Your network system is only as strong as its weakest
Wayne Epperson correspondent
The quietly confident, 24-year-old Chris Wilson has faced some tough challenges
in and around his home base, west of Philadelphia. He is a no-nonsense
hombre, and he can spot your weakness before you can say "intrusion
detection." Wilson is head of the security services division
for WorldNet Technology Consultants (www.wtci.net),
and his specialty is network penetration testing, an audit of
a company's perimeter security. So take it seriously when he
says one of his favorite vulnerabilities is your edge router.
"Everyone forgets about them," Wilson says of the routers. "All
of the clients that have used us for a perimeter audit may be
rock-solid from the firewall forward, but there is always something
open on the router that should be closed. It's the device sitting
out there that everyone forgets about."
Wilson gave as an example a WorldNet attack on a financial institution's
network that was successful because the router had been deployed
improperly. It was not password-protected, and the intrusion led
to deeper access into the company's data.
When Wilson cracks into a router, sometimes he is able to change
routes and route packets to places they should not go, "maybe
route them back to us or route them somewhere else, which would
cause a denial of service on their end," Wilson says.
Wilson adds that some name-brand routers allow Web-based configuration,
and by using combinations of built-in commands (e.g., ping and
others that have the power of outputting data) a malicious person
can potentially take over the router and "tell that router to
send information in a flood sort of way to another site." A single
router might not cause extensive damage, he says, but if several
routers were involved, the result could be a distributed denial
of service attack.
Hacked routers on the rise
It was an increase in such reports of routers being used in
denial of service attacks that got the attention of the security
watchdog group CERT (www.cert.org)
at Carnegie Mellon University. Members of the CERT incident
response team collaborated with outside experts to write a white
paper outlining "Trends in Denial of Service Attack Technology."
Kevin Houle, coauthor of the paper, says reports sent to CERT
indicate routers are being used as launch points for denial of
service attacks, as platforms for scanning activity, and as proxy
points for obfuscating connections to IRC (Internet Relay Chat).
"Intruders continue to compromise routers, particularly routers
deployed with passwords that have not been changed from the vendor-supplied
default," Houle says.
Routers are attractive targets for hackers because they are part
of the network infrastructure, but they are often less protected
by security policies and monitoring technology, Houle says.
The CERT paper reports that "an imminent and real threat, with a potentially
high impact," exists: routers could be used in direct attacks against
the routing protocols that connect the networks comprising the
Internet.
On the issue of router vulnerabilities, Chuck Adams, general
manager of security at NetSolve (www.netsolve.com),
in Austin, Texas, has some long-standing, close knowledge of
Adams, who was a member of the elite Cisco Secure Consulting group
before joining NetSolve last July, says, "The biggest vulnerability,
based on my 15 years in the information security assessment industry,
is authentication. I don't know how many routers in the world
one can telnet to, straight across the Internet, and log in with
the password of Cisco123, assuming it's a Cisco router."
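The weakness Adams and Houle describe, remote login over cleartext telnet with a vendor-default or guessable password, is a configuration problem, so the fix is also configuration. The excerpt below is an added illustration written for this page, not a configuration from any of the companies quoted: it shows the weak Cisco IOS settings beside a hardened equivalent that restricts management to SSH from a named management subnet, disables the Web configuration interface Wilson mentions, and sends logs to a collector so the device can actually be monitored. The hostname, the `192.0.2.0/24` management range, the `192.0.2.50` log collector, the `netops` account and the `<strong-passphrase>` placeholders are assumptions; `crypto key generate rsa` is entered from privileged exec mode, not configuration mode.

```cisco
! --- Weak (illustrative, not a real device): cleartext telnet from anywhere,
! --- a guessable shared password, and the Web configuration server left on.
line vty 0 4
 password Cisco123
 login
 transport input telnet
ip http server

! --- Hardened equivalent (added example; names and addresses are placeholders).
hostname edge-rtr
ip domain-name example.net
! run once from privileged exec before enabling SSH:  crypto key generate rsa modulus 2048
ip ssh version 2
service password-encryption
enable secret <strong-passphrase>
username netops secret <strong-passphrase>
! only the management subnet may reach the VTY lines; everything else is dropped and logged
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
! remove the Web-based configuration interface entirely
no ip http server
no ip http secure-server
! do not let the router be used as a broadcast amplifier or a source-routed relay
interface GigabitEthernet0/0
 no ip directed-broadcast
no ip source-route
! ship ACL hits and login events to a collector so someone can see an attack start
logging host 192.0.2.50
logging trap informational
```

The two halves differ in three places that matter to the article's argument: authentication (a per-user secret instead of a shared line password), exposure (SSH from one subnet instead of telnet from the whole Internet) and visibility (syslog to a collector instead of nothing). Any one of them on its own would have stopped the "telnet in with Cisco123" scenario.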
It should come as little surprise that the culprit is not manufacturers
It'll never happen to me
It is not the technology that has the inherent weakness, "it's the management process around the technology that doesn't have security-injected paranoia," Adams says. "You assume you are not a target. You assume no one can do this; therefore, there is no reason to put any extra effort or diligence in managing it."
Wilson of WorldNet says he, too, sees companies in denial about
being an attack risk: "People say, 'We are so small,' or, 'Our
location is here in Rinky Dink, Pennsylvania; nobody cares about
us.' And that is just not the case."
Bob Sensenig, vice president of sales at WorldNet, says the company's
security engineers constantly search websites to find the latest
and greatest hacking techniques to utilize when "we go into hosting
companies or corporate accounts and do vulnerability testing to
make sure they are secure from outside hackers."
Peter Perchansky, president of We Manage Servers (www.wemanageservers.com),
says the managed services and managed security his company provides
to hosting companies and Internet datacenter clients is on the
"We work with companies like WorldNet, where they take the perimeter
and we take inside the fence. We make sure all operating systems
and application patches are up to date," Perchansky says. "When
you look at nimda, Code Red, and similar worms and viruses that
are out there - and nimda simulates a denial of service attack
by consumption of resources - a lot of those worms and viruses
were 100 percent preventable by the application of patches."
Perchansky says even though a hacker may exploit perimeter technologies
to get into a network, We Manage Servers believes in starting
off with a secure foundation, through the proactive application
of patches and making sure all unnecessary services are turned
In nearly all of the security audits performed by WorldNet engineers,
Sensenig says they find that an intrusion detection system (IDS)
should be installed on the network. They recommend several offerings,
from industry-leading products to basic economy versions. If the
companies are not large enough to have their own 24/7 monitoring
staff, the IDS can be set up to report back to WorldNet's management
console, where engineers can decipher any suspicious signatures
and take quick action in the event of an attack.
Up the creek without a paddle?
In the opinion of the hired hacker, Chris Wilson, there is no way a company can prevent a distributed denial of service attack. As he says, "If you are targeted, there's nothing you can do." The only proactive steps are to make sure the Web server or services that may be targeted are running on systems that have enough computing muscle to handle thousands of connections simultaneously without dying and to have a close working relationship with your ISP, Wilson says.
"If you are under an attack, the best thing you can do is gather
information about it and contact your ISP, and the trick is to
cut the attack as far up your pipeline as you can," Wilson says.
Wilson says an attack might look like this: "They might be doing
distributed denial of service, which is yielding maybe 4 Mbps
of traffic coming into your network, and you only have a T1 connection
[1.54 Mbps]. If your ISP is a high-enough tier that they have
an OC3 [155 Mbps] connection to the Internet, you can contact
them and ask that they block the ports going to your T1. All of
a sudden, your pipe is no longer flooded."
Even if a company blocks an attack at the firewall, attackers
can flood the pipe and legitimate customers will not be able to
access the network, Wilson says. "So what we are talking about
is using routers in that perspective, using them to launch denial
of service attacks."
NetSolve's Adams says that although security technologies are
great, "if you don't monitor security devices to detect security
events, it's pretty useless. It's another router, another network
device." NetSolve, which provides remote management to clients
globally, applies a real-time response mechanism to security alarms
received automatically in its Austin management center.
"We can implement an access control list or shun the IP address
of an attack when it starts to propagate, thereby reducing the
effects of the attack," Adams says.
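Adams' point that an unmonitored security device is "another router" and Wilson's advice to gather information and push the block as far upstream as possible both depend on reading what the edge router is already reporting. The script below is an added example, not code from NetSolve, WorldNet or the article: it parses Cisco IOS `IPACCESSLOGP` syslog messages (the lines an `access-list ... log` entry produces), totals denied packets per source and per target port, flags sources above a threshold, and emits the deny lines a network engineer could review before applying them or handing the summary to the ISP. The sample log lines are constructed for this example, the addresses come from documentation ranges, and the threshold and ACL number are assumptions.

```python
import re
from collections import Counter

# Cisco IOS ACL log message, e.g.
#   %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(1025) -> 192.0.2.10(80), 48 packets
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog output for this example (not a real capture).
SAMPLE_LOG = """\
Jan 12 10:00:01 edge-rtr 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(1025) -> 192.0.2.10(80), 1 packet
Jan 12 10:00:31 edge-rtr 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(1026) -> 192.0.2.10(80), 48 packets
Jan 12 10:00:31 edge-rtr 103: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.77(4000) -> 192.0.2.10(53), 50 packets
Jan 12 10:00:32 edge-rtr 104: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.20(51000) -> 192.0.2.10(443), 1 packet
Jan 12 10:01:01 edge-rtr 105: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(1027) -> 192.0.2.10(80), 60 packets
Jan 12 10:01:01 edge-rtr 106: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.77(4001) -> 192.0.2.10(53), 40 packets
Jan 12 10:01:02 edge-rtr 107: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.20(51001) -> 192.0.2.10(23), 2 packets
Jan 12 10:01:05 edge-rtr 108: %SYS-5-CONFIG_I: Configured from console by netops on vty0
"""


def parse_acl_log(text):
    """Return one dict per ACL log line; lines that are not ACL hits are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events


def flood_sources(events, threshold):
    """Sources whose denied packet total reaches the threshold (permits are ignored)."""
    per_src = Counter()
    for e in events:
        if e["action"] == "denied":
            per_src[e["src"]] += e["count"]
    return {src: n for src, n in per_src.items() if n >= threshold}


def target_summary(events):
    """Denied packets per protocol/port: the figure an ISP needs to filter upstream."""
    per_target = Counter()
    for e in events:
        if e["action"] == "denied":
            per_target[f"{e['proto']}/{e['dport']}"] += e["count"]
    return per_target


def proposed_acl(sources, acl_number=199):
    """Candidate IOS deny lines for review; the final permit keeps other traffic flowing."""
    lines = [f"access-list {acl_number} deny ip host {src} any log" for src in sorted(sources)]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


EVENTS = parse_acl_log(SAMPLE_LOG)

if __name__ == "__main__":
    offenders = flood_sources(EVENTS, threshold=100)
    print("sources over threshold:", offenders)
    print("denied packets by target:", dict(target_summary(EVENTS)))
    print("\n".join(proposed_acl(offenders)))
```

The threshold is the operational judgement call: set it too low and a noisy but legitimate client ends up in the deny list, which is why the script proposes ACL lines rather than pushing them to the router. The per-port summary is what an upstream provider can act on quickly, since, as Wilson notes, a block at your own firewall does nothing once the pipe itself is full.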
In the world of network attacks, hackers will continue trying
to compromise routers, and "it is important to include router
security as your security planning evolves to ensure your routing
infrastructure is protected from intrusion," says Houle of CERT.
Security planning sometimes evolves the easy way, sometimes the hard way. Wilson recalls a horror story about a project that almost went bad.