Security

Fighting Router DoS

The latest form of Denial of Service (DoS) attacks targets routers. ISPs need to protect these vital elements of the Internet infrastructure with tools ranging from common sense to the latest software.

by Jim Freund Managing Editor of CrossNodes, an EarthWeb site [November 8, 2001]

We all yearn for the more innocent era when the acronym DOS stood for your Disk Operating System, or even the Department of State. Today, however, it is a term that brings a chill to many technologists—Denial of Service (DoS). Initially, this was largely the realm of minor miscreants, who wanted no more than to target specific websites they thought would be cool to disrupt. But now a greater chill has begun to set in as attacks have begun to target routers.

Of late, the hacker community has taken to discussing 'router protocol attacks' in listservs, Usenet, and at conferences. Attacks against routers can have serious consequences for the Internet at large. Routers can be used for direct attacks against the routing protocols that interconnect the networks comprising the Internet, therefore causing serious service availability issues on a large scale.

ISPs need to deal with these threats in order to protect both their own interests and the interests of all networks to which they connect.

The crackers' attraction
Crackers perceive router attacks as attractive for several reasons. Unlike computer systems, routers are generally buried within the infrastructure of an enterprise. Often, they are relatively less protected by monitors and security policies than computers, providing a safer harbor within which the miscreant can operate. Many routers are poorly deployed, with the vendor-supplied default password the only wall between network security and ruination.

Documents circulate the Internet supplying advice on procedures for breaking into a router and changing its configuration. Once compromised, the router can be used as a platform for scanning activity, 'spoofing' connections (disguising the origin of packets), and as a launch point for DoS attacks.

According to Laurie Vickers, a Senior Analyst at Cahners In-Stat Group, "A router is the gateway to a company. They have been the target of hackers and Script Kiddies for quite some time now, but what seems to be occurring is that the hackers are growing more sophisticated. They're finding that the front door is locked, so they go around back and see that the patio door has been left open."

Vickers asserts that router attacks can prove devastating to networks as managers try to determine, "Which box will it be? Routers often integrate VPN services and/or firewalls, and these make them even juicier targets." Once the router is compromised, the entire network could be up for grabs.

A further area for concern is what Carnegie Mellon's Computer Emergency Response Team (CERT) Coordination Center refers to as the shrinkage of 'Time-To-Exploit'. In other words, once a vulnerability in a system or device has been discovered, it takes less time to exploit it—perhaps less time than it takes to author or deploy a security patch.

Even more intimidating, don't look for a particular group or individual to target your systems. Tools used to initiate DoS attacks and to propagate the 'attack toolkits' (the collection of instructions used for the attack) are increasingly automated. Scripts are frequently used for scanning, exploitation, and deployment.

What to do?
Traditional security solutions are often outwitted by DoS attacks. Firewalls and Intrusion Detection Systems (IDS) are designed to detect attacks against individual servers or hosts—not the network infrastructure.

To combat this, several companies have worked on solutions specific to DoS attacks.

Arbor Networks helped pioneer this field with their product, PeakFlow DoS, which deploys data collectors which analyze traffic flow (before it reaches your routers or firewalls) and searches for anomalies. Such intelligence is forwarded to a controller, which in turn attempts to trace the attack back to its source. In the meantime, the controller sends filter recommendations to the network managers, which can be deployed to attempt to divert the attack. Prices for enterprise deployment begin at $130,000, and there are plans to provide similar protection as a monthly-billed service for smaller networks.

Tripwire's Tripwire for Routers takes a more modest approach of monitoring a Cisco router's startup and configuration files, and notifying you of any changes from that device's trusted state. (The router needs to be running IOS 11.3, 12.0, or 12.1.) It is currently only available for Solaris 7 or 8 workstations; a Windows 2000 version is forthcoming. Pricing is scaled based on how many routers will be covered, and an evaluation version of the software is available for download.

On the low end, some common sense is your first, and perhaps your best defense. Make sure you're aware of every connection from the outside world that has access to your router. Be sure that you have changed the default security configurations, especially the password. We have more information in Protect Your Network From a DoS Attack.

These new trends in DoS attacks demonstrate that threats to availability of service—be they against a network or the Internet at large—are likely to become more sophisticated as time goes on. Aside from the impact on your network, lack of diligence on router and infrastructure security could make you an unwitting conveyor of DoS attacks. Stay aware of developments, and hold yourself accountable for your network's security on all fronts, and you should be able to avoid disaster.

—End