
router worms and International Infrastructure [was: Re: IOS exploit]



The text below is an email I just sent to the North American Network Operators Group. I believe asking for bugtraq's opinion is also critical.

Thanks,

        Gadi.


Michael.Dillon@xxxxxxxxxxxxx wrote:
Reading through the original Russian posting here
http://www.securitylab.ru/news/240415.php&direction=re&template=General&cp1=
It seems that someone has built an IOS worm that
follows an EIGRP vector from router to router.

A while back I emailed the following text to a closed mailing list. I
figure now that quite a few cats are out of the bag it is time to get
more public attention to these issues, as the Bad Guys will very soon
start doing just that.

Ciscogate by itself ALONE, and now even just a story about worms for
Routers is enough for us to be CLEAR that worms will start coming out.
We do learn from history.

So.. as much as people don't like to talk much on the issues involving
the so-called "cooler" stuff that can be done with routers, now is the
time to start.

Here is one possible and simple vector of attack that I see happening in
the future. It goes down-hill from there.

I wrote this after the release of "the three vulnerabilities", a few
months back. Now we know one wasn't even just a DDoS, and that changes
the picture a bit.

Begin quoted text ----->>>

More on router worms - let's take down the Internet with three public
POCs and some open spybot source code.
--------------------------------------

People, I have given this some more thought.

Let's forget for a second the fact that these vulnerabilities are
dangerous on their own (although it's a DoS), and consider what a worm
could cause.

If the worm used the vulnerability, it would shoot itself in the leg, as
when the network is down, it can't spread.

Now, imagine if a VX-er uses an ancient trick and releases the worm,
waiting for it to propagate for 2 or 3 days. Then, after that seeding
time, when the, say, not very successful worm has infected only about 30K
machines around the world, each infected host will send out 3 "One
Packet Killers", as I like to call them, to the world.

Even if the packet won't pass one router, that one router, along with
thousands of others, will die.

Further, the latest vulnerabilities are not just for Cisco; there is a
"One Packet Killer" for Juniper as well.

So, say this isn't a 0-day. Tier-1 and tier-2 ISPs are patched (a great
mechanism to pass through, as these won't filter the packet out if it is
headed somewhere else); how many of the rest will be up to date?

Let's give the Internet a lot of credit and say.. 60% (yeah right).

That leaves us with 30% of the Internet dead, and that's really a bad
scenario as someone I know would say.

Make each infected system send the one packet spoofed (potentially, not
necessarily these vulnerabilities) and it's hell. Make them send it
every day, once! And the net will keep dying every day for a while.

As a friend suggested, maybe even fragment the packet, and have it
re-assembled at the destination, far-away routers (not sure if that will
work).

These are all basic, actually very basic, techniques, and with the
source to exploits and worms freely available....
We keep seeing network equipment vulnerabilities coming out, and it is a
lot "cooler" to bring down an ISP with one packet rather than with
1,000,000,000,000,000.

I am sure the guys at Cisco gave this some thought, but I don't believe
this is getting enough attention generally, and especially not with
AV-ers. It should.

This may seem like I am hyping the situation, which is well-known. Still,
well-known or not, secret or not, it's time we prepared better on a
broader scale.

How?

    Gadi.

----->>> End quoted text.

I would really like to hear some thoughts from the NANOG community on
threats such as the one described above. Let us not get into an argument
about 0-days, and consider how many routers are actually patched the
first... day.. week, month? after a vulnerability is released.

Also, let us consider the ever decreasing vulnerability-2-exploit time
of development.

I don't want the above to sound like FUD. My point is not to yell "death
of the Internet" but rather to get some people moving on what I believe
to be a threat, and considering it on a broader scale is LONG overdue.

The cat is out of the bag, and as much as I avoided using "potentially"
and "possibly" above to make my point.. this is just one possible
scenario, and I believe we need to start getting prepared to better
defend the Internet as an International Infrastructure.

As I am sure that this will be an interesting discussion, I am also sure
this will eventually derail into a pointless argument over an unrelated
matter, here on NANOG.
I'd appreciate it if people who are interested would also email me off-list
so that we can see how we can perhaps proceed with some activity.

Thanks,

        Gadi Evron.

--
Available for consulting:
+972-50-5428610 / ge@xxxxxxxxxxxxx