Michael.Dillon@btradianz.com wrote:
Reading through the original Russian posting here http://www.securitylab.ru/news/240415.php&direction=re&template=General&cp1= It seems that someone has built an IOS worm that follows an EIGRP vector from router to router.
A while back I emailed the following text to a closed mailing list. I figure now that quite a few cats are out of the bag it is time to get more public attention to these issues, as the Bad Guys will very soon start doing just that. Ciscogate by itself ALONE, and now even just a story about worms for Routers is enough for us to be CLEAR that worms will start coming out. We do learn from history. So.. as much as people don't like to talk much on the issues involving the so-called "cooler" stuff that can be done with routers, now is the time to start. Here is one possible and simple vector of attack that I see happening in the future. It goes down-hill from there. I wrote this after the release of "the three vulnerabilities", a few months back. Now we know one wasn't even just a DDoS, and that changes the picture a bit. Begin quoted text ----->>> More on router worms - let's take down the Internet with three public POCs and some open spybot source code. -------------------------------------- People, I have given this some more thought. Let's forget for a second the fact that these vulnerabilities are dangerous on their own (although it's a DoS), and consider what a worm, could cause. If the worm used the vulnerability, it would shoot itself in the leg as when network is down, it can't spread. Now, imagine if a VX-er will use an ancient trick and release the worm, waiting for it to propagate for 2 or 3 days. Then, after that seeding time when the say.. not very successful worm infected only about 30K machines around the world, each infected host will send out 3 "One Packet Killers" as I like to call them to the world. Even if the packet won't pass one router, that one router, along with thousands of others, will die. Further, the latest vulnerabilities are not just for Cisco, there is a "One Packer Killer" for Juniper as well. So, say this isn't a 0-day. Tier-1 and tier-2 ISP's are patched (great mechanism to pass through as these won't filter the packed out if it is headed somewhere else), how many of the rest will be up to date? Let's give the Internet a lot of credit and say.. 60% (yeah right). That leaves us with 30% of the Internet dead, and that's really a bad scenario as someone I know would say. Make each infected system send the one packet spoofed (potentially, not necessarily these vulnerabilities) and it's hell. Make them send it every day, once! And the net will keep dying every day for a while. As a friend suggested, maybe even fragment the packet, and have it re-assembled at the destination, far-away routers (not sure if that will work). These are all basic, actually very basic, techniques, and with the source to exploits and worms freely available.... We keep seeing network equipment vulnerabilities coming out, and it is a lot "cooler" to bring down an ISP with one packet rather than with 1,000,000,000,000,000. I am sure the guys at Cisco gave this some thought, but I don't believe this is getting enough attention generally, and especially not with AV-ers. It should. This may seem like I am hyping the situation, which is well-known. Still well-known or not, secret or not, it's time we prepared better in a broader scale. How? Gadi. ----->>> End quoted text. I would really like to hear some thoughts from the NANOG community on threats such as the one described above. Let us not get into an argument about 0-days and consider how many routers are actually patched the first... day.. week, month? after a vulnerability is released. Also, let us consider the ever decreasing vulnerability-2-exploit time of development. I don't want the above to sound as FUD. My point is not to yell "death of the Internet" but rather to get some people moving on what I believe to be a threat, and considering it on a broader scale is LONG over-due. The cat is out of the bag, as as much as I avoided using "potentially" and "possibly" above to pass my point.. this is just one possible scenario and I believe we need to start getting prepared to better defending the Internet as an International Infrastructure. As I am sure that this will be an interesting discussion, I am also sure this will eventually derail to a pointless argument over an un-related matter, here on NANOG. I'd appreciate if people who are interested would also email me off-list so that we can see how we can perhaps proceed with some activity. Thanks, Gadi Evron. -- Available for consulting: +972-50-5428610 / ge@linuxbox.org.