On a side note, I've been involved with organizing the New England regional Collegiate Cyber-Defense Competition for a while, and one our "Red Team" members was able to make a pretty convincing IOS rootkit using IOS TCL scripting to mask configuration from the students. I don't think any students were able to detect it until word got out after it was used a few years in a row. IIRC, Cisco threatened to sue if it was ever released, so no it's not publicly available. It is possible, however. Don't assume that your routers are any safer than your servers. :-) On Mon, Dec 30, 2013 at 1:35 PM, shawn wilson <ag4ve.us@gmail.com> wrote:
NANOG:
Here's the really scary question for me.
Would it be possible for NSA-payload traffic that originates on our
On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lorell@hathcock.org> wrote: private
networks that is destined for the NSA to go undetected by our IDS systems?
Yup. Absolutely. Without a doubt.
For example tcpdump-based IDS systems like Snort has been rooted to ignore or not report packets going back to the NSA? Or netflow on Cisco devices not reporting NSA traffic? Or interface traffic counters discarding NSA-packets to report that there is no usage on the interface when in fact there is?
Do you detect 100% of malware in your IDS? Why would anyone need to do anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything else that can run code that people download all the time with payload of unknown signature. This isn't really a network discussion. This is just to say - I seriously doubt there's anything wrong with your IDS - don't skin a cat with a flame thrower, it just doesn't need to be that hard.
Here's another question. What traffic do we look for on our networks that would be going to the NSA?
Standard https on port 443 maybe? That's how I'd send it. If you need to send something bigger than normal, maybe compromise the email server and have a few people send off some 5 - 10 meg messages? Depends on your normal user base. If you've got a big, complex user base, it's not hard to stay under the radar. Google 'Mandiant APT1' for some real good reading.
-- Ray Patrick Soucy Network Engineer University of Maine System T: 207-561-3526 F: 207-561-3531 MaineREN, Maine's Research and Education Network www.maineren.net