16 Sep 2015, 10:45 a.m.
On 16 Sep 2015, at 21:00, Michael Douglas wrote:

> It's unlikely the routers that got exploited were the initial entry point of the attack.

I understand all that, thanks.

> At this point when they start messing around with routers, you're going to see activity coming from the intended internal management range using legit credentials.

It would still be quite difficult, and readily detected if accomplished, had BCPs such as AAA, per-command auth, per-command logging, and monitoring of same been implemented. Plus, iACLs would prevent C&C comms, and monitoring of all traffic to/from router interfaces would potentially pick that up, as well.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>