[163682] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: huawei

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Thu Jun 13 22:58:17 2013

In-Reply-To: <CAMrdfRzfj5-VBFXfqWv90H2CCAne1v5yb6FaoApx68Sa1WR84A@mail.gmail.com>
Date: Thu, 13 Jun 2013 21:57:50 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Scott Helms <khelms@zcorum.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 6/13/13, Scott Helms <khelms@zcorum.com> wrote:
> Targeted how without an active C&C system?

How have you determined that there is not one?

Conceptually, the "simplest" backdoored router could have a
mechanism where crafted packets that would ordinarily be forwarded
on contain some "magic bit pattern" in the source address or other
parameter that causes the packet to bypass ACLs and be punted
directly to software.

So the simplest conceivable C&C system could be "one guy"
checking whether random IP addresses they have personally decided are
interesting are behind a backdoored router.

They would send a crafted port 53 DNS request, with some encrypted
material with a digitally signed hash based on a timestamp, the
source IP, and the destination IP being probed, and wait for the
magically structured "ICMP Destination unreachable/Admin prohibited"
error reply packet, containing some covert bit pattern confirming the
presence and system identification of a backdoored unit on the path
to the 'interesting' remote host.

--
-JH
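The exchange Jimmy sketches above, worked through as an added example that is not part of the original post or of any vendor's code. Everything in it is constructed for illustration: an HMAC over (timestamp, source IP, destination IP) stands in for his "digitally signed hash", the tag and timestamp ride in the QNAME labels of an otherwise ordinary TXT query, and the "backdoored" forwarding hook answers a valid probe with an ICMP type 3 code 13 (admin prohibited) whose four-byte field after the checksum, which RFC 792 says is unused and must be zero, carries an assumed magic value and a made-up unit identifier. The last function is the defender's side of the same observation: a type 3 reply with a nonzero unused word (other than code 4, which legitimately carries next-hop MTU per RFC 1191) is malformed and worth alerting on.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for this example; none of them come from the post.
PROBE_KEY = b"constructed-example-shared-key"  # stand-in for the signing key
UNIT_ID = 0x0042        # assumed "system identification" of the backdoored unit
MAGIC = 0xCAFE          # assumed covert bit pattern in the ICMP reply
CLOCK_WINDOW = 120      # seconds of timestamp skew the hook tolerates


def probe_token(ts, src, dst):
    """Tag over (timestamp, source IP, destination IP), truncated to 16 bytes."""
    msg = struct.pack("!I4s4s", ts,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hmac.new(PROBE_KEY, msg, hashlib.sha256).digest()[:16]


def build_dns_probe(src, dst, ts):
    """Wire-format DNS query carrying the tag and timestamp as QNAME labels.
    To anything else on the path it is a TXT query for <tag>.<ts>.probe.example."""
    labels = [probe_token(ts, src, dst).hex().encode(), str(ts).encode(),
              b"probe", b"example"]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD, qdcount=1
    return header + qname + struct.pack("!HH", 16, 1)             # QTYPE=TXT, QCLASS=IN


def parse_qname(dns):
    """Return the QNAME labels of the first question in a DNS message."""
    labels, pos = [], 12
    while True:
        n = dns[pos]
        pos += 1
        if n == 0:
            return labels
        labels.append(dns[pos:pos + n])
        pos += n


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def backdoor_inspect(pkt, now):
    """Forwarding-path hook on the hypothetical router. pkt is a dict with
    src, dst, dport and payload. Returns the covert ICMP reply for a valid
    probe, or None, meaning 'forward the packet normally'."""
    if pkt["dport"] != 53:
        return None
    try:
        labels = parse_qname(pkt["payload"])
        tag, ts = bytes.fromhex(labels[0].decode()), int(labels[1])
    except (IndexError, ValueError):
        return None                       # not shaped like a probe: ordinary DNS
    if abs(now - ts) > CLOCK_WINDOW:
        return None                       # stale or replayed tag
    if not hmac.compare_digest(tag, probe_token(ts, pkt["src"], pkt["dst"])):
        return None                       # tag not bound to this (src, dst)
    # Type 3 code 13, admin prohibited. The word after the checksum is the RFC 792
    # "unused" field; the hook hides MAGIC and UNIT_ID in it. A real reply quotes the
    # offending IP header plus 8 bytes; here only 8 bytes of the query are quoted.
    icmp = struct.pack("!BBHHH", 3, 13, 0, MAGIC, UNIT_ID) + pkt["payload"][:8]
    return icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]


def decode_reply(icmp):
    """Prober side: returns the unit identifier if the reply carries the covert pattern."""
    t, c, _, magic, unit = struct.unpack("!BBHHH", icmp[:8])
    if (t, c, magic) != (3, 13, MAGIC):
        return None
    return unit


def unused_field_nonzero(icmp):
    """Defender check: a type 3 reply whose unused word is nonzero is malformed,
    except code 4 (fragmentation needed), which carries next-hop MTU there."""
    t, c, _, unused = struct.unpack("!BBHI", icmp[:8])
    return t == 3 and c != 4 and unused != 0


if __name__ == "__main__":
    now = 1700000000
    pkt = {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 53,
           "payload": build_dns_probe("192.0.2.10", "198.51.100.7", now)}
    reply = backdoor_inspect(pkt, now + 5)
    print("unit on path:", hex(decode_reply(reply)))
    print("flagged by defender check:", unused_field_nonzero(reply))
```

The binding of the tag to the destination address is what makes the probe targeted in the sense discussed above: the same query replayed toward a different host, or outside the clock window, is forwarded like any other DNS packet and produces nothing.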

