[183765] in North American Network Operators' Group
Re: Synful Knock questions...
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Sep 15 15:06:25 2015
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAOe-DYDdGBDFgxjuHGk_kdN_jR6-Er+ytfz9-Ad-Fm=YquqBzA@mail.gmail.com>
Date: Tue, 15 Sep 2015 15:01:50 -0400
To: Michael Douglas <Michael.Douglas@IEEE.org>
Cc: nanog list <nanog@nanog.org>, Jake Mertel <jake.mertel@ubiquityhosting.com>
Errors-To: nanog-bounces@nanog.org
> On Sep 15, 2015, at 2:50 PM, Michael Douglas <Michael.Douglas@IEEE.org> wrote:
>
> Wouldn't the calculated MD5/SHA sum for the IOS file change once it's
> modified (irrespective of staying the same size)? I'd be interested to see
> if one of these backdoors would pass the IOS verify command or not. Even
> if the backdoor changed the verify output, copying the IOS file off the
> router and MD5/SHA summing it on another host should show a difference. I
> guess maintaining the file size is to prevent something like RANCID firing
> off a diff on the flash dir output.
There's plenty of ways to detect/watch this. You should check both the image and the unzip of
the image. (Yes, you heard me, unzip.)
I know people who did modify their IOS images to disable various checks. It's not
hard nor impossible. Look at the dynamips stuff where people used them on 7200 images.
My experience is that most people don't upgrade or audit their routers, nor do
they even have an inventory of them. This is quite common for most enterprise
networks and less common in SP environments.
Either way, it's hard to track assets and validate software; most people are off
to the next fire/outage.
- Jared
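As an added illustration of the check discussed in this thread (hashing a copy of the image off-box, both as stored and after unpacking it, rather than trusting file size), here is example code that is not from the thread or from Cisco. The image layout, header and payloads are constructed stand-ins, and zlib is used in place of whatever unpacking a real IOS image needs.

```python
import hashlib
import zlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_image(header: bytes, payload: bytes) -> bytes:
    # Constructed stand-in for an IOS image: a plain header followed by a
    # zlib-wrapped (stored, level 0) payload. Real IOS images are
    # self-extracting with their own layout; this only models
    # "the image and the unzip of the image".
    return header + zlib.compress(payload, 0)


def baseline(image: bytes, header_len: int) -> dict:
    # Record what a known-good copy looks like: size, hash of the whole
    # file as stored, and hash of the unpacked payload.
    return {
        "size": len(image),
        "image_sha256": sha256(image),
        "payload_sha256": sha256(zlib.decompress(image[header_len:])),
    }


def verify_image(image: bytes, header_len: int, known: dict) -> dict:
    # Compare a copy pulled off the router against the baseline. Each check
    # is reported separately so a size-only match is visibly insufficient.
    try:
        payload = zlib.decompress(image[header_len:])
    except zlib.error:
        payload = None
    return {
        "size_matches": len(image) == known["size"],
        "image_hash_matches": sha256(image) == known["image_sha256"],
        "payload_hash_matches": (payload is not None
                                 and sha256(payload) == known["payload_sha256"]),
    }


HEADER = b"HYPOTHETICAL-IOS-HEADER\n"   # constructed, not a real IOS field
GOOD_PAYLOAD = b"ROUTER CODE " * 64      # constructed sample payload (768 bytes)
GOOD_IMAGE = build_image(HEADER, GOOD_PAYLOAD)
KNOWN_GOOD = baseline(GOOD_IMAGE, len(HEADER))

# Same-size modification of the payload: size is preserved, both hashes change.
TAMPERED_PAYLOAD = GOOD_PAYLOAD[:12] + b"ROUTER HOOK " + GOOD_PAYLOAD[24:]
TAMPERED_IMAGE = build_image(HEADER, TAMPERED_PAYLOAD)

if __name__ == "__main__":
    print(verify_image(GOOD_IMAGE, len(HEADER), KNOWN_GOOD))
    print(verify_image(TAMPERED_IMAGE, len(HEADER), KNOWN_GOOD))
```

A directory listing or RANCID diff keyed on size would report nothing for the tampered copy; only the hash comparisons do.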