[183784] in North American Network Operators' Group

Re: Synful Knock questions...

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Wed Sep 16 10:45:21 2015

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: NANOG <nanog@nanog.org>
Date: Wed, 16 Sep 2015 21:45:12 +0700
In-Reply-To: <CAOe-DYCFfTd2uTpbY9s5ikd4zpUQiUi5M2zevG14s=Br6BOvrA@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On 16 Sep 2015, at 21:00, Michael Douglas wrote:

> It's unlikely the routers that got exploited were the initial entry 
> point of the attack.

I understand all that, thanks.

> At this point when they start messing around with routers, you're
> going to see activity coming from the intended internal management
> range using legit credentials.

It would still be quite difficult, and readily detected if accomplished, 
had BCPs such as AAA, per-command auth, per-command logging, and 
monitoring of same been implemented.  Plus, iACLs would prevent C&C 
comms, and monitoring of all traffic to/from router interfaces would 
potentially pick that up, as well.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
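The reply above argues that per-command AAA accounting plus monitoring of those records would make image or config tampering from a "legitimate" session stand out. The following is an added example, not code from Roland's post or from any vendor: a small audit over constructed TACACS+-style accounting lines that flags commands which change the boot image, the startup config or the AAA/logging/iACL controls themselves, and any command issued from a source outside an assumed management prefix. The record layout, the 10.255.0.0/24 management prefix and the command watchlist are all assumptions chosen for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumption: the only prefix operators are supposed to log in from.
MGMT_PREFIX = ipaddress.ip_network("10.255.0.0/24")

# Hypothetical watchlist: commands that change the boot image, the startup
# config, or the very controls (AAA, logging, vty ACLs) that make this audit work.
SENSITIVE_CMD_PATTERNS = [
    re.compile(r"^copy\s+\S+\s+(flash|bootflash|disk\d|slot\d|nvram|startup-config)", re.I),
    re.compile(r"^boot\s+system\b", re.I),
    re.compile(r"^(delete|erase|format|squeeze)\b", re.I),
    re.compile(r"^write\s+(memory|erase)\b", re.I),
    re.compile(r"^reload\b", re.I),
    re.compile(r"^(no\s+)?(aaa|logging|ip\s+access-list|line\s+vty)\b", re.I),
]

# Constructed record layout modelled on a tac_plus-style accounting log:
# <Mon> <day> <hh:mm:ss> <device> <user> <tty> <source> <start|stop> <attr=val ...>
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<type>start|stop)\s+(?P<attrs>.*)$"
)
CMD_RE = re.compile(r"\bcmd=(?P<cmd>.+)$")  # cmd= is the last attribute and may contain spaces


@dataclass
class Record:
    ts: str
    device: str
    user: str
    tty: str
    src: str
    cmd: str


@dataclass
class Finding:
    record: Record
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> Optional[Record]:
    """Return a Record for a 'stop' accounting line that carries a cmd= attribute;
    None for start records, lines without a command, or malformed input."""
    m = RECORD_RE.match(line.strip())
    if not m or m.group("type") != "stop":
        return None
    c = CMD_RE.search(m.group("attrs"))
    if not c:
        return None
    return Record(m.group("ts"), m.group("device"), m.group("user"),
                  m.group("tty"), m.group("src"), c.group("cmd").strip())


def source_is_management(src: str) -> bool:
    """True only for a parseable address inside the assumed management prefix."""
    try:
        return ipaddress.ip_address(src) in MGMT_PREFIX
    except ValueError:
        return False  # console/async labels or garbage: not a management-network login


def is_sensitive(cmd: str) -> bool:
    return any(p.search(cmd) for p in SENSITIVE_CMD_PATTERNS)


def audit(lines: Iterable[str]) -> List[Finding]:
    """Walk accounting lines and return one Finding per command worth an alert,
    with every reason that applies (a command can trip both checks)."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reasons = []
        if not source_is_management(rec.src):
            reasons.append(f"source {rec.src} outside management prefix {MGMT_PREFIX}")
        if is_sensitive(rec.cmd):
            reasons.append("command alters boot image, startup config or control-plane protections")
        if reasons:
            findings.append(Finding(rec, reasons))
    return findings


# Constructed sample: an in-range operator session that swaps the boot image,
# then a session from outside the management prefix.  Not real log data.
SAMPLE_ACCOUNTING = """\
Sep 16 08:01:12 rtr1.example.net alice tty2 10.255.0.7 start task_id=11 service=shell
Sep 16 08:01:12 rtr1.example.net alice tty2 10.255.0.7 stop task_id=11 service=shell priv-lvl=1 cmd=show version
Sep 16 08:02:40 rtr1.example.net alice tty2 10.255.0.7 stop task_id=12 service=shell priv-lvl=15 cmd=copy tftp://192.0.2.9/c2900-universalk9-mz.bin flash:
Sep 16 08:03:05 rtr1.example.net alice tty2 10.255.0.7 stop task_id=13 service=shell priv-lvl=15 cmd=boot system flash:c2900-universalk9-mz.bin
Sep 16 08:03:20 rtr1.example.net alice tty2 10.255.0.7 stop task_id=14 service=shell priv-lvl=15 cmd=write memory
Sep 16 09:15:00 rtr1.example.net bob tty3 198.51.100.23 stop task_id=15 service=shell priv-lvl=15 cmd=show running-config
Sep 16 09:15:30 rtr1.example.net bob tty3 198.51.100.23 stop task_id=16 service=shell priv-lvl=15 cmd=reload
this line is not an accounting record
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTING.splitlines()):
        print(f"{f.record.ts} {f.record.device} {f.record.user}@{f.record.src}: {f.record.cmd}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the three image/boot/startup-config commands from alice are flagged even though they came from the management range with valid credentials, which is exactly the case the reply says per-command logging would surface; bob's two commands are flagged for the source address, and the reload for both reasons. This covers only the "per-command logging and monitoring of same" part of the reply; iACLs and monitoring of traffic to and from router interfaces are separate controls not shown here.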