[87921] in North American Network Operators' Group


Re: Is my router owned? How would I know?

daemon@ATHENA.MIT.EDU (Alexei Roudnev)
Sat Jan 14 05:02:42 2006

From: "Alexei Roudnev" <alex@relcom.net>
To: "Mikael Abrahamsson" <swmike@swm.pp.se>,
	"NANOG" <nanog@merit.edu>
Date: Sat, 14 Jan 2006 01:56:27 -0800
Errors-To: owner-nanog@merit.edu


Some Cisco IOSes have numerous bugs related to SNMP (I watched a few cases
when all Cisco 72xx's lost configuration because of receiving something
bogus), so SNMP should be filtered out from the public Internet.


----- Original Message ----- 
From: "Mikael Abrahamsson" <swmike@swm.pp.se>
To: "NANOG" <nanog@merit.edu>
Sent: Thursday, January 12, 2006 2:09 PM
Subject: Re: Is my router owned? How would I know?


>
> On Thu, 12 Jan 2006, Rob Thomas wrote:
>
> > If there are new or changed SNMP RW community strings, look out!
>
> If you have any SNMP v1/v2 RW communities whatsoever, you're likely to
> be owned, at least if they're common to several units in your network and
> you don't limit what part of the tree the RW communities can access.
>
> Seems like a common attack vector is to send SNMP WRITE and upload the
> router configuration to a hacked tftp server, and then iterate thru the
> network as a lot of people have a single SNMP WRITE community in their
> network.
>
> -- 
> Mikael Abrahamsson    email: swmike@swm.pp.se
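
An audit for the exposure described in the quoted message, as an added example that is not part of the thread: it scans saved IOS configurations for RW communities that have no view restriction, no access list, or a string shared across several devices. The hostnames, community strings, issue labels and function names are constructed for illustration.

```python
from collections import defaultdict

def parse_community(line):
    """Parse 'snmp-server community <string> [view <name>] [ro|rw] [<acl>]'."""
    tok = line.split()
    if len(tok) < 3 or [t.lower() for t in tok[:2]] != ["snmp-server", "community"]:
        return None
    name, rest = tok[2], tok[3:]
    view = None
    if len(rest) >= 2 and rest[0].lower() == "view":
        view, rest = rest[1], rest[2:]
    mode = "ro"  # IOS treats a community with no keyword as read-only
    if rest and rest[0].lower() in ("ro", "rw"):
        mode, rest = rest[0].lower(), rest[1:]
    return name, view, mode, bool(rest)  # leftover tokens = access list

def audit(configs):
    """configs: {hostname: config text} -> sorted list of (hostname, issue)."""
    findings = set()
    rw_hosts = defaultdict(set)  # community string -> hosts where it is RW
    for host, text in configs.items():
        for line in text.splitlines():
            parsed = parse_community(line.strip())
            if not parsed or parsed[2] != "rw":
                continue
            name, view, _, has_acl = parsed
            rw_hosts[name].add(host)
            if view is None:
                findings.add((host, "rw-community-without-view"))
            if not has_acl:
                findings.add((host, "rw-community-without-acl"))
    for hosts in rw_hosts.values():
        if len(hosts) > 1:  # one leaked string would unlock every one of these
            findings.update((h, "rw-community-shared") for h in hosts)
    return sorted(findings)  # community strings are never echoed in findings

# Constructed sample configurations (hostnames and strings are made up).
SAMPLE_CONFIGS = {
    "core1": "hostname core1\nsnmp-server community example-rw RW\n",
    "core2": "hostname core2\nsnmp-server community example-rw RW 10\n",
    "edge1": "snmp-server community example-ro RO\n"
             "snmp-server community example-edge view LIMITED RW 10\n",
}

if __name__ == "__main__":
    for host, issue in audit(SAMPLE_CONFIGS):
        print(host, issue)
```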

