Network equipment emergency response Guide
2022-07-04 04:51:00 【Planet Guardian】
List of articles
- 0x01 Network equipment emergency response
- 0x02 Detection and analysis
- One 、 Establish a router connection
- Two 、 Record system time
- Three 、 Identify who is logged in
- Four 、 Determine the router's uptime
- Five 、 Determine the listening sockets
- Six 、 Storage of the router configuration
- Seven 、 Check the routing table
- Eight 、 Check the interface configuration
- Nine 、 View the ARP cache
- 0x03 Handling of emergency security events
- 0x04 Conclusion
- Extract
0x01 Network equipment emergency response
- Network devices store little data and have relatively simple functions, so they are less likely to be the ultimate target of an attack.
- Network devices are more likely to serve as the attacker's springboard for an intrusion into the network.
The following discussion uses Cisco routers as the example, but the concepts apply to the products of most other manufacturers.
0x02 Detection and analysis
- Begin the response process by collecting the most volatile data first.
- The order of volatility says that information in memory is the most volatile, while information stored on a hard disk drive or in nonvolatile NVRAM is relatively stable.
- Therefore any information in memory that matters to the investigation must be saved before the router is powered off or its running state is changed.
- The steps discussed below are very important for routers affected by an attack. The information gathered in these investigation steps lets you determine whether the router differs from what you expect.
- If it does differ, that indicates the router has been compromised.
- Depending on the specifics of a given security event, you may choose to skip or reorder some of the steps discussed here.
One 、 Establish a router connection
- Before doing anything else, a connection to the router must be established.
- The best way to access the router is from the console.
- If you connect directly to the router, you are less likely to be noticed by an attacker who is on the network.
- If you connect to the router with telnet, an attacker running a sniffer may see your traffic and realize that an investigation is under way.
- If console access is not available, a dial-up connection or an encrypted protocol such as SSH is a better choice than telnet.
- Once the connection to the router is established, make sure the entire session is logged.
Two 、 Record system time
One of the first steps should be to record the system time. The show clock command returns it.
Router>show clock
Three 、 Identify who is logged in
Next, determine whether anyone else is logged in to the router. The show users and systat commands give this information.
Router>show users
Four 、 Determine the router's uptime
The time the system has been up since its last restart is also important. The show version command provides it.
Router>show version
Five 、 Determine the listening sockets
- Routers provide many services that accept remote connections.
- The best known is telnet, but there are others.
- One way to find out whether there are other ways to reach the router is to determine which ports (sockets) on the router are listening.
- To determine which services the router is running, you can use an external port scanner or check the configuration file.
- If the router is found to allow remote management through a web server on port 80, note that port 80 is usually allowed through the firewall.
- That would be the most likely path for an attacker to reach and reconfigure the router.
Six 、 Storage of the router configuration
- A Cisco router's configuration is stored in NVRAM, but the router's configuration can be changed directly without touching NVRAM.
- Configuration changes are made in RAM; the configuration is written to NVRAM only when an administrative command is executed.
- Use the show run command to view the configuration currently loaded on the router. show startup-config displays the configuration stored in NVRAM.
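As an added example (not part of the original article, and not a Cisco tool): once show startup-config and show running-config have been captured from the logged console session, a short Python script using the standard library's difflib can list the lines that exist only in RAM, that is, changes that were made live and never written to NVRAM. The two configurations below are constructed samples, not captures from a real device.

```python
import difflib

# Constructed sample captures (not from a real device): what "show startup-config"
# (NVRAM) and "show running-config" (RAM) might return during the investigation.
STARTUP_CONFIG = """\
hostname edge-rtr
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

RUNNING_CONFIG = """\
hostname edge-rtr
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
ip route 198.51.100.0 255.255.255.0 192.0.2.254
line vty 0 4
 transport input telnet ssh
"""


def config_lines(text):
    """Normalise a captured config: drop blank lines and IOS comment/banner lines ('!')."""
    return [l.rstrip() for l in text.splitlines() if l.strip() and not l.startswith("!")]


def unsaved_changes(startup, running):
    """Return (only_in_ram, only_in_nvram): lines the running config added or dropped
    relative to the saved config. Anything listed here was changed live and never saved."""
    s, r = config_lines(startup), config_lines(running)
    only_in_ram, only_in_nvram = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, s, r).get_opcodes():
        if tag in ("delete", "replace"):
            only_in_nvram.extend(s[i1:i2])
        if tag in ("insert", "replace"):
            only_in_ram.extend(r[j1:j2])
    return only_in_ram, only_in_nvram


def unified(startup, running):
    """Human-readable unified diff for the incident record."""
    return "\n".join(difflib.unified_diff(
        config_lines(startup), config_lines(running),
        fromfile="startup-config", tofile="running-config", lineterm=""))


if __name__ == "__main__":
    added, removed = unsaved_changes(STARTUP_CONFIG, RUNNING_CONFIG)
    print("Only in running-config (unsaved):", added)
    print("Only in startup-config:", removed)
    print(unified(STARTUP_CONFIG, RUNNING_CONFIG))
```

In the constructed sample the running configuration carries an extra static route and a vty line that now accepts telnet; neither is in NVRAM, so both would be lost on reboot, which is exactly why the running configuration must be captured before the router is power-cycled.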
Seven 、 Check the routing table
- Manipulating the routing table is the primary reason for intruding into a router.
- The routing table can be manipulated in two ways: through command-line access, and through malicious router update packets.
- Use the show ip route command to view the routing table.
Eight 、 Check the interface configuration
- The interface configuration of each router can be viewed with the show ip interface command.
- This command provides a lot of information in a readable form.
Nine 、 View the ARP cache
- Attackers sometimes use spoofed IP or MAC addresses to bypass security controls, for example access control lists (ACLs), firewall rules, or switch port assignments.
- When investigating such attacks, the ARP cache can help.
- Use the show ip arp command to view the ARP cache.
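Added example (not from the original article): a Python parser for the show ip arp output captured during the session, with two triage checks for the spoofing cases described above: one hardware address answering for several IP addresses, and a known address (such as the default gateway) whose MAC no longer matches the recorded baseline. The ARP listing and the baseline mapping are constructed samples.

```python
import re
from collections import defaultdict

# Constructed "show ip arp" capture (not from a real device).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   GigabitEthernet0/1
Internet  10.1.1.2               12   aabb.cc00.0100  ARPA   GigabitEthernet0/1
Internet  10.1.1.50               3   aabb.cc00.0200  ARPA   GigabitEthernet0/1
Internet  10.1.1.254              0   aabb.cc00.0200  ARPA   GigabitEthernet0/1
"""

# Constructed baseline: IP -> MAC recorded when the network was known-good.
KNOWN_HOSTS = {"10.1.1.254": "aabb.cc00.ffff"}

ARP_RX = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(?P<iface>\S+)$")


def parse_arp(text):
    """One dict per ARP entry; the column header and any non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RX.match(line)
        if m:
            entries.append({"ip": m["ip"], "mac": m["mac"].lower(),
                            "iface": m["iface"], "age": m["age"]})
    return entries


def shared_macs(entries):
    """MACs that appear for more than one IP: a spoofing indicator worth a closer look."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def baseline_mismatches(entries, known):
    """(ip, expected_mac, observed_mac) for every known host whose MAC changed."""
    return [(e["ip"], known[e["ip"]], e["mac"])
            for e in entries if e["ip"] in known and known[e["ip"]] != e["mac"]]


if __name__ == "__main__":
    entries = parse_arp(SHOW_IP_ARP)
    print("MACs claiming several IPs:", shared_macs(entries))
    print("Baseline mismatches:", baseline_mismatches(entries, KNOWN_HOSTS))
```

Both checks produce leads rather than verdicts: a single MAC behind several IPs is also what a host with secondary addresses or a NAT device looks like, so each hit should be confirmed against the switch's MAC address table and the device inventory.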
0x03 Handling of emergency security events
The following sections focus on responding to some types of security emergencies involving routers, including how to identify conclusive evidence.
We classify security emergencies involving routers as follows:
- Direct harm
- Routing table manipulation
- Steal information
- Denial of service
One 、 Handling direct-harm security events
A direct harm to the router is any security event in which the attacker obtains interactive or privileged access to the router.
Direct harm gives the attacker control over the router and access to the data stored on it.
Recovering from direct-harm security events
When recovering from direct harm, all recovery steps should be taken with the router offline.
Recovery should reverse the attack. Examples of steps to take include the following:
- Remove all unnecessary services
- Only remote access via encryption protocol is allowed
- Disable SNMP access, or allow read-only access only
- Do not use the SNMP community string as the password for any other access
- Change all passwords
- Configure ACLs so that only trusted hosts may connect
- Upgrade the software to the latest version
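Added example, not part of the original article: a small Python audit over a captured running configuration that covers the checks from section Five (which services are listening, whether web management on port 80 is on) together with the recovery checklist above (unnecessary services, cleartext remote access, SNMP community strings, ACLs on remote access). The configuration text is a constructed sample; the keywords it looks for (ip http server, snmp-server community, transport input, access-class) are the standard IOS forms.

```python
import re

# Constructed "show running-config" excerpt (not from a real device).
SAMPLE_CONFIG = """\
version 15.2
hostname edge-rtr
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community s3cret RW
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
"""


def _has(pattern):
    """Predicate: does any top-level config line match the anchored regex?"""
    rx = re.compile(pattern)
    return lambda lines: any(rx.match(l) for l in lines)


# Global checks: (finding text, predicate over all config lines)
CHECKS = [
    ("HTTP management server enabled (TCP/80 is usually allowed through the firewall)",
     _has(r"ip http server$")),
    ("SNMP community 'public' configured (the default string)",
     _has(r"snmp-server community public\b")),
    ("SNMP community with read-write access",
     _has(r"snmp-server community \S+ RW\b")),
]


def vty_findings(lines):
    """Walk each 'line vty' block; flag cleartext telnet and missing access-class ACLs."""
    findings = []
    block, body = None, []

    def flush():
        if block is None:
            return
        allows_telnet = any(re.match(r"transport input .*\btelnet\b", l.strip()) for l in body)
        has_acl = any(l.strip().startswith("access-class ") for l in body)
        if allows_telnet:
            findings.append(f"{block}: cleartext telnet allowed")
        if not has_acl:
            findings.append(f"{block}: no access-class ACL restricting source hosts")

    for l in lines:
        if l.startswith("line vty"):
            flush()
            block, body = l, []
        elif block is not None and l.startswith(" "):   # indented line belongs to the block
            body.append(l)
        else:
            flush()
            block, body = None, []
    flush()
    return findings


def audit(config_text):
    """Return a list of human-readable findings for the captured configuration."""
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip()]
    findings = [msg for msg, pred in CHECKS if pred(lines)]
    findings.extend(vty_findings(lines))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

The audit is a static view of what the configuration says; it complements rather than replaces an external port scan, because a service can be listening that the configuration excerpt does not show.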
Two 、 Handling routing table manipulation security events
Routers can use a variety of protocols to update their routing tables, including RIP, OSPF, EIGRP, IGRP, BGP, and others.
Attacks involving routing table manipulation compromise the function of the router, not the router itself.
Investigating routing table manipulation security events
- Use the show ip route command to view the current routing table.
- If any route fails a sanity check, or packets appear to be routed to a remote network, investigate carefully.
- If an unfamiliar static route appears in the routing table, the router may have suffered direct harm.
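Added example (not from the original article): a Python parser for show ip route output that serves both section Seven (viewing the routing table) and the investigation steps above. It compares today's capture against a known-good capture and lists static routes that no administrator configured on purpose, which is the "unfamiliar static route" case. Both captures and the set of known static routes are constructed samples.

```python
import re

# Constructed "show ip route" captures (not from a real device). BASELINE was
# recorded when the router was known-good; CURRENT is the capture under investigation.
BASELINE = """\
Codes: L - local, C - connected, S - static, O - OSPF, * - candidate default
Gateway of last resort is 192.0.2.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.0.2.254
C        192.0.2.0/24 is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/1
L        10.1.1.1/32 is directly connected, GigabitEthernet0/1
O        203.0.113.0/24 [110/2] via 10.1.1.2, 00:10:42, GigabitEthernet0/1
"""

CURRENT = """\
Codes: L - local, C - connected, S - static, O - OSPF, * - candidate default
Gateway of last resort is 192.0.2.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.0.2.254
C        192.0.2.0/24 is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/1
L        10.1.1.1/32 is directly connected, GigabitEthernet0/1
S        198.51.100.0/24 [1/0] via 10.1.1.99
O        203.0.113.0/24 [110/2] via 10.1.1.2, 00:10:42, GigabitEthernet0/1
"""

# Constructed: the static routes the administrators say they configured deliberately.
KNOWN_STATIC = {("0.0.0.0/0", "192.0.2.254")}

ROUTE_RX = re.compile(r"^(?P<code>[A-Z]{1,2}\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")


def parse_routes(text):
    """One dict per route line; header, gateway and 'subnetted' summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RX.match(line)
        if not m:
            continue
        nh = re.search(r"via (\d+\.\d+\.\d+\.\d+)", m["rest"])
        iface = re.search(r",\s*(\S+)$", m["rest"])   # IOS prints the interface last, after a comma
        routes.append({
            "code": m["code"].rstrip("*"),            # 'S*' (candidate default) -> 'S'
            "prefix": m["prefix"],
            "next_hop": nh.group(1) if nh else None,
            "interface": iface.group(1) if iface else None,
        })
    return routes


def route_key(r):
    return (r["code"], r["prefix"], r["next_hop"], r["interface"])


def diff_routes(baseline_text, current_text):
    """(added, removed) route keys in the current capture relative to the known-good one."""
    base = {route_key(r) for r in parse_routes(baseline_text)}
    cur = {route_key(r) for r in parse_routes(current_text)}
    return cur - base, base - cur


def unfamiliar_static(text, known_static):
    """Static routes whose (prefix, next hop) nobody configured on purpose."""
    return [r for r in parse_routes(text)
            if r["code"] == "S" and (r["prefix"], r["next_hop"]) not in known_static]


if __name__ == "__main__":
    added, removed = diff_routes(BASELINE, CURRENT)
    print("Routes added since baseline:", added)
    print("Routes removed since baseline:", removed)
    for r in unfamiliar_static(CURRENT, KNOWN_STATIC):
        print("Unfamiliar static route:", r["prefix"], "via", r["next_hop"])
```

A route that appears only in the current capture and is not in the administrators' list of deliberate static routes is the lead to follow; the next-hop address tells you which host on the connected segment the traffic is being steered through.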
Recovering from routing table manipulation security events
Recovering from a routing table attack is simple:
- Remove the harmful static routes and restart the router.
- Preventing future attacks, however, is somewhat harder.
- ACLs can be introduced to restrict the router so that it accepts updates only from known good source addresses.
- The chosen routing protocol should support authentication, and authentication should be enabled.
Three 、 Handling information theft security events
- Typical information that attackers collect from routers includes passwords, routing information, and topology information.
- Recovering from information theft means changing passwords, avoiding password reuse, and limiting the attacker's ability to obtain sensitive information.
- The service most likely to cause such incidents is SNMP, which when enabled uses a default community string: public.
- If this service is enabled, attackers can obtain a great deal of sensitive network information.
Four 、 Handling denial of service attacks
Denial of service (DoS) attacks are often directed at routers.
If an attacker can force the router to stop forwarding packets, all hosts behind that router are effectively disabled.
DoS attacks fall into several basic categories:
- Destruction: an attack that destroys the router's ability to operate, for example by deleting the configuration or unplugging the power
- Resource consumption: an attack that reduces the router's ability to operate, for example by opening many connections to the router at the same time
- Bandwidth consumption: an attack that attempts to exhaust the router's network bandwidth
Investigating DoS attacks
- Determining the type of DoS attack should be relatively easy.
- If the router does not work at all, it may be a destructive attack.
- First check the obvious: power supply, cables, and configuration.
- If the router restarts from time to time, a point-to-point attack may be the cause; if performance degrades evenly, a resource or bandwidth consumption attack may be the cause.
- Packet congestion on the router can also degrade performance.
- If the router has open ports, too many SYN or similar packets can affect its performance.
- Even if the router has no open ports, traffic congestion can still affect the router or consume bandwidth, greatly degrading network performance.
- Distributed denial of service attacks are an example of bandwidth attacks.
Recovering from DoS attacks
DoS attacks have a serious impact on the network, and recovery usually involves a mix of the following measures:
- Remove listening services
- Upgrade the software to the latest version
- Use ACLs to restrict access to listening services
- Use ACLs to limit malicious traffic
- Use dedicated anti-DoS devices
0x04 Conclusion
- Network devices can play many roles in a network attack: a springboard for the attack, the target of the attack, or a tool for emergency response.
- For network administrators, the most important thing is to understand the various functions of network devices and use them to detect, handle, and recover from security events.
Extract
Take things lightly, look past them, and they become a little lighter.
Life is like the moon: it waxes and wanes.
With an indifferent heart, take it calmly.
On the journey of life, setbacks are fine; make the best of the situation and face it naturally.
Don't think too hard about life and you won't live too tired; spend every day happily.