2. AGENDA
Introduction
Overview of Routers
Router Attack Topology
Common Router Attacks
Performing Forensics
Incident Investigation
Accessing the Router
Documentation
What are the “BAD GUYS” doing
What are the “GOOD GUYS” doing
Why do we need to protect Router Resources
Why do we need Router Forensics
3. INTRODUCTION
Router forensics is the application of proven scientific methods and techniques to recover data from routers after an intruder attack and to apply forensic practice (law enforcement, documentation of the incident).
4. WHAT IS A ROUTER?
A computer that specializes in sending packets over the data network. Routers are responsible for interconnecting networks by selecting the best path for a packet to travel to its destination.
5. HOW DOES A ROUTER WORK
Routers forward data packets from one router to another using various routing protocols and the routing table to choose the optimum path.
The routing table may contain various fields.
13. GATHER VOLATILE ROUTER DATA
Connect to the console port; this needs a console cable and a laptop with terminal emulation software.
Record the system time and determine who is logged on.
Save the router configuration.
Review the routing table to detect malicious static routes modified by the attacker.
View the ARP cache for evidence of IP or MAC spoofing.
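An added example (not part of the original slides) of the last two checks above: it parses a recorded console session and flags static routes that are absent from the saved baseline configuration, and MAC addresses that answer for more than one IP in the ARP cache. The sample session text is constructed and only approximates the layout of "show ip route" and "show arp" output.

```python
import re

# Constructed sample of a captured console session (not real router output);
# the layout follows the general shape of Cisco "show ip route" and "show arp".
SHOW_IP_ROUTE = """\
S*   0.0.0.0/0 [1/0] via 192.168.1.1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O    172.16.0.0/16 [110/20] via 192.168.1.2, 00:10:22, FastEthernet0/0
S    10.10.10.0/24 [1/0] via 192.168.1.254
"""

SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             5   0011.2233.4455  ARPA   FastEthernet0/0
Internet  192.168.1.2            12   aabb.ccdd.eeff  ARPA   FastEthernet0/0
Internet  192.168.1.254           0   0011.2233.4455  ARPA   FastEthernet0/0
"""

# Static routes that the saved (known-good) configuration is expected to contain.
BASELINE_STATIC = {("0.0.0.0/0", "192.168.1.1")}

# Matches a static route line: code S or S*, prefix, [AD/metric], next hop.
ROUTE_RE = re.compile(r"^S\*?\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+?),?(?:\s|$)")


def unexpected_static_routes(show_ip_route, baseline):
    """Return (prefix, next hop) static routes that are not in the baseline."""
    found = set()
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            found.add((m.group(1), m.group(2)))
    return sorted(found - baseline)


def shared_mac_entries(show_arp):
    """Map each MAC address that answers for more than one IP to those IPs."""
    by_mac = {}
    for line in show_arp.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "Internet":
            continue  # header line or incomplete entry
        ip, mac = parts[1], parts[3]
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for prefix, nh in unexpected_static_routes(SHOW_IP_ROUTE, BASELINE_STATIC):
        print(f"static route not in baseline: {prefix} via {nh}")
    for mac, ips in shared_mac_entries(SHOW_ARP).items():
        print(f"MAC {mac} claims several IPs: {', '.join(ips)}")
```

A single MAC claiming the gateway address and another host is the classic sign of ARP spoofing; a static route the baseline does not know about is the kind of entry an attacker adds to redirect traffic.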
14. INCIDENT INVESTIGATION
Direct compromise: via physical access, listening services, password guessing by TFTP, console access
Routing table manipulation: by modifying routing protocols (RIP, IGRP); review the routing table with “show ip route”
Theft of information: via access control and network topology
DoS: resource and bandwidth consumption reduces functionality and network bandwidth
15. Contd...
FOR RECOVERY:
Eliminate listening services
Upgrade of software
Access restriction
Authentication
Change all passwords
Avoid password reuse
Remove static routing entries
16. ACCESSING THE ROUTER
DO:
Access the router through the console
Record your entire console session
Run show commands
Record the actual time and the router’s time
Record the volatile information
DON’T:
REBOOT THE ROUTER
Access the router through the network
Run configuration commands
Rely only on persistent information
17. DOCUMENTATION
Chain of custody: to prove the integrity of the evidence
Case reports: employee remediation, employee termination, civil proceedings, criminal prosecution, case summary, bookmarks
Incident response: the effort of an organisation to define and document the nature and scope of a computer security incident.
18. WHAT THE “BAD GUYS” ARE DOING
Internet Router Protocol Attack Suite (IRPAS): a suite of tools designed to abuse inherent design insecurity in routers and routing protocols. Tools: ass, igrp, hsrp
VIPPR: can be used to establish MITM for compromised routers
UltimaRatio: working exploit tool for use against 1000, 1600/1700 and 2600 series routers
Research
19. WHAT THE GOOD GUYS ARE DOING
Router Audit Tool (RAT): written in Perl, highly customizable, a passive tool to analyze a Cisco router; scores the overall security of your router; supports Unix and Windows systems
Books and white papers on securing routers
Employ strong authentication: encrypted management traffic, two-phase authentication, centralised authentication source.
20. WHY WE NEED TO PROTECT ROUTER RESOURCES
Often the “heart” of the network
Gaining a lot more attention from attackers
Few procedures on hardening routers
Routers are much slower to get upgraded to solve security bugs
Few people monitor their configurations regularly
Few security measures in place
There are millions of them
21. NEED FOR ROUTER FORENSICS
Operational Troubleshooting
Log Monitoring
Data Recovery
Data Acquisition
Due Diligence/Regulatory compliance