[c-nsp] Worst case: Compromised Internet router?

William McCall william.mccall at gmail.com
Sat Apr 25 23:57:15 EDT 2009


On Sat, Apr 25, 2009 at 8:24 PM, John Edwards <john at vocus.com.au> wrote:

> On 26/04/2009, at 8:31 AM, Jared Mauch wrote:
>
>> What if they set up lawful intercept on the device? That could relay all
>> your packets without visible configuration, or just the "interesting" ones.
>
What about this one:

Spammer has a fat pipe, but IRL, their IPs get blacklisted pretty quickly.
What about a compromised box being used with a tunnel (GRE or L2TP) to
utilize your compromised box and related IP space for the funness?

I recently had a discussion with a spammer who wondered why the spam
industry hasn't turned to this as a solution. He said that after running a
scan of about a /16 worth of machines, he found over 1000 Cisco routers with
cisco/cisco for u/p. Now, he is a legitimate person (relative to the spam
world), but the nefarious type could certainly exploit it for whatever
benefit they saw fit. The possibilities are endless for a compromised
router. With the TCL interpreter, you could even turn compromised routers
into small botnets.

When you ask yourself "what can a compromised router do?" ask yourself "What
can a compromised host do with small disk space and limited processing
power?" Some routers are beefier than others, but the majority... eh, not so
much.
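The three indicators the post raises (a tunnel interface carrying someone else's traffic out of your address space, the cisco/cisco default account, and TCL hooks left behind via EEM) all show up in a running-config dump, so a cheap first check is to audit the config text for them. The script below is an added example, not code from the list post or from Cisco; the running-config it parses is constructed, and the KNOWN_TUNNEL_PEERS allowlist is an assumed operator-maintained input. As Jared's quoted remark notes, lawful intercept set up through SNMP does not appear in the running-config, so a check like this covers only what the config shows.

```python
"""
Audit a Cisco IOS-style running-config dump for indicators discussed in the
thread: tunnel interfaces to unknown peers, the default cisco/cisco credential,
TCL/EEM scripting hooks, and telnet exposure on the vty lines.

Added example.  SAMPLE_CONFIG is constructed (not from any real device) and
KNOWN_TUNNEL_PEERS is an assumed allowlist the operator would maintain.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: one legitimate loopback and LAN interface, one GRE tunnel
# to an address nobody on the team recognises, the default cisco/cisco account,
# and an EEM applet that launches a TCL script from flash every five minutes.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username admin privilege 15 secret 5 $1$salt$notarealhash0000000000
username cisco privilege 15 password 0 cisco
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
event manager applet keepalive
 event timer watchdog time 300
 action 1.0 cli command "tclsh flash:/sync.tcl"
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Assumed allowlist of tunnel endpoints the operator set up deliberately.
KNOWN_TUNNEL_PEERS: Set[str] = {"192.0.2.200"}


@dataclass
class Finding:
    kind: str    # short tag, e.g. "default-credential"
    where: str   # config header line that triggered it
    detail: str  # human-readable explanation


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header, [indented body lines]) pairs.
    Top-level commands get an empty body; '!' separators are dropped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
            continue
        blocks.append((raw.strip(), []))
    return blocks


def audit_config(config: str, known_peers: Set[str] = KNOWN_TUNNEL_PEERS) -> List[Finding]:
    findings: List[Finding] = []
    for header, body in parse_blocks(config):
        # 1. Local accounts: a type-0 (plaintext) password equal to the username
        #    is exactly what "cisco/cisco" looks like in a running-config.
        m = re.match(r"username (\S+) .*?password (?:0 )?(\S+)$", header)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append(Finding("default-credential", header,
                                    f"user '{m.group(1)}' has password equal to username"))
        # 2. Tunnel interfaces: report any whose far end is not on the allowlist.
        if header.startswith("interface Tunnel"):
            mode, src, dst = "gre ip", None, None  # 'gre ip' is the IOS default mode
            for line in body:
                if line.startswith("tunnel mode "):
                    mode = line[len("tunnel mode "):]
                elif line.startswith("tunnel source "):
                    src = line.split()[-1]
                elif line.startswith("tunnel destination "):
                    dst = line.split()[-1]
            if dst is None or dst not in known_peers:
                findings.append(Finding("unknown-tunnel", header,
                                        f"{mode} tunnel from {src} to {dst} not in known peer list"))
        # 3. EEM entries that run TCL (registered policies or applets calling tclsh).
        if header.startswith("event manager "):
            tcl_lines = [l for l in body if "tclsh" in l]
            if header.startswith("event manager policy") or tcl_lines:
                findings.append(Finding("tcl-hook", header,
                                        "EEM entry runs TCL: " + (tcl_lines[0] if tcl_lines else header)))
        # 4. Telnet on the vty lines is what makes a credential scan like the one
        #    described in the post trivially cheap to run.
        if header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and ({"telnet", "all"} & set(line.split())):
                    findings.append(Finding("telnet-enabled", header, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, e.g. {'unknown-tunnel': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.kind}] {f.where}: {f.detail}")
```

Run it against `show running-config` output captured over an out-of-band path rather than a config pulled through the box you suspect; the rest of the thread's point is that a router you no longer control will tell you whatever the attacker wants it to.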

