Analysis and Practice of network route security attack and defense measures

Source: Internet
Author: User

The security of network routers has been widely discussed. Although we do not see many router intrusion incidents, many people still think of routing as nothing more than the channel that carries information from the source node to the target node across the interconnected network. In fact, a router carries many security risks; attacks on routers are still rare, but if a router is attacked, the consequences are hard to imagine.

Router Security that cannot be ignored

A router is one of the most important devices on the Internet: tens of thousands of routers all over the world form the "bridges" of the Internet, the giant information network that keeps running around us day and night. On the Internet, routers act as the "relay stations" that forward data packets. For hackers, it is usually easier to launch an attack by exploiting router vulnerabilities: attacking a router can waste its CPU cycles, misdirect traffic, and paralyze the network. A good router will itself adopt a sound security mechanism to protect itself, but this alone is far from enough; to keep a router secure, the network administrator must take appropriate security measures while configuring and managing it.

Router Data Flow

Most popular routers exist as hardware devices, but in some cases "software routers" are implemented purely in software. The only difference between the two is execution efficiency. A router is generally connected to at least two networks and determines the transmission path of each data packet based on the state of the networks it is connected to. The router generates and maintains a table called the routing information table, in which the addresses and status information of adjacent routers are tracked.

Using the routing information table, the router determines the optimal transmission path for a specific data packet according to optimization criteria such as transmission distance and communication cost. This is what gives the router its "intelligence": it automatically selects and adjusts packet forwarding according to the actual running state of the adjacent networks, doing its best to deliver packets along the optimal route at the minimum cost. Whether a router runs securely and stably therefore directly affects Internet activity. Whatever the cause, if a router crashes, denies service, or suffers a sharp drop in operating efficiency, the results are disastrous.

Router Security Analysis

Router security has two aspects: the security of the router itself and the security of the data passing through it. Because the router is the core of the Internet and the key device for interconnecting networks, its security requirements are higher than those of other devices. A vulnerability in a host at most makes that host inaccessible; a vulnerability in a router may make the entire network inaccessible.

Router vulnerabilities can have management causes and technical causes. On the management side, poorly chosen router passwords, improper use of routing-protocol authorization mechanisms, and incorrect routing configurations can all cause problems in router operation. On the technical side, router vulnerabilities include exposure to malicious attacks such as eavesdropping, traffic analysis, forgery, replay, denial of service, unauthorized resource access, interference, and viruses. There are also software vulnerabilities, such as backdoors, operating system vulnerabilities, database vulnerabilities, TCP/IP protocol vulnerabilities, and vulnerable network services.

Many router vendors have begun to add security modules to their routers to ensure that legitimate traffic is forwarded to its destination completely, promptly, and securely; for example, firewall, VPN, IDS, anti-virus, and URL-filtering technologies are built into the router, leading to a convergence of routers and security devices. In essence, a router with a security module implements its routing functions no differently from an ordinary router. The difference is that a router with a security module can strengthen the protection of packets through encryption, authentication, and other technical means, and can cooperate effectively with dedicated security devices to improve both its own security and the availability of the network segments it manages.

To protect a router we must also consider how it is configured. A router can generally be configured through a terminal connected to the Console port; remotely, through a modem on the AUX port connected to the telephone network; over a TCP/IP network, through a virtual terminal (Telnet); by downloading a configuration from a TFTP server; or from a network management workstation. The biggest threat from a router attack is that the network becomes unusable, and such attacks require a large number of servers close to the backbone network. A router does have an operating system and software, but compared with other operating systems the difference is very obvious: because its function is narrow, compatibility and ease of use are not considered, the core is fixed, and the administrator is generally not allowed to log on remotely. In addition, very few people understand routers, so their security problems are not obvious. Occasionally the device crashes; the administrator issues a reboot command, and the problem seems to be gone.

Because of this, many router administrators pay little attention to router security as long as the network is running, since the router is usually maintained by the manufacturer. Some manufacturers even say: "If you forget the password, please contact the dealer." Unix has many vulnerabilities; what about the far more fragile operating system of a router? Of course, it is generally hard to penetrate a router, because remote login is not possible and the administrator usually does not enable it. However, routers have many denial-of-service vulnerabilities. Many administrators also share a bad habit: they work hard on Windows operating system patches, but are too lazy to apply patches to the router's operating system.

Five types of security control technology for Routers

Access control technology: user authentication is the basic technology for protecting users. A router can use a variety of user access control methods, such as PPP, Web login authentication, ACLs, and 802.1x, to protect access users from network attacks and to prevent access users from attacking other users and networks. Security authentication based on a CA (certificate authority) standard system further strengthens access control.

Transmission encryption technology: IPSec is a protocol commonly used by routers, and with it a router supports the establishment of a Virtual Private Network (VPN). IPSec comprises ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE (Internet Key Exchange), the key management protocol. It can be used on public IP networks to ensure the reliability and integrity of data communication, so that data passes through the public network without being intercepted. IPSec is easy to deploy: only the routers or hosts at the two ends of the secure channel need to support it, and the existing network infrastructure hardly needs to change. This is precisely why IPSec can secure many applications, including remote login, client/server applications, e-mail, file transfer, and Web access.

Firewall protection technology: a router with a firewall module has a packet filtering function that filters and checks every packet it receives and forwards; the inspection policy can be changed and managed through configuration. The router can also use NAT/PAT to hide the intranet topology, and can further implement application-layer gateway (ALG) functions. Some routers also provide protection based on packet content. The principle is that when a packet passes through the router, the firewall module compares it against the specified access rules. If a rule permits the packet, it is inspected further; otherwise it is discarded immediately. If the packet opens a new control or data connection, the protection module dynamically modifies or creates rules and updates the state table to allow packets belonging to the new connection; a returning packet is allowed through only if it belongs to an existing valid connection.
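The stateful inspection described above, as an added example in Python that is not from the original article: outbound packets are matched against an access rule set, permitted flows are recorded in a state table, and inbound packets pass only as replies to a recorded flow. The rule set, addresses and field names are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# Constructed access rules: (protocol, destination port) flows that inside
# hosts may open toward the outside; anything else is denied outright.
PERMIT_RULES = {("tcp", 80), ("tcp", 443), ("udp", 53)}

def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)
def reply_key(p):
    # 5-tuple of the outbound flow that packet p would be a reply to
    return (p.proto, p.dst, p.dport, p.src, p.sport)

class StatefulFilter:
    def __init__(self):
        self.state = set()   # state table: 5-tuples of admitted connections
    def outbound(self, p):
        # Inside -> outside: consult the rules; a permitted packet opens a
        # new connection, which is recorded so that its replies can return.
        if (p.proto, p.dport) not in PERMIT_RULES:
            return False     # no rule permits it: discard immediately
        self.state.add(flow_key(p))
        return True

    def inbound(self, p):
        # Outside -> inside: only replies to an existing valid connection
        # pass; unsolicited packets (even to a permitted port) are dropped.
        return reply_key(p) in self.state

    def close(self, p):
        # Connection torn down (e.g. TCP FIN/RST): drop its table entry.
        self.state.discard(flow_key(p))

def demo():
    """Run constructed packets through the filter; returns the verdicts."""
    fw = StatefulFilter()
    req = Packet("tcp", "192.168.1.10", 40000, "203.0.113.9", 443)
    reply = Packet("tcp", "203.0.113.9", 443, "192.168.1.10", 40000)
    spoofed = Packet("tcp", "198.51.100.7", 443, "192.168.1.10", 40000)
    telnet = Packet("tcp", "192.168.1.10", 40001, "203.0.113.9", 23)
    verdicts = [fw.outbound(req), fw.inbound(reply), fw.inbound(spoofed), fw.outbound(telnet)]
    fw.close(req)
    verdicts.append(fw.inbound(reply))   # reply after teardown is dropped
    return verdicts                      # [True, True, False, False, False]
```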

Intrusion detection technology: intrusion detection (IDS) is a very important technology in the security architecture. Some routers and high-end switches now have built-in IDS modules; a built-in intrusion detection module requires the router to provide comprehensive port mirroring (one-to-one and many-to-one) and packet statistics functions.

HA (high availability): to improve its own security, a router must support backup protocols such as VRRP and provide log management, making network data more redundant and more secure.

Router intrusion methods and countermeasures

Generally speaking, the methods hackers use to attack routers are similar to those used to attack other computers on the Internet; strictly speaking, a router is itself a computer with a special mission, even if it does not look as familiar as a PC. Hacker attacks on routers fall into two types: one is to obtain management privileges by some means or channel and intrude directly into the system; the other is a remote attack that crashes the router or greatly reduces its operating efficiency. Of the two, the former is more difficult.

In the first type of intrusion, hackers generally exploit the carelessness of system users or known system defects, such as "bugs" in system software, to gain access to the system, and then obtain super-administrator privileges through a series of further steps. It is usually hard for a hacker to gain control of the entire system from the start; in general, this is a gradually escalating intrusion. Because routers do not have as many user accounts as ordinary systems, and often run dedicated software with relatively high security, it is much harder for a hacker to gain management rights on a router than to break into an ordinary host.

Therefore, most existing hacker attacks against routers fall into the second type. The ultimate goal of such an attack is not to break into the system directly, but to send the system a large number of "junk" packets, either as a burst of aggressive packets or at a fixed interval, consuming a great deal of the router's system resources so that it cannot work normally or even crashes completely.

A router is the communication egress between an internal network and the outside world. It balances bandwidth and performs IP address translation on the network, allowing many internal computers to access the Internet simultaneously through a small number of external IP addresses. Once a hacker has compromised a router, the hacker controls access from the internal network to the external network. If the router is hit by a denial-of-service attack, the internal network cannot access the Internet, and the network may even be paralyzed. Specifically, the following countermeasures can be implemented:

Prevent external ICMP redirect spoofing. Attackers sometimes use ICMP redirects to redirect the router, diverting information that should have gone to the correct destination to a device they specify in order to obtain useful information. The commands to prohibit external users from using ICMP redirects are: interface serial0, followed by no ip redirects.

Prevent external source-route spoofing. Source routing selects the route for a datagram from data link layer information, bypassing the routing information at the network layer; this allows an intruder to specify an illegal route for internal datagrams, so that a datagram originally sent to a valid destination goes instead to an address the intruder specifies. The command to prohibit source routing is: no ip source-route.

How can theft of internal IP addresses be prevented? Attackers may steal internal IP addresses to gain unauthorized access. To address this, use the ARP command of the Cisco router to bind a fixed IP address to a MAC address. The specific command is: arp <fixed-IP-address> <MAC-address> arpa.

Prevent Smurf attacks at the source. The key is to block all inbound echo requests, which stops the router from mapping traffic directed to the network broadcast address onto the LAN broadcast address. Enter the command no ip directed-broadcast in LAN interface configuration mode.
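As an added example that is not from the original article, a small Python audit that checks a saved Cisco IOS running-config for the four countermeasures above (no ip redirects, no ip source-route, static arp bindings, no ip directed-broadcast). The config excerpt, interface names and addresses are constructed; the checker assumes the settings are written out explicitly in the config text (see the note in audit()).

```python
import re

SAMPLE_CONFIG = """\
arp 192.168.1.10 0011.2233.4455 arpa
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
"""

def parse_config(text):
    """Split config text into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' separates sections
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Return findings for the four settings; an empty list means all present.
    Assumes the settings appear explicitly: on IOS versions that omit a default
    such as 'no ip directed-broadcast' from the running config, a finding is a
    lead to confirm on the device, not proof of a gap."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "no ip source-route" not in global_lines:
        findings.append("global: source routing not disabled")
    if not any(g.startswith("arp ") for g in global_lines):
        findings.append("global: no static ARP bindings")
    for name, lines in interfaces.items():
        if "no ip redirects" not in lines:
            findings.append(f"{name}: ICMP redirects not disabled")
        if "no ip directed-broadcast" not in lines:
            findings.append(f"{name}: directed broadcasts not disabled")
    return findings
```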

