New network threat: a routing attack becomes a network killer

Source: Internet
Author: User

Router intrusions are uncommon in normal times, so many people think of a router as nothing more than a channel that carries information from a source node to a destination node across an interconnected network. In reality, routers carry many security risks. Attackers do not target them often and attacks are rare, but when a router is compromised the consequences are severe.
Router security cannot be ignored
A router is the communication outlet between the internal network and the outside world. It balances bandwidth and translates IP addresses, allowing a small number of external IP addresses to serve many internal computers accessing the Internet at the same time. Once an attacker takes over a router, the attacker controls how the internal network reaches the outside. Moreover, if a router is attacked, the internal network may lose Internet access or the whole network may be paralyzed.
Routers are generally configured in one of the following ways: connect a terminal to the Console port; connect a modem to the AUX port and configure the device over the telephone network; on a TCP/IP network, use a virtual terminal (telnet) session or download the configuration from a TFTP server; or use a network management workstation. The biggest threat from a router attack is that the network becomes unusable, and such attacks require a large number of servers close to the backbone network. A router does have an operating system and software, but the difference from other operating systems is obvious. Because the device has a single function, compatibility and ease of use are not design priorities, the core is fixed, and the administrator generally does not allow remote logins. In addition, few people understand routers well, so their security problems are not obvious. Occasionally the system crashes; the administrator issues a reboot command and the problem appears to go away.
Because of this, many router administrators pay little attention to the device as long as the network runs smoothly, and the router is usually maintained by the manufacturer. Some manufacturers even say: "If you forget the password, please contact the dealer." Unix has many known vulnerabilities; how much more fragile is a router's operating system? Of course, attackers generally cannot get inside the router directly, because remote login is not possible and the administrator will usually not open it. However, routers have many denial-of-service vulnerabilities. Many administrators also share a habit: they work hard on Windows operating system patches, but are too lazy to apply patches to the router's operating system.
A "universal password" attack on a router
Back in school, Xiao Zhang was very interested in router configuration, and the mentor who managed the data center was an expert in this field; it was said that he had decompiled and analyzed the operating system of a router in the school data center. According to the mentor, the router's operating system is much simpler than Linux, and that router model has a built-in password in the same way a computer BIOS does, which makes many things much more convenient. This is why some router manufacturers' manuals contain the sentence: "If you forget the password, please contact the dealer." This practice does not seem to be limited to one company's products. Xiao Zhang's conjecture was that every router of this model carries such a universal password. If so, the consequences would be unimaginable.
After graduation, Xiao Zhang joined a network company. Observing the company's network configuration, Xiao Zhang found that because ordinary machines sit behind a firewall, packet filtering is usually configured on the router, and most routers provide packet filtering. What Xiao Zhang wanted to find was the "universal password" the mentor had mentioned, and by coincidence the router used in the company was the same model the mentor had decompiled. Still, gaining control over the connected router takes effort. Xiao Zhang chose to go after the router's management interface: obtain the router's login password, then review the device configuration, as long as normal network operation was not affected. Through observation, Xiao Zhang found that the computer holding a backup database and the switch were in the same CIDR block, so in principle it should be reachable; a small remote test confirmed this. It seemed the backup database server could be used to "peek" at the password.
After finding a pretext, Xiao Zhang got into the backup database server without much difficulty, opened the FTP port, and installed a proxy server. Next came something else: Xiao Zhang went back to his own machine and tested the Proxy+ software, downloaded from http://www.skycn.net and installed locally by clicking "Next" all the way through. The interface after startup is shown in Figure 1.

Figure 1
Following the software's English prompts, open port 4400 on the local address and look at the simple proxy settings, shown in Figure 2.
Figure 2

After the test was complete, Xiao Zhang transferred the proxy software to the backup server. After installing it, he opened "Internet Options" under the "Tools" menu of the client's IE browser, opened "LAN Settings" under the "Connections" tab and selected "Use a proxy server". The address entered is the IP address of the backup database server where Proxy+ is installed, and the port number is 4480 (Figure 3).
Figure 3
In this way, the router's "universal password" can be viewed without anyone noticing. What Xiao Zhang wanted to do next was to install a software router on the backup database server, then add a rule to the routing table so that all traffic from the company's network management computer is forwarded to the software router on the backup database server and from there on to the main router. After that, Xiao Zhang installed packet filtering software on the backup database server's router, so that all outgoing packets from the network administrator's machine were recorded. As for encryption strength, the network administrator considered telnet a convenient login method and felt it was secure. In fact, telnet transmits data unencrypted. Xiao Zhang did wonder what would happen if DES encryption had been used; much of this work might then have been in vain.
The reasoning behind the routing attack
Traditional packet filtering is commonly found on routers, while dedicated firewall systems generally add extensions such as stateful inspection. Packet filtering is a security mechanism: it checks the address, protocol, port and other fields of each individual packet to decide whether the packet is allowed through. Although there are many applications on a network, the final unit of transmission is always the packet, mainly because the network must provide shared service to many systems. For example, when a file is transferred it is divided into small packets, each transmitted separately. Besides the payload, each packet carries a source address and a destination address. Packets travel from the source network to the destination network through the routers of the interconnected network. A router receiving a packet knows where the packet is going and looks up its routing table; if there is a route to the destination, the packet is sent to the next router or directly into the destination CIDR block, otherwise the packet is discarded. The structure is shown in Figure 4.
Figure 4
Once a filter is placed between the LAN and the Internet, all communication between the LAN and the Internet must pass through it. Accordingly, Xiao Zhang started the packet filtering software at the time the network administrator was rebooting the router. Indeed, IP packets flowed continuously during the administrator's routine check on Monday. While watching, Xiao Zhang downloaded the log file as quickly as possible, restored the settings on the egress router, deleted everything installed on the backup database server, and disconnected. The intercepted packets were then analyzed on his own machine: based on his earlier tests and analysis of telnet packets, the location of the password was quickly found in the jumble of packet data.
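The point of this passage is that telnet sends the router login in the clear, so anyone who can place a filter or tap on the path sees the password. From the defender's side, the same visibility can be turned around: flow or firewall logs can be audited for cleartext management protocols reaching router management addresses, and for management sessions from hosts that are not supposed to administer routers. The following added example (not code from the article) does that over a few constructed flow records; the router addresses, the admin network and the log format are all assumptions made for the example.

```python
"""Audit constructed flow records for risky router management sessions.

Added example, not from the article. Flags (1) cleartext management
protocols (telnet/http) to router management addresses and (2) management
sessions from hosts outside the administrator network. Addresses, the log
line format and the sample records are all constructed for the example.
"""
import ipaddress

# Constructed flow records: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_FLOWS = """
2024-03-04T09:01:11 10.0.5.10:51234 -> 10.0.0.1:22 tcp
2024-03-04T09:02:40 10.0.5.10:51240 -> 10.0.0.1:23 tcp
2024-03-04T09:05:02 10.0.7.44:40021 -> 10.0.0.2:23 tcp
2024-03-04T09:06:15 10.0.7.44:40022 -> 10.0.0.2:22 tcp
2024-03-04T09:07:00 10.0.5.11:3000 -> 10.0.0.1:161 udp
""".strip().splitlines()

# Assumed router management addresses and the network of permitted admin hosts.
ROUTER_MGMT = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}
ADMIN_NET = ipaddress.ip_network("10.0.5.0/24")
# Management protocols that carry credentials without encryption.
CLEARTEXT_PORTS = {23: "telnet", 80: "http"}


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src_ip),
        "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip),
        "dport": int(dst_port),
        "proto": proto.lower(),
    }


def audit_flows(lines):
    """Return (timestamp, src, dst, dport, reasons) for every flow worth a look.

    Only flows whose destination is a router management address are examined;
    a flow is reported when it uses a cleartext management protocol and/or
    comes from a host outside the administrator network.
    """
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["dst"] not in ROUTER_MGMT:
            continue
        reasons = []
        if f["proto"] == "tcp" and f["dport"] in CLEARTEXT_PORTS:
            reasons.append(f"cleartext {CLEARTEXT_PORTS[f['dport']]} to router")
        if f["src"] not in ADMIN_NET:
            reasons.append("source outside admin network")
        if reasons:
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

On the constructed records, the SSH session from the admin network passes silently, the telnet session from the admin network is reported for cleartext only, and the two sessions from 10.0.7.44 are reported as coming from outside the admin network (one of them also for telnet). The SNMP flow is not examined because only the TCP management ports are in the cleartext table.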
Router defense
Later, Xiao Zhang was promoted to network administrator and made the following changes to router security. Routers and other network devices were configured properly, which avoids most attacks on routing protocols and on remote configuration ports. Dedicated authentication products were used to strengthen login security for routers and other devices: two-factor authentication products that rely on one-time password technology and require the corresponding authentication hardware to take part in the login, which effectively removes the risk of password leaks. At the same time, a user's access can be removed by revoking or cancelling the token. He also planned feasible measures against DDoS attacks, including:
First, install firewalls capable of resisting flooding attacks at the main entrances and key nodes, so that during an attack the effect is contained in a relatively small area, the whole network is not affected, and the attack source can be determined to some extent. The disadvantages of this method are also obvious. First, the cost is very high, since many high-performance firewalls must be deployed. Second, bandwidth is the ISP's main competitive resource; any technology that reduces bandwidth is unfavorable, and a firewall on a backbone node will directly reduce the ISP's effective bandwidth. Of course, to prevent the tricks he had used from being repeated by others, Xiao Zhang also set up rules against forged TCP/IP addresses, so that attackers cannot spoof messages that appear to come from the LAN. Filters can effectively block attackers who impersonate internal machines.
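The packet filter described in the section on the attack's reasoning, and the anti-spoofing rules described here, are the same mechanism: an ordered list of rules matched against each packet's arrival interface, addresses, protocol and port, with first match winning and a default deny. The following added example (not code from the article) models that filter in a few lines of Python. It includes the anti-spoofing rule, a packet arriving from the outside with a LAN source address is dropped, and a rule that refuses cleartext telnet across the filter. The LAN prefix, the web server address and the sample packets are constructed for the example.

```python
"""A small first-match packet filter with an anti-spoofing rule.

Added example, not from the article. The LAN prefix, the web server
address, the rule set and the sample packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")          # assumed internal network
WEB_SERVER = ipaddress.ip_network("192.168.10.5/32")   # assumed public web server


@dataclass
class Packet:
    iface: str               # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    iface: Optional[str] = None                   # None matches any interface
    src: Optional[ipaddress.IPv4Network] = None   # None matches any source
    dst: Optional[ipaddress.IPv4Network] = None   # None matches any destination
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


RULES: List[Rule] = [
    # Anti-spoofing: traffic from the Internet must never claim a LAN source address.
    Rule("no-spoofed-lan-src", "deny", iface="outside", src=LAN),
    # Cleartext telnet is not allowed through the filter in either direction.
    Rule("no-telnet", "deny", proto="tcp", dport=23),
    # Only HTTP to the designated web server is accepted from outside.
    Rule("inbound-web", "permit", iface="outside", dst=WEB_SERVER, proto="tcp", dport=80),
    # LAN hosts may go out; anything on the inside interface with a foreign
    # source falls through to the default deny (egress anti-spoofing).
    Rule("lan-egress", "permit", iface="inside", src=LAN),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, or a default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default"


# Constructed sample packets covering the interesting cases.
SAMPLE_PACKETS = [
    Packet("outside", "192.168.10.7", "192.168.10.5", "tcp", 80),   # spoofed LAN source
    Packet("outside", "203.0.113.9", "192.168.10.5", "tcp", 80),    # legitimate web request
    Packet("outside", "203.0.113.9", "192.168.10.1", "tcp", 23),    # telnet to the router
    Packet("inside", "192.168.10.20", "198.51.100.4", "tcp", 443),  # normal LAN egress
    Packet("inside", "10.9.9.9", "198.51.100.4", "udp", 53),        # wrong source on the inside
]


def run_samples() -> List[Tuple[str, str]]:
    """Evaluate each sample packet and return the verdicts in order."""
    return [evaluate(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{pkt.iface:7} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport}: {verdict}")
```

The ordering matters: the anti-spoofing deny sits before the permit for the web server, so a spoofed packet to the web server is dropped even though it would otherwise match the permit, which is exactly the property the text describes for filters placed at the network boundary.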
Second, install network detection devices on the backbone nodes. When such an attack is discovered, packets to the target can be temporarily blocked at each routing node to protect network bandwidth and the attacked server. This method is more reasonable than the previous one because it adds no filtering devices on the backbone line and does not affect network bandwidth. The cost is that the detection system needs enough computing power to cope with the huge traffic on the backbone, and strong processing capability and rules for handling an attack must be in place in advance.
From the above analysis, router security cannot be ignored. Seen from the whole network, a security risk is not a problem of one particular device; overall security coordination matters most. Only by knowing ourselves and knowing the enemy can we win every battle.
Attack and Defense notes
Use smart ABC to close the program

Smart ABC is a very popular Pinyin input method, installed by default on all Windows systems, which makes the trick described here easy to try. In the Smart ABC input method, type V, press the up arrow key, then Delete and Space, and the program you are typing into crashes together with the input method. For example, if you do this in WPS, WPS and the input method both crash and exit. This usually seems useless, but in places such as Internet cafes it can be used against the cafe's billing or management program; it works against all Internet cafe billing programs. At present this vulnerability can only be avoided by removing the Smart ABC input method and using another Chinese input method such as Ziguang instead.
Preventing Office files from carrying malicious programs
Using Office files to carry malicious programs is a method that has recently become popular. It is well hidden and generally does not attract the user's attention. The attacker appends the malicious program to the end of the Office file and writes a piece of VBA macro code; as soon as the user opens the Office file, the macro automatically reads the executable from the end of the file, saves it, and runs it.
In fact, for this method of planting a malicious program to succeed, one further condition must be met: the "Level" value under HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Stationery must be 1 or 2. When the "Level" value is 3, it indicates high security, and Word refuses to execute any macro. Setting the "Level" value to 3 is therefore enough to prevent this attack.