Router worms and International Infrastructure

hello all, this is my first blog posting. i am making it to highlight some concerns i have regarding the security of the internet.

i recently raised this subject on nanog, bugtraq and our own fun list – funsec.

a while back i emailed the following text to a closed mailing list. i
figure now that quite a few cats are out of the bag it is time to get
more public attention to these issues, as the bad guys will very soon
start doing just that.

ciscogate by itself alone, and now even just a story about worms for
routers is enough for us to be clear that worms will start coming out.
we do learn from history.

so.. as much as people don’t like to talk much on the issues involving
the so-called “cooler” stuff that can be done with routers, now is the
time to start.

here is one possible and simple vector of attack that i see happening in
the future. it goes down-hill from there.

i wrote this after the release of “the three vulnerabilities”, a few
months back. now we know one wasn’t even just a ddos, and that changes
the picture a bit.

begin quoted text —–>>>

more on router worms – let’s take down the internet with three public
pocs and some open spybot source code.

people, i have given this some more thought.

let’s forget for a second the fact that these vulnerabilities are
dangerous on their own (although it’s a dos), and consider what a worm,
could cause.

if the worm used the vulnerability, it would shoot itself in the leg as
when network is down, it can’t spread.

now, imagine if a vx-er will use an ancient trick and release the worm,
waiting for it to propagate for 2 or 3 days. then, after that seeding
time when the say.. not very successful worm infected only about 30k
machines around the world, each infected host will send out 3 “one
packet killers” as i like to call them to the world.

even if the packet won’t pass one router, that one router, along with
thousands of others, will die.

further, the latest vulnerabilities are not just for cisco, there is a
“one packer killer” for juniper as well.

so, say this isn’t a 0-day. tier-1 and tier-2 isp’s are patched (great
mechanism to pass through as these won’t filter the packet out if it is
headed somewhere else), how many of the rest will be up to date?

let’s give the internet a lot of credit and say.. 60% (yeah right).

that leaves us with 30% of the internet dead, and that’s really a bad
scenario as someone i know would say.

make each infected system send the one packet spoofed (potentially, not
necessarily these vulnerabilities) and it’s hell. make them send it
every day, once! and the net will keep dying every day for a while.

as a friend suggested, maybe even fragment the packet, and have it
re-assembled at the destination, far-away routers (not sure if that will

these are all basic, actually very basic, techniques, and with the
source to exploits and worms freely available….
we keep seeing network equipment vulnerabilities coming out, and it is a
lot “cooler” to bring down an isp with one packet rather than with

i am sure the guys at cisco gave this some thought, but i don’t believe
this is getting enough attention generally, and especially not with
av-ers. it should.

this may seem like i am hyping the situation, which is well-known. still
well-known or not, secret or not, it’s time we prepared better in a
broader scale.


—–>>> end quoted text.

i would really like to hear some thoughts from the community on
threats such as the one described above. let us not get into an argument
about 0-days and consider how many routers are actually patched the
first… day.. week, month? after a vulnerability is released.

also, let us consider the ever decreasing vulnerability-2-exploit time
of development.

i don’t want the above to sound as fud. my point is not to yell “death
of the internet” but rather to get some people moving on what i believe
to be a threat, and considering it on a broader scale is long over-due.

the cat is out of the bag, as as much as i avoided using “potentially”
and “possibly” above to pass my point.. this is just one possible
scenario and i believe we need to start getting prepared to better
defending the internet as an international infrastructure rather than on an the isp level, locally.

gadi evron,

  • Richard Karpinski

    Why not put such discussion on a Wiki?

    I think that cooperating routers can use their spare cycles to filter packets which look evil. Such filtering can be used to operate a real-time-black-list service or just to suppress the ones it finds.

  • sunshine

    A WiKi is an interesting idea, however – on whatever mailing list and forum I tried I never got much response.

    I am now moving to collecting people who are interested in this and contacted me in private and forming a sort of a closed working group to come up with solutions to these and other problems relating to this issue.

  • awol

    why not have the worms propagate and report home until all infectable routers have been hit then launch the attack tie this in with a big botnet of widoz boxes to help propagate it and you have a disaster

  • sunshine

    Exactly. Point is not to show more easy ways of possibly acomplishing the “death of the Internet” but to find solutions to raise the bar of it not being that easy, potentially.

  • Pingback: SecuriTeam Blogs » Payback for Ciscogate - new trend?

  • Pingback: SecuriTeam Blogs » This Patch Tuesday - Worm Worthy (non-critical vulnerabilities especially)