On a side note, I've been involved with organizing the New England regional Collegiate Cyber-Defense Competition for a while, and one of our "Red Team" members was able to make a pretty convincing IOS rootkit using IOS TCL scripting to mask configuration from the students. I don't think any students were able to detect it until word got out after it was used a few years in a row. IIRC, Cisco threatened to sue if it was ever released, so no, it's not publicly available. It is possible, however.
Don't assume that your routers are any safer than your servers. :-)

On Mon, Dec 30, 2013 at 1:35 PM, shawn wilson <ag4ve...@gmail.com> wrote:
> On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lor...@hathcock.org> wrote:
> > NANOG:
> >
> > Here's the really scary question for me.
> >
> > Would it be possible for NSA-payload traffic that originates on our private networks that is destined for the NSA to go undetected by our IDS systems?
> >
>
> Yup. Absolutely. Without a doubt.
>
> > For example, tcpdump-based IDS systems like Snort have been rooted to ignore or not report packets going back to the NSA? Or netflow on Cisco devices not reporting NSA traffic? Or interface traffic counters discarding NSA packets to report that there is no usage on the interface when in fact there is?
> >
>
> Do you detect 100% of malware in your IDS? Why would anyone need to do anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything else that can run code that people download all the time with a payload of unknown signature. This isn't really a network discussion. This is just to say - I seriously doubt there's anything wrong with your IDS - don't skin a cat with a flame thrower, it just doesn't need to be that hard.
>
> > Here's another question. What traffic do we look for on our networks that would be going to the NSA?
> >
>
> Standard https on port 443 maybe? That's how I'd send it. If you need to send something bigger than normal, maybe compromise the email server and have a few people send off some 5 - 10 meg messages? Depends on your normal user base. If you've got a big, complex user base, it's not hard to stay under the radar. Google 'Mandiant APT1' for some real good reading.

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
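One defender-side check for the counter-tampering scenario Lorell raises, as an added example that is not part of this thread: a compromised device can lie about its own interface counters, but the device at the far end of the same link keeps its own, so the two views can be compared. The `Sample` fields and the poll values below are constructed; the code assumes 64-bit octet counters polled at roughly the same times on both ends.

```python
from dataclasses import dataclass

COUNTER_MAX = 2 ** 64  # 64-bit octet counters (e.g. ifHCInOctets) wrap here

@dataclass(frozen=True)
class Sample:
    """One poll of an interface's byte counters (field names are an assumption)."""
    t: float         # poll time in seconds
    in_octets: int   # bytes received since boot
    out_octets: int  # bytes sent since boot

def counter_delta(old: int, new: int) -> int:
    """Bytes counted between two readings, tolerating a single counter wrap."""
    return (new - old) % COUNTER_MAX

def link_rates(samples):
    """Average (in, out) bytes per second between the first and last sample."""
    first, last = samples[0], samples[-1]
    dt = last.t - first.t
    if dt <= 0:
        raise ValueError("samples must be oldest-first and span a positive interval")
    return (counter_delta(first.in_octets, last.in_octets) / dt,
            counter_delta(first.out_octets, last.out_octets) / dt)

def corroborate(local, peer, tolerance=0.05):
    """Compare a device's own link counters with the far end's view of the same link.
    Every frame one side sends the other receives, so local-out should match peer-in
    and local-in should match peer-out (tolerance absorbs poll-time skew). A device
    that under-reports its own traffic cannot edit the neighbour's counters, so a
    larger gap is worth investigating. Returns (direction, ours, theirs, gap) tuples."""
    local_in, local_out = link_rates(local)
    peer_in, peer_out = link_rates(peer)
    findings = []
    for direction, ours, theirs in (("out", local_out, peer_in), ("in", local_in, peer_out)):
        reference = max(ours, theirs)
        if reference == 0:
            continue  # idle from both viewpoints; nothing to compare
        gap = abs(ours - theirs) / reference
        if gap > tolerance:
            findings.append((direction, ours, theirs, round(gap, 3)))
    return findings

# Constructed 60-second polls: the local router claims 10 kB/s out, but its
# neighbour received 20 kB/s on the same link over the same interval.
LOCAL = [Sample(0, 1_000_000, 5_000_000), Sample(60, 1_600_000, 5_600_000)]
PEER = [Sample(0, 7_000_000, 3_000_000), Sample(60, 8_200_000, 3_600_000)]

if __name__ == "__main__":
    for finding in corroborate(LOCAL, PEER):
        print("counter mismatch:", finding)
```

The same comparison works against a passive tap or SPAN counter on the link, which is the more trustworthy reference when both routers are in doubt.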