John Dodrill's BLOG

Disabling The Wireless Link on Cisco 860/880 Access Point

John Dodrill — Wed, 22 Feb 2012 21:54:00 GMT

router# service-module wlan-ap 0 session
Trying XXX.XXX.XXX.XXX 2002...Open
<another carraige return>
username: <username>
Password: <password>
ap# config terminal
ap (config)# interface bvi1
ap (config-if)# shutdown
ap (config-if)# end
ap# logout

Some techs, like myself, are using the Cisco 860 880 Wireless access point as a proving grounds for Cisco IOS, owing to it's sub $1,000 price tag.

I personally tend to forget that there is are separate rules for the BVI 1 and Gigabitethernet 0 interfaces than there are for the WAN interface Fastethernet 4. As a result, a hacker was apparently able to access the router, possibly using Kismet, wireless PCAP, Aircrack or such similar software. (These are popular amongst the newly and tragically certified.)

The erroneous assumption that I made was that the hacker was coming in through the Internet, had used loose source routing to tunnel through two other consumer routers (that's how ineffective they are), and was attempting access to some of the inner most firewalls.

That was a fairly egregious assumption, but it was based on a statement made by Cisco that "the wireless device radios are disabled by default".

Nonetheless, the access point (ap) was accessed, the running configuration replaced with the default configuration, and that appears to be the source of the below attack, instead of the attack originating over the Internet. if that's true, this hacker is a no-talent, all-software kind of hacker who was already behind the firewall, owing to an oversight on my part.

One hacker says that it is possible to log into the access point, via the Internet, using a service account. That sounds reasonable, since service accounts are included in Cisco Access Control Lists (ACL) but Cisco says "No": essentialy that can't happen. Well, really, what did I expect them to say? I overheard that same hacker saying that "For the most part, all [he does] is VPN into [whatever] device". Sadly, he's right. The firewall barely made note of it, when I tried to access my own network from the WAN side.

Anyway, I couldn't find anything on the Internet about shutting down the wireless interface, possibly because it was so obvious. It's just when no one mentioned anything about it on the Internet, it seemed to me that perhaps it either wasn't possible or wasn't necessary, in light of Cisco's statement and in light of CP Light which simply indicates that the AP doesn't have an IP and isn't configured.

As bad as it would be to come to the realization that the "bad guys" are within 1000m of my wireless device, I'm still hoping that this resolves the problem (see firewall reports below). This (and a related problem) actually took about eight hours out of my day. That's eight hours that I didn't really have to spare.

On a positive note, I have a friend-of-a-friend in the FCC who tracks these people down by profession. He's really quite adept. If I can track this hacker down, I want to be compensated for my lost time and the effect this has had on my career.

Inner firewall (three firewalls deep) reports:

000051: Feb 22 03:43:01.679 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52735) -> 81.18.240.138(80), 1 packet
000052: Feb 22 03:43:32.347 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52735), 1 packet
000053: Feb 22 03:43:40.607 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52756) -> 81.18.240.138(80), 1 packet
000054: Feb 22 03:43:57.255 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52763) -> 81.18.240.138(80), 1 packet
000055: Feb 22 03:44:11.259 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52756), 1 packet
000056: Feb 22 03:44:18.303 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52769) -> 81.18.240.138(80), 1 packet
000057: Feb 22 03:44:27.755 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52763), 1 packet
000058: Feb 22 03:44:48.747 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52769), 1 packet
000059: Feb 22 03:46:03.143 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52797) -> 81.18.240.138(80), 1 packet
000060: Feb 22 03:46:33.195 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52797), 1 packet
000061: Feb 22 03:48:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52735) -> 81.18.240.138(80), 3 packets
000062: Feb 22 03:49:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52756) -> 81.18.240.138(80), 3 packets
000063: Feb 22 03:49:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52763) -> 81.18.240.138(80), 3 packets
000064: Feb 22 03:49:12.439 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52904) -> 81.18.240.138(80), 1 packet
000065: Feb 22 03:49:42.771 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52904), 1 packet
000066: Feb 22 03:50:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52769) -> 81.18.240.138(80), 3 packets
000067: Feb 22 03:51:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52797) -> 81.18.240.138(80), 3 packets
000068: Feb 22 03:53:29.411 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52918) -> 81.18.240.138(80), 1 packet
000069: Feb 22 03:53:59.907 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52918), 1 packet
000070: Feb 22 03:55:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52904) -> 81.18.240.138(80), 3 packets
000071: Feb 22 03:56:18.599 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52942) -> 81.18.240.138(80), 1 packet
000072: Feb 22 03:56:38.683 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52962) -> 81.18.240.138(80), 1 packet
000073: Feb 22 03:56:49.419 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52942), 1 packet
000074: Feb 22 03:57:09.395 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52962), 1 packet
000075: Feb 22 03:57:20.655 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(52981), 1 packet
000076: Feb 22 03:58:59.463 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53006) -> 81.18.240.138(80), 1 packet
000077: Feb 22 03:59:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52918) -> 81.18.240.138(80), 3 packets
000078: Feb 22 03:59:30.195 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53006), 1 packet
000079: Feb 22 04:00:43.579 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53031) -> 81.18.240.138(80), 1 packet
000080: Feb 22 04:01:14.163 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53031), 1 packet
000081: Feb 22 04:02:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52981) -> 81.18.240.138(80), 4 packets
000082: Feb 22 04:02:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52942) -> 81.18.240.138(80), 3 packets
000083: Feb 22 04:02:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(52962) -> 81.18.240.138(80), 3 packets
000084: Feb 22 04:02:16.007 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53055) -> 81.18.240.138(80), 1 packet
000085: Feb 22 04:02:42.931 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53076) -> 81.18.240.138(80), 1 packet
000086: Feb 22 04:02:46.835 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53055), 1 packet
000087: Feb 22 04:03:13.459 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53076), 1 packet
000088: Feb 22 04:03:26.875 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53091) -> 81.18.240.138(80), 1 packet
000089: Feb 22 04:03:57.491 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53091), 1 packet
000090: Feb 22 04:04:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53006) -> 81.18.240.138(80), 3 packets
000091: Feb 22 04:04:36.695 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53108) -> 81.18.240.138(80), 1 packet
000092: Feb 22 04:04:59.599 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53120) -> 81.18.240.138(80), 1 packet
000093: Feb 22 04:05:07.131 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53108), 1 packet
000094: Feb 22 04:05:24.267 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53126) -> 81.18.240.138(80), 1 packet
000095: Feb 22 04:05:30.195 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53120), 1 packet
000096: Feb 22 04:05:40.343 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53130) -> 81.18.240.138(80), 1 packet
000097: Feb 22 04:05:45.291 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53132) -> 81.18.240.138(80), 1 packet
000098: Feb 22 04:05:54.771 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53126), 1 packet
000099: Feb 22 04:06:09.391 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53031) -> 81.18.240.138(80), 3 packets
000100: Feb 22 04:06:11.155 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53130), 1 packet
000101: Feb 22 04:06:15.763 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53132), 1 packet
000102: Feb 22 04:06:24.111 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53136) -> 81.18.240.138(80), 1 packet
000103: Feb 22 04:06:39.995 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53142) -> 81.18.240.138(80), 1 packet
000104: Feb 22 04:06:54.031 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53146) -> 81.18.240.138(80), 1 packet
000105: Feb 22 04:07:05.091 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53157) -> 81.18.240.138(80), 1 packet
000106: Feb 22 04:07:09.391 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 6 packets
000107: Feb 22 04:07:10.547 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53142), 1 packet
000108: Feb 22 04:07:15.067 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53166) -> 81.18.240.138(80), 1 packet
000109: Feb 22 04:07:16.727 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53169) -> 81.18.240.138(80), 1 packet
000110: Feb 22 04:07:24.883 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53146), 1 packet
000111: Feb 22 04:07:30.239 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53173) -> 81.18.240.138(80), 1 packet
000112: Feb 22 04:07:35.635 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53157), 1 packet
000113: Feb 22 04:07:45.875 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53166), 1 packet
000114: Feb 22 04:07:47.411 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53169), 1 packet
000115: Feb 22 04:07:59.519 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53182) -> 81.18.240.138(80), 1 packet
000116: Feb 22 04:08:00.723 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53173), 1 packet
000117: Feb 22 04:08:09.391 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 15 packets
000118: Feb 22 04:08:20.555 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53187) -> 81.18.240.138(80), 1 packet
000119: Feb 22 04:08:29.907 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53182), 1 packet
000120: Feb 22 04:08:35.247 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53189) -> 81.18.240.138(80), 1 packet
000121: Feb 22 04:08:51.411 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53187), 1 packet
000122: Feb 22 04:09:00.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53199) -> 81.18.240.138(80), 1 packet
000123: Feb 22 04:09:05.747 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53189), 1 packet
000124: Feb 22 04:09:09.391 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 10 packets
000125: Feb 22 04:09:31.363 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53199), 1 packet
000126: Feb 22 04:10:08.847 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp YYY.YYY.YYY.YYY(53213) -> 81.18.240.138(80), 1 packet
000127: Feb 22 04:10:09.391 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets
000128: Feb 22 04:10:39.483 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 81.18.240.138(80) -> YYY.YYY.YYY.YYY(53213), 1 packet
000129: Feb 22 04:11:09.391 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet

Inner-inner Firewall reports:

4:13:13 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53213   RST   Blocked by the Attack Detecton component
4:12:01 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53199   RST   Blocked by the Attack Detecton component
4:11:47 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53189   RST   Blocked by the Attack Detecton component
4:11:32 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53187   RST   Blocked by the Attack Detecton component
4:11:03 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53182   RST   Blocked by the Attack Detecton component
4:10:35 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53173   RST   Blocked by the Attack Detecton component
4:10:20 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53169   RST   Blocked by the Attack Detecton component
4:10:20 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53166   RST   Blocked by the Attack Detecton component
4:10:06 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53146   RST   Blocked by the Attack Detecton component
4:10:06 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53157   RST   Blocked by the Attack Detecton component
4:09:51 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53142   RST   Blocked by the Attack Detecton component
4:09:37 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53136   RST   Blocked by the Attack Detecton component
4:08:54 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53130   RST   Blocked by the Attack Detecton component
4:08:54 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53132   RST   Blocked by the Attack Detecton component
4:08:25 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53126   RST   Blocked by the Attack Detecton component
4:08:11 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53120   RST   Blocked by the Attack Detecton component
4:07:42 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53108   RST   Blocked by the Attack Detecton component
4:06:30 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53091   RST   Blocked by the Attack Detecton component
4:05:47 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53076   RST   Blocked by the Attack Detecton component
4:05:18 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53055   RST   Blocked by the Attack Detecton component
4:03:51 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53031   RST   Blocked by the Attack Detecton component
4:02:10 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   53006   RST   Blocked by the Attack Detecton component
4:00:01 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52981   RST   Blocked by the Attack Detecton component
3:59:46 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52962   RST   Blocked by the Attack Detecton component
3:59:32 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52942   RST   Blocked by the Attack Detecton component
3:56:39 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52918   RST   Blocked by the Attack Detecton component
3:52:20 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52904   RST   Blocked by the Attack Detecton component
3:49:13 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52797   RST   Blocked by the Attack Detecton component
3:47:32 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52769   RST   Blocked by the Attack Detecton component
3:47:03 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52763   RST   Blocked by the Attack Detecton component
3:46:49 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52756   RST   Blocked by the Attack Detecton component
3:46:06 AM   Block   IN   TCP   81.18.240.138   80   ZZZ.ZZZ.ZZZ.ZZZ   52735   RST   Blocked by the Attack Detecton component

Intruder 202.176.209.3, of SingTel, Singapore, Uses DNS To Map LAN

John Dodrill — Tue, 21 Feb 2012 18:20:30 GMT

Bear in mind, when reading this, that there is absolutely no other traffic on this LN. The LAN is effectively in honey pot mode.

202.176.209.3 seems to be using DNS to map the network. I've seen this before where the attacker floods the outer router with unsolicited DNS replies, uses an ARP attack (Man-in-the-Middle) to block access to the ISP's DNS name servers or otherwise crashes the DNS relay. When an inner Router realizes it has no ability to make DNS requests via DNS relay, it is referred by the next router on the outbound side to it's DNS providers...and the hacker outside watching notes the new requesters IP.

Then, it seems, after tunneling past two other routers, the intruder attempts to obtain a local IP address on a 4th router, via DHCP, and fails. Undaunted, the hacker reattempts the attack 4 hours later, and then again in less than two hours. (The IP is again attacking, attempting to interject packets but just unable to get the sequence right. Too bad 202.176.209.3. As a hacker, you suck!)

Word!

Tue, 2012-02-21 03:35:40 - [DNS lookup failed, force renew!]
Tue, 2012-02-21 03:35:50 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: YYY.YYY.YYY.YYY - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]
Tue, 2012-02-21 03:35:53 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: YYY.YYY.YYY.YYY - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]

000096: Feb 21 03:35:54.387 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 1 packet

Tue, 2012-02-21 03:35:54 - [Send out NTP Request to 216.245.57.38]
Tue, 2012-02-21 03:36:09 - [NTP Reply Invalid]
Tue, 2012-02-21 03:37:14 - [Send out NTP Request to 209.249.181.21]
Tue, 2012-02-21 03:37:15 - [Receive NTP Reply from 209.249.181.21]

000097: Feb 21 03:40:54.387 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 2 packets

Tue, 2012-02-21 07:30:54 - [DNS lookup failed, force renew!]
Tue, 2012-02-21 07:31:04 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: XXX.XXX.XXX.XXX45 - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]
Tue, 2012-02-21 07:31:07 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: XXX.XXX.XXX.XXX45 - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]
Tue, 2012-02-21 07:31:08 - [Send out NTP Request to 216.245.57.38]
Tue, 2012-02-21 07:31:23 - [NTP Reply Invalid]

000098: Feb 21 07:31:54.386 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 3 packets

Tue, 2012-02-21 07:32:28 - [Send out NTP Request to 209.249.181.21]
Tue, 2012-02-21 07:32:29 - [Receive NTP Reply from 209.249.181.21]

000099: Feb 21 09:12:54.386 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 3 packets

Sender Policy Framework: Protect Your Domain Reputation From SPAM

John Dodrill — Sat, 18 Feb 2012 12:07:19 GMT

One of the more correct responses to hackers (computer people) devaluating your assigned IP's, your domain names and your email addresses, by sending SPAM in your name, is called Sender Policy Framework (RFC 4408). http://OpenSPF.org is the most commonly cited authority on the subject, however when their Web site is under attack or otherwise unavailable, there is also http://OpenSPF.net, which seems to be a mirror site.

Sender Policy Framework (SPF) is simply a TXT and / or SPF record that you put in your domain and Web server's Domain Name System (DNS). If you have a hosting company handle that for you, they'll likely do it on request, hopefully without charge.

There have been "Wizard's" on the Web, that have come and gone, to help you with the syntax and implementation of SPF. My favorite de jour is (oddly) from Microsoft. The wizard will help you with the syntax of the TXT and / or SPF record for your DNS (intended to support RFC 2822 and / or RFC 2821). Whether you implement SPF yourself or you have your hosting company implement if for you, you can and should test the code, on a domain-by-domain basis from another wizard on the Web, to insure it is at least implemented correctly.

It seems odd that I would choose Microsoft to support SPF, in light of their competing Sender ID. I think it's because the DNS record syntax's are much the same. In example, the SPF code I might chose and that provided by Microsoft's robot seem to differ in approach, more than syntax:

cPanel approach: "

v=spf1 a mx ip4:XXX.XXX.XXX.XXX ip4:YYY.YYY.YYY.YYY -all

"

Microsoft's approach: "v=spf1 ip4:YYY.YYY.YYY.YYY -all"

cPanel's version (above) says mail can only be sent from the domain's mail server or from the domain server itself, assuming the IP's are not the same. Microsoft's version (above -- depending on the data you put into the wizard) says email may only be sent from the domain server.

The record is inserted into your DNS, as one example:

exampledomain.com IN TXT "v=spf1 ip4:YYY.YYY.YYY.YYY -all"
exampledomain.com IN SPF "v=spf1 ip4:YYY.YYY.YYY.YYY -all"

The SPF and TXT records have the same content. According the the SPF Testing Tools site, "SPF records should also be published in DNS as type SPF records". That said, cPanel and Web Host Manager don't support "SPF" type DNS records natively, so those users will have to be content with having SPF implemented in a TXT record.

Email was the 3rd attack on my Web presence. SPF, together with a secure certificate on the mail server, seems to have handled the SPAM forging problem in large part. There are other choices that can be made on your mail server which restrict Simple Mail Transport Protocol (SMTP) mailings to those senders that can authenticate their domain and/or IP address, including Domain Keys (DKIM). Thereby, Simple Authentication and Security Layer (SASL) become's an unnecessary option (unless a secure certificate is not an option, as in the case of shared hosting).

The 1st type of attack on my Web presence began while attending a local computer certification school, having been exposed to more job competitiveness, I found my Web site under constant attack. No big deal, as the hackers found out: I can bring the Web site up faster than they can take it down, so they turned to attacking my Internet connection. That had been an off-and-on thing that was a major impediment to my getting more certifications, as some of the mandatory training is on the Web.

I resolved the majority of the 2nd type of Web attacks by writing a script in Cisco IOS for a Cisco 860/880 firewall (OK, security device for you Cisco sticklers). The consumer routers weren't even seeing the hackers as they blew past those appliances. (Those other routers had been marketed as firewalls and were by no means inexpensive.) The script continues to mature as I understand more about the nature of the problem. That router (along with a Windows script) has afforded me the possibility of getting back on the Web without some hacker taking my computers or network apart. (I muse as who whom actually employs these hacker people, who are obviously computer people, and sees fit to allow them behind their company's firewall....)

My solution for Denial of Service Attacks may be to simply take the Road Runner modem back to Time Warner....

One of the most recent attacks seems to be a Denial of Service Attack. According to Carnegie Mellon University's Computer Emergency Response Team (CERT -- now part of the Department of Homeland Security): "Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS attack". It's a stand-off. I can't get data out or in past my Road Runner modem, and those out in Road-Runner-land can't get data in past my Cisco firewall. My solution for Denial of Service Attacks may be to simply take the Road Runner modem back to Time Warner and have them seek other customers who are willing to pay by the month for Internet access that only works intermittently.

Typical connection:

"Denial of service" attack:

(Thanks to news.cnet.com/2100-1017-236728.html for the images.)

You don't want your only Internet service provider to be Road Runner, as I recently found out. Apparently someone used a Man-in-the-Middle ARP attack to access some of my email accounts, change the password, and delete offers from potential employers. (I have to wonder how many they deleted before an employer finally called to see if I had received their email.)

I have found ARP protection software for Linux / Unix (Slackware, in my case), to protect against Man-in-the-Middle attacks, but haven't tested any for Windows, so far. More about ARP and DDOS attacks later.