TARUNA SINGH
1208213035
AGENDA
- Introduction
- Overview of Routers
- Router Attack Topology
- Common Router Attacks
- Performing Forensics
- Incident Investigation
- Accessing the Router
- Documentation
- What are the “BAD GUYS” doing
- What are the “GOOD GUYS” doing
- Why do we need to protect Router Resources
- Why do we need Router Forensics
INTRODUCTION
Router forensics is the application of proven scientific methods and techniques to recover data from routers after an intruder attack and to apply forensic procedure to that data (law enforcement involvement, documentation of the incident).
WHAT IS A ROUTER?
A computer that specializes in sending packets over a data network. Routers are responsible for interconnecting networks by selecting the best path for a packet to travel to its destination.
HOW DOES A ROUTER WORK?
Routers forward data packets from one router to another, using routing protocols and the routing table to choose the optimum path. The routing table may contain various fields.
COMMUNICATION WITH ROUTERS
- Through local cable
- Through modem
- Through terminal emulation software
ROUTER COMPONENTS
- ROM
- POST
- IOS
- RAM
- Flash memory
- NVRAM
PORTS ON A ROUTER
- LAN ports
- WAN ports
- Administrative ports
  - Console ports
  - Auxiliary ports
MODES OF A ROUTER
- Setup Mode
- User Mode
- Privileged Mode
- Global Configuration Mode
- Interface Mode
ROUTER ATTACK TOPOLOGY
- Reconnaissance
- Scanning and enumeration
- Gaining access
- Escalation of privilege
- Maintaining access
- Covering tracks and placing backdoors
COMMON ROUTER ATTACKS
- Denial of Service attacks
- Packet mistreating attacks
- Routing table poisoning
- Hit and run attacks
- Persistent attacks
PERFORMING FORENSICS
- Collection
- Examination
- Analysis
- Reporting
GATHER VOLATILE ROUTER DATA
- Connect to the console port; this needs a console cable and a laptop with terminal emulation software.
- Record the system time and determine who is logged on.
- Save the router configuration.
- Review the routing table to detect malicious static routes added or modified by the attacker.
- View the ARP cache for evidence of IP or MAC spoofing.
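As an added example (not part of the original slides), the last two checks applied to a recorded console session: it extracts the static routes from captured `show ip route` output, compares them against the static routes the administrator had documented before the incident, and flags any MAC address that answers for more than one IP in captured `show arp` output. The IOS-style output and the baseline are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed excerpts of a recorded console session (IOS-style output written for
# this example; not captured from any real device).
SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, O - OSPF, * - candidate default
Gateway of last resort is 192.0.2.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 192.0.2.1
C     192.0.2.0/24 is directly connected, FastEthernet0/0
C     10.10.0.0/24 is directly connected, FastEthernet0/1
S     172.16.5.0/24 [1/0] via 10.10.0.99
R     172.16.8.0/24 [120/1] via 192.0.2.7, 00:00:12, FastEthernet0/0
"""
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.0.1               -   0000.0c11.aa01  ARPA   FastEthernet0/1
Internet  10.10.0.20              4   0000.0c11.bb02  ARPA   FastEthernet0/1
Internet  10.10.0.99              0   0000.0c11.bb02  ARPA   FastEthernet0/1
"""
# Static routes documented before the incident (constructed baseline).
EXPECTED_STATIC = {("0.0.0.0/0", "192.0.2.1")}

# "S" or "S*" route lines: prefix, [admin distance/metric], next hop.
ROUTE_RE = re.compile(r"^S\*?\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+)")
# ARP rows: address, age, dotted-hex hardware address.
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def static_routes(show_ip_route):
    """Return (prefix, next_hop) for every static route in 'show ip route' output."""
    found = []
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def unexpected_static_routes(show_ip_route, expected):
    """Static routes absent from the documented baseline: candidates for attacker-added routes."""
    return [r for r in static_routes(show_ip_route) if r not in expected]

def arp_mac_conflicts(show_arp):
    """MAC addresses that answer for more than one IP: a classic sign of ARP/IP spoofing."""
    by_mac = defaultdict(list)
    for line in show_arp.splitlines():
        m = ARP_RE.match(line)
        if m:
            by_mac[m.group(3).lower()].append(m.group(1))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
```

Run the two check functions over the text recorded from your own console session; a route or MAC they return is a lead to examine, not proof of compromise on its own.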
INCIDENT INVESTIGATION
- Direct compromise: via physical access, listening services, password guessing by TFTP, and console access.
- Routing table manipulation: by modifying routing protocols (RIP, IGRP); review the routing table with “show ip route”.
- Theft of information: via access control and network topology.
- DoS: resource and bandwidth consumption reduces functionality and network bandwidth.
FOR RECOVERY:
- Eliminate listening services
- Upgrade the software
- Restrict access
- Require authentication
- Change all passwords
- Avoid password reuse
- Remove static routing entries
ACCESSING THE ROUTER
DO
- Access the router through the console
- Record your entire console session
- Run show commands
- Record the actual time and the router’s time
- Record the volatile information
DON’T
- REBOOT THE ROUTER
- Access the router through the network
- Run configuration commands
- Rely only on persistent information
DOCUMENTATION
- Chain of custody: to prove the integrity of the evidence
- Case reports: employee remediation, employee termination, civil proceedings, criminal prosecution, case summary, bookmarks
- Incident response: the effort of an organisation to define and document the nature and scope of a computer security incident
WHAT THE “BAD GUYS” ARE DOING
- Internet Router Protocol Attack Suite (IRPAS): a suite of tools designed to abuse inherent design weaknesses in routers and routing protocols. Tools: ass, igrp, hsrp
- VIPPR: can be used to establish a MITM position from compromised routers
- UltimaRatio: working exploit tool for use against 1000, 1600/1700 and 2600 series routers
- Research
WHAT THE “GOOD GUYS” ARE DOING
- Router Audit Tool (RAT): written in Perl, highly customizable; a passive tool that analyzes a Cisco router and scores its overall security; supports Unix and Windows systems
- Books and white papers on securing routers
- Employ strong authentication: encrypted management traffic, two-phase authentication, a centralised authentication source
WHY WE NEED TO PROTECT ROUTER RESOURCES
- Often the “heart” of the network
- Gaining a lot more attention from attackers
- Few procedures on hardening routers
- Routers are much slower to get upgraded to fix security bugs
- Few people monitor their configurations regularly
- Few security measures in place
- There are millions of them
NEED FOR ROUTER FORENSICS
- Operational troubleshooting
- Log monitoring
- Data recovery
- Data acquisition
- Due diligence / regulatory compliance
Router forensics
