By network, here I mean routers,switches, firewalls, etc. -- , to the exclusion of nodes like servers and PCs which are usually attacked in different ways. Routers, switches and their like are still susceptible to rootkits and other attacks that plant malicious software/firmware, but they're not prone to it to the same degree as Windows,Linux- or OS X-based systems. More common attacks target protocols and result in black holes, fill up your switch's FDB so it can't learn new MAC addresses, or attempt to deny service by using up all your bandwidth.
Another note is that the order in which you perform the tasks below may vary greatly by the nature of your organization. For instance, at one business, your primary concern may be restoring connectivity as fast as possible, while another business may be highly regulated and more tolerant of outages, and thus willing to take the time to do some forensic work.
- 1. Preserve the logs: In almost every case, you'll want to make an attempt to preserve the logs from your devices. If you want them for evidence, you'll need to take a few extra steps that are beyond the scope of this tip.
2. Notify the proper authorities: Depending on the nature of the attack, you'll want to notify some folks. Depending on your organization, this may be a security manager or an IT executive. You may also want to notify authorities such as the police or FBI. You may need to notify your ISP or carrier. And you may need to notify your customers, particularly if their networks were exposed to attack via your network. You do have daytime and after-hours contact information for all these people, right?
3. Check your infrastructure for compromise: If the nature of the attack was not a DoS but, let's say, a server administrator discovered a rootkit on several PCs that were using a peer-to-peer file-sharing program, or your Intrusion Detection System informs you that the attacks are coming from one of your routers, then you want to check your routers and switches to make sure they weren't compromised. The simple way is to verify that the software images' checksums still match those listed by your vendor.
4. Restore your configuration: If you want to make absolutely sure you're OK, reload the software images and restore the devices to their factory default configs and then reload your configs from backups. You do have backups of all your configs, right?
An extra tip: While most administrators keep their device configs in a configuration management tool on the network, a network disruption might prevent you from accessing them just when you need them most. It's a good idea to keep a copy of all the configs on a flash drive or CD in case you have to restore over the console cable, but you definitely have to exercise some common-sense physical security there. You don't want those to fall into the wrong hands, as it could be pretty easy to crack the password hashes found in many config files.
5. Steps to shield from attacks: If the nature of the attack is a DoS, then the way you stop the attack can vary widely. It's also entirely possible that you simply can't stop the attack from occurring, as companies with extreme budgets like Microsoft and the Federal Government get service denial attacks all the time. But you should be prepared to take the usual steps, such as manually implementing shunning on your firewall, or applying some temporary ACLs to your screening routers, or just shutting down the ports of offending internal machines. Alternately, you can configure an Intrusion Prevention System to do these things automatically.
As always, the key theme you should have noticed above is preparation. Like insurance, it's annoying, but occasionally pays off big.
About the Author: Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide, published by Sybex.
This tip originally appeared on SearchNetworking.com. This was first published in May 2006
This was first published in May 2006