Mechanisms to mitigate the risks caused by intrusion into border routers, based on the results of a virtual honeypot.
This research implemented mechanisms to mitigate the risks caused by intrusion into border routers, based on the results of a virtual honeypot. The main vulnerabilities and threats commonly found in WAN environments were analysed; the device that generates the greatest risk is the border (edge) router, and specifically its SNMP service. To build the proposed solution, the following were analysed: the information-systems risk analysis and management methodology PAe - MAGERIT v.3, the IEEE paper "Honeypot Router for routing protocols protection" and the book "Honeypots: Tracking Hackers"; recommendations from security standards and norms for WAN environments were also considered. The solution, called HONEYPOT-ROUTER-SNMP, focuses on attacks such as DDoS, port scanning and brute-force attacks, which account for a large share of the impact of the security risk in all three versions of SNMP. It consists of two components: 1) solution infrastructure (in two stages: a) study and detection of vulnerabilities and attacks, and b) application of protection and security measures), and 2) prevention mechanisms (which complete the steps for threat detection and prevention). With the proposed solution, the vulnerabilities and risks affecting the proper operation of the border router were reduced by 95%, which notably increased its availability and reliability. It is recommended to deploy an event-correlation management solution downstream of the IPS, where alerts will be issued; these alerts should be reviewed by the security body designated by the organisation.
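As an added example (not code from the thesis above or from HONEYPOT-ROUTER-SNMP itself), the "study and detection" stage can be illustrated with a small Python script that flags two of the three attack classes the abstract names, SNMP community-string brute force and port scanning, from honeypot traffic records. The log format, every sample line, the thresholds and the time window are constructed assumptions for this illustration; DDoS is left out because it is a volume indicator rather than a per-source pattern.

```python
"""Flag SNMP community brute force and port scans in honeypot traffic records.

Added illustration only: the log format, sample lines, thresholds and window
are assumptions, not output or parameters of HONEYPOT-ROUTER-SNMP.
"""
import re
from collections import defaultdict

# Constructed sample log, one event per line:
#   <epoch seconds> <src_ip> <proto>/<dst_port> [community=<string>]
# The community field is present only for decoded SNMP requests.
SAMPLE_LOG = """\
1000 203.0.113.5 udp/161 community=public
1002 203.0.113.5 udp/161 community=private
1003 203.0.113.5 udp/161 community=cisco
1005 203.0.113.5 udp/161 community=admin
1006 203.0.113.5 udp/161 community=router
1007 203.0.113.5 udp/161 community=snmp
1010 198.51.100.9 tcp/22
1010 198.51.100.9 tcp/23
1011 198.51.100.9 tcp/80
1011 198.51.100.9 tcp/161
1012 198.51.100.9 tcp/443
1012 198.51.100.9 tcp/8291
1013 198.51.100.9 tcp/8728
1013 198.51.100.9 tcp/8080
1014 198.51.100.9 tcp/21
1014 198.51.100.9 tcp/25
1015 198.51.100.9 tcp/53
1100 192.0.2.44 udp/161 community=public
1700 192.0.2.44 udp/161 community=public
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<proto>tcp|udp)/(?P<dport>\d+)"
    r"(?: community=(?P<community>\S+))?$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = int(event["ts"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def _max_distinct_in_window(items, window):
    """Largest number of distinct values in any `window`-second span of
    `items`, a list of (ts, value) sorted by ts (sliding window, each event
    added and evicted once)."""
    counts, start, best = {}, 0, 0
    for ts, value in items:
        counts[value] = counts.get(value, 0) + 1
        while ts - items[start][0] > window:
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def _flag_sources(events, key, threshold, window):
    """Map src_ip -> max distinct key values within `window`, for sources at or above threshold."""
    per_src = defaultdict(list)
    for event in events:
        value = key(event)
        if value is not None:
            per_src[event["src"]].append((event["ts"], value))
    flagged = {}
    for src, items in per_src.items():
        items.sort()
        distinct = _max_distinct_in_window(items, window)
        if distinct >= threshold:
            flagged[src] = distinct
    return flagged


def detect_snmp_bruteforce(events, threshold=5, window=60):
    """Sources trying >= threshold distinct community strings against UDP/161
    within `window` seconds. A legitimate poller reuses one community string
    (even a weak one such as "public"), so many distinct strings from one
    source is the brute-force signature."""
    return _flag_sources(
        events,
        lambda e: e["community"] if e["proto"] == "udp" and e["dport"] == 161 else None,
        threshold,
        window,
    )


def detect_port_scan(events, threshold=10, window=60):
    """Sources touching >= threshold distinct (proto, port) pairs within `window` seconds."""
    return _flag_sources(events, lambda e: (e["proto"], e["dport"]), threshold, window)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("SNMP brute force:", detect_snmp_bruteforce(evts))  # {'203.0.113.5': 6}
    print("Port scans:", detect_port_scan(evts))  # {'198.51.100.9': 11}
```

Both detectors count distinct values per source over a sliding time window rather than raw request counts, so a busy but legitimate SNMP poller (one community string, one port) is not flagged while a dictionary attack or a sweep is; the thresholds are starting points to tune against the honeypot's own baseline.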
Characterising attacks targeting low-cost routers: a MikroTik case study (Extended)
Attacks targeting network infrastructure devices pose a threat to the
security of the internet. An attack targeting such devices can affect an entire
autonomous system. In recent years, malware such as VPNFilter, Navidade, and
SonarDNS has been used to compromise low-cost routers and commit all sorts of
cybercrimes from DDoS attacks to ransomware deployments. Routers of the type
concerned are used both to provide last-mile access for home users and to
manage interdomain routing (BGP). MikroTik is a particular brand of low-cost
router. In our previous research, we found more than 4 million MikroTik routers
available on the internet. We have shown that these devices are also popular in
Internet Exchange infrastructures. Despite their popularity, these devices are
known to have numerous vulnerabilities. In this paper, we extend our previous
analysis by presenting a long-term investigation of MikroTik-targeted attacks.
By using a highly interactive honeypot that we developed, we collected more
than 44 million packets over 120 days, from sensors deployed in Australia,
Brazil, China, India, the Netherlands, and the United States. The incoming
traffic was classified on the basis of Common Vulnerabilities and Exposures to
detect attacks targeting MikroTik devices. That enabled us to identify a wide
range of activities on the system, such as cryptocurrency mining, DNS server
redirection, and more than 3,000 successfully established tunnels used for
eavesdropping. Although this research focuses on MikroTik devices, both the
methodology and the publicly available scripts can be easily applied to any
other type of network device.