
    Mecanismos para mitigar riesgos generados por la intrusión en Routers de frontera basados en resultados de un Honeypot Virtual.

    This research implemented mechanisms to mitigate the risks generated by intrusions into edge (border) routers, based on the results of a virtual honeypot. The main vulnerabilities and threats commonly found in WAN environments were analysed; the device carrying the greatest risk is the edge or border router, specifically its SNMP service. The proposed solution was built on the risk analysis and management methodology for information systems PAe - MAGERIT v.3, the IEEE paper "Honeypot Router for routing protocols protection" and the book "Honeypots: Tracking Hackers", together with recommendations from security standards and norms for WAN environments. The solution, called HONEYPOT-ROUTER-SNMP, targets DDoS, port scanning and brute-force attacks, which account for a large share of the impact of the security risk in all three versions of SNMP. It consists of two components: 1) solution infrastructure, in two stages (a) study and detection of vulnerabilities and attacks, and b) application of protection and security measures), and 2) prevention mechanisms, which complete the steps for detecting and preventing threats. With the proposed solution, the vulnerabilities and risks affecting the correct operation of the edge router were reduced by 95%, noticeably increasing its availability and reliability. It is recommended to deploy an event correlation management solution behind the IPS; the alerts it emits should be reviewed by the security body designated by the organisation.
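The detection step that the abstract names, shown as an added example that is not code from the paper: a minimal BER decoder for SNMP v1/v2c messages (version, community string, PDU type, request-id; SNMPv3 has no community in the clear and is set aside) and a sliding-window detector that flags a source cycling through community strings, the brute-force pattern a honeypot on an edge router would see. The sample packets, source addresses, window length and threshold are constructed for illustration, not values from the research.

```python
"""Minimal SNMP v1/v2c community-string brute-force detector for honeypot traffic.

Added example, not code from the paper. It decodes the outer BER structure of an
SNMP message, treats SNMPv3 separately (no community string in the clear), and
flags any source that cycles through many community strings inside a short
window. Packets, addresses, window and threshold are constructed for illustration.
"""
from collections import defaultdict, deque

# PDU tags (context-specific, constructed) from RFC 1157 and RFC 3416.
PDU_NAMES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "Trap-v2", 0xA8: "Report",
}


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def _int(value):
    return int.from_bytes(value, "big", signed=True)


def parse_snmp(datagram):
    """Return version/community/pdu/request_id for v1 and v2c; for SNMPv3 only
    the version is reported, since the community field does not exist there."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer tag %#x is not SEQUENCE" % tag)
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = _int(ver)                      # 0 = v1, 1 = v2c, 3 = v3
    if version == 3:
        return {"version": 3, "community": None, "pdu": None, "request_id": None}
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if pdu_tag not in PDU_NAMES:
        raise ValueError("unknown PDU tag %#x" % pdu_tag)
    _, rid, _ = _read_tlv(pdu, 0)            # request-id is the PDU's first field
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_NAMES[pdu_tag], "request_id": _int(rid)}


class BruteForceDetector:
    """Per-source sliding window over the distinct community strings seen."""

    def __init__(self, window_s=60.0, threshold=5):
        self.window_s, self.threshold = window_s, threshold
        self.seen = defaultdict(deque)       # src -> deque of (ts, community)

    def observe(self, src, ts, datagram):
        """Feed one datagram from src at time ts; return an alert string or None."""
        try:
            msg = parse_snmp(datagram)
        except ValueError as exc:
            return "%s: malformed SNMP (%s)" % (src, exc)
        if msg["community"] is None:         # v3: auth failures are reported by the agent
            return None
        q = self.seen[src]
        q.append((ts, msg["community"]))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        distinct = sorted({c for _, c in q})
        if len(distinct) >= self.threshold:
            return "%s: community brute force, %d distinct strings in %.0fs, e.g. %s" % (
                src, len(distinct), self.window_s, distinct[:3])
        return None


# --- constructed sample traffic (not captured data) -------------------------
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length suffices here


def _encode_int(n):
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_get_request(version, community, request_id=1):
    """Constructed v1/v2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = _tlv(0x06, bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00]))
    varbinds = _tlv(0x30, _tlv(0x30, oid + _tlv(0x05, b"")))
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0) + _encode_int(0) + varbinds)
    return _tlv(0x30, _encode_int(version) + _tlv(0x04, community.encode()) + pdu)


def run_sample():
    """Replay one legitimate poller and one wordlist attacker; return the alerts."""
    det = BruteForceDetector(window_s=60.0, threshold=5)
    alerts = []
    for i in range(6):                       # 10.0.0.5 polls "public" every 30 s
        alerts.append(det.observe("10.0.0.5", 30.0 * i, build_get_request(1, "public", 100 + i)))
    for i, word in enumerate(["public", "private", "admin", "cisco", "snmp", "manager"]):
        alerts.append(det.observe("198.51.100.7", 200.0 + i, build_get_request(1, word, 7 + i)))
    return [a for a in alerts if a]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The poller that repeats one community string never trips the threshold, while the source that works through a wordlist is reported from its fifth distinct string onward; the alert carries the count and a few of the strings tried, which is the kind of record an event correlation stage behind the IPS would consume. SNMPv3 messages are deliberately skipped here because their failures surface as agent-side authentication errors rather than as a community field the honeypot can read.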

    Characterising attacks targeting low-cost routers: a MikroTik case study (Extended)

    Attacks targeting network infrastructure devices pose a threat to the security of the internet. An attack targeting such devices can affect an entire autonomous system. In recent years, malware such as VPNFilter, Navidade, and SonarDNS has been used to compromise low-cost routers and commit all sorts of cybercrimes, from DDoS attacks to ransomware deployments. Routers of the type concerned are used both to provide last-mile access for home users and to manage interdomain routing (BGP). MikroTik is a particular brand of low-cost router. In our previous research, we found more than 4 million MikroTik routers available on the internet. We have shown that these devices are also popular in Internet Exchange infrastructures. Despite their popularity, these devices are known to have numerous vulnerabilities. In this paper, we extend our previous analysis by presenting a long-term investigation of MikroTik-targeted attacks. Using a highly interactive honeypot that we developed, we collected more than 44 million packets over 120 days from sensors deployed in Australia, Brazil, China, India, the Netherlands, and the United States. The incoming traffic was classified on the basis of Common Vulnerabilities and Exposures to detect attacks targeting MikroTik devices. That enabled us to identify a wide range of activities on the system, such as cryptocurrency mining, DNS server redirection, and more than 3,000 successfully established tunnels used for eavesdropping. Although this research focuses on MikroTik devices, both the methodology and the publicly available scripts can be easily applied to any other type of network device.