On 16 Sep 2015, at 21:00, Michael Douglas wrote:
> It's unlikely the routers that got exploited were the initial entry point of the attack.
I understand all that, thanks.
> At this point when they start messing around with routers, you're going to see activity coming from the intended internal management range using legit credentials.
It would still be quite difficult, and readily detected if accomplished, had BCPs such as AAA, per-command auth, per-command logging, and monitoring of same been implemented. Plus, iACLs would prevent C&C comms, and monitoring of all traffic to/from router interfaces would potentially pick that up, as well.
-----------------------------------
Roland Dobbins <rdobb...@arbor.net>
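The reply above leans on per-command accounting plus monitoring of it as the detection control: once every command a router executes is logged with its source address, an operator can check each record against the intended management range and review configuration-changing commands even when they arrive with legitimate credentials. The script below is an added illustration of that review step and is not code from the thread or from any vendor; the accounting line format, the management prefix 10.250.0.0/24, the router names and the log records are all constructed for the example, and the set of commands treated as sensitive is an assumption a real deployment would tune.

```python
"""Review router per-command accounting records against an expected
management range and a list of state-changing commands.

Added example, not from the NANOG thread. The record format below is a
constructed, simplified line ("<ts> <router> user=<u> src=<ip> cmd=<text>"),
not any vendor's exact AAA accounting or syslog format.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the intended internal management prefix (placeholder value).
MANAGEMENT_RANGE = ipaddress.ip_network("10.250.0.0/24")

# Commands a defender reviews regardless of source because they alter
# configuration, boot state or the file system (assumed list, tune locally).
SENSITIVE_COMMANDS = frozenset(
    {"configure", "copy", "boot", "write", "reload", "upgrade", "delete"}
)

# Constructed accounting record layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<router>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) cmd=(?P<cmd>.*)$"
)

# Constructed sample records: one benign, one sensitive command from inside
# the range, two commands from an address outside the range, one junk line.
SAMPLE_LOG = """\
2015-09-16T20:58:01Z core-rtr1 user=netops src=10.250.0.17 cmd=show ip interface brief
2015-09-16T20:58:45Z core-rtr1 user=netops src=10.250.0.17 cmd=copy tftp: flash:
2015-09-16T21:02:10Z edge-rtr2 user=netops src=203.0.113.44 cmd=show running-config
2015-09-16T21:03:33Z edge-rtr2 user=netops src=203.0.113.44 cmd=configure terminal
this line is not a valid accounting record
"""


@dataclass
class Finding:
    ts: str
    router: str
    user: str
    src: str
    cmd: str
    reasons: Tuple[str, ...]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one accounting record, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, mgmt_range=MANAGEMENT_RANGE) -> List[Finding]:
    """Flag records whose source lies outside the management range and/or
    whose command is in the sensitive set. Malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            reasons.append("unparseable-source")
        else:
            if src not in mgmt_range:
                reasons.append("source-outside-mgmt-range")
        tokens = rec["cmd"].split()
        first = tokens[0].lower() if tokens else ""
        if first in SENSITIVE_COMMANDS:
            reasons.append("sensitive-command")
        if reasons:
            findings.append(Finding(rec["ts"], rec["router"], rec["user"],
                                    rec["src"], rec["cmd"], tuple(reasons)))
    return findings


def run_sample() -> List[Finding]:
    """Analyze the constructed sample records."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} {f.router} user={f.user} src={f.src} "
              f"cmd={f.cmd!r} -> {', '.join(f.reasons)}")
```

On the sample data the benign `show` from inside the range produces nothing, the `copy` from inside the range is surfaced only because of the command, and both records from 203.0.113.44 are surfaced for their source, with `configure terminal` carrying both reasons. This is the separation the reply describes: iACLs and the management range decide where commands may come from, while per-command accounting and review catch what is done with legitimate credentials.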