
This is the Title of the Book, eMatter Edition
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.
APPENDIX C
Incident Response
Your router has been hacked. Now what? This chapter covers the basics of emergency response when dealing with a router compromise. Ideally, you should have an incident response plan that is tailored to your organization. If you are reading this chapter because you have just been hacked and don’t know what to do, first promise that as soon as this incident is over, you will develop a complete incident response plan. Then keep reading for help on responding to incidents involving router compromises.
The goals of incident response are to:
• Determine if the incident is an attack or an accident
• Discover what happened and the scope of the incident
• Preserve all the evidence
• Recover from the incident
• Take the steps necessary to prevent this incident from happening again
Warning!
If you do not have a detailed incident response plan in place and you have been hacked, it is best to do nothing yourself and to call law enforcement. They are trained to preserve the evidence and investigate the incident and can track down attackers through means you don’t have access to. Therefore, the first recommendation is to do nothing and call law enforcement.
However, many attacks may look like accidental outages (and vice versa). The following information is provided for those who are still trying to determine if an incident is due to a hacker or an accident or for those who must get the compromised router operational as soon as possible. So please read this entire chapter—especially the section on preserving evidence—to collect enough evidence to provide law enforcement with leads if necessary. When you reconfigure or reboot the router, you
destroy the original evidence, so how you make copies of this evidence is extremely important to having any chance of holding up in a court of law.
Keys to Investigating
Your mission while investigating an incident is to:
1. Change nothing.
2. Record everything.
Even if you suspect the incident was accidental, it is best to follow these two rules
until you are sure. Once you start modifying your router, you destroy your ability to
use any information on it in the future.
Change Nothing
Many administrators’ first step when a router goes down is to reboot the system. It is amazing how many times this seems to fix a problem, but if the router malfunctioned because of an attack by a hacker, rebooting the system can cause the loss of valuable evidence, sometimes all evidence of the attack. Additionally, while investigating the incident, until you have determined that it was indeed an accident, do not make any changes to the router. These changes can cause significant problems if the evidence is ever needed in court.
Record Everything
The most unobtrusive way to log into a router is through the console port. Thus, for investigation purposes, use terminal emulation software—like HyperTerminal—to connect to the router’s console port. Before you even log in, configure your terminal emulation software to capture your current session. This will record everything you do and can be helpful in proving that you did not make any changes to the router during your investigation. HyperTerminal can be configured to capture your session through the menu option Transfer → Capture Text. This option will bring up a dialog box that lets you choose the name and location of the capture file. Once you have chosen it, click the Start button to begin recording. You can now log into the router and use read-only commands—show commands—to investigate the incident.
Make sure you record the date and time inside your terminal session
somehow. To do this, right after you connect to the router, run the
show clock command. Run this command about every five minutes or
so to establish a time record, and then run it one more time just before
you log out of the router.
Attack Versus Accident
When many administrators start getting involved in information security, they tend to get very worried and excited about the state of their networks. First, they get worried because they realize how vulnerable their systems are; second, they get excited by the challenge of protecting those systems. The Holy Grail for many system and network administrators who move into InfoSec is catching the bad guy. This provides the ability to impress friends with tales of how your cunning outsmarted the wily hacker. This excitement can make these administrators jump to conclusions and see accidental incidents as attacks. In their excitement, they inform management that the systems have been hacked, and they are quickly tracking down the attacker. This can become embarrassing when it turns out that the janitor accidentally tripped over a power cord.

So, before you run to management claiming that you have been hacked, take the time
to rule out accidental causes. They are more often responsible for router problems
than are intentional compromises, and caution can save you much embarrassment.
Discover What Happened and the Scope of the Incident
People request a nice checklist when they reach the step of determining what happened and how big the problem is. Networks are so complex and types of attacks are changing so fast that such a checklist will never exist. This type of work is what separates those who truly understand routers and networking from those who don’t. To determine what happened, you need to go through your router logs, configurations, access points, and so on. Once you decide that your router was actually compromised by an attacker, you need to determine details such as:
• What parts of your organization are impacted, and how much damage is the
impact causing?
• How did the attacker do it?
• Who is the attacker?
• Is the incident ongoing, or has it stopped?
• What other systems or routers have been accessed from the compromised router?
• What version of IOS are you running, and are there any known vulnerabilities to
this version?
• What IP addresses have recently accessed the router?
• Have the running-config or startup-config been changed?
This list is far from complete, but will hopefully get you thinking in the right direction. More often than not, answering every question on this list necessarily involves
law enforcement. If you are not sure how to start looking for answers to the preceding questions, you are probably over your head and it is time to call in a professional.
Evidence Preservation
If you must get your router functional as quickly as possible, it is vitally important
that you record any volatile information that may be lost upon reconfiguration or
reboot of the router. Before you make any changes to, shut down, or reboot the
router, follow these steps to gather as much of this volatile evidence as possible:
1. Connect to the router’s console port. This is the least-intrusive way to access the router. It doesn’t require network access and will not tip off your attackers if they are sniffing your network.
2. Configure your terminal emulation software to record your session.
3. Log in to the router.
4. Enter enable mode (enable).
5. Show the current date and time (show clock detail).
6. Write down the time from a trusted time source—atomic clock, NTP server, etc.
7. Show the IOS, uptime, and hardware information (show version).
8. Show the current running configuration (show running-config).
9. Show the current startup configuration (show startup-config).
10. Show scheduled reload time (system may auto reboot, if set) (show reload).
11. Show the routing tables (show ip route).
12. Show the ARP tables (show ip arp).
13. Show who is logged in (show users).
14. Show current logs (show logging).
15. Show current interface configuration (show ip interface).
16. Show TCP connections (show tcp brief).
17. Show open sockets (show ip sockets).
18. Show NAT translations (show ip nat translations verbose).
19. Show NetFlows (show ip cache flow).
20. Show CEF forwarding table (show ip cef).
21. Show SNMP v3 users (show snmp user).
22. Show SNMP v3 groups (show snmp group).
23. Show date and time again (show clock detail).
24. Write down the time from a trusted time source again.
25. Disconnect from the router.
26. End your terminal recording session.
27. Print out your recording session.
28. Write the two times you recorded from the trusted time source on the printout.
29. Sign and date the printout.
30. Get a witness to sign and date the printout.
31. Keep both the electronic copy and the hardcopy in a secure location until you can turn them over to law enforcement.
Next, you need to gather information from the router externally:
1. Port scan the router from an external system.
2. Record the time of the port scan from a trusted time source.
3. Print out the port scan and write the time on the printout.
4. If the router is running SNMP, get a copy of the current SNMP tree. This can be done with a command such as snmpwalk (from NetSNMP http://net-snmp.sourceforge.net).
5. Record the time of the SNMP walk from a trusted time source.
6. Print out the SNMP tree info and write the time on the printout.
7. Sign and date both printouts.
8. Get a witness to sign and date both printouts.
9. Keep all copies in a secure location until you can turn them over to law enforcement.
A good source of accurate time is a portable clock that has a built-in
radio receiver and synchronizes itself with US atomic clocks. They can
usually be purchased for less than $50.
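As an added example (not from the book), the following Python checks a saved console capture against the procedure above: it pulls the show clock detail readings out of the capture, compares the first and last with the trusted-time values you wrote down to get the router’s clock offset, and produces a SHA-256 of the capture to record on the signed printout. The capture text and trusted times are constructed; the same seal() applies to the port scan and snmpwalk output gathered externally.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample of a HyperTerminal capture. The "show clock detail" lines follow
# the IOS output format; a leading "*" means the router clock is not authoritative.
SAMPLE_CAPTURE = """\
router>enable
router#show clock detail
*14:52:17.431 UTC Fri Feb 15 2002
Time source is user configuration
router#show version
Cisco Internetwork Operating System Software
router#show clock detail
*14:57:03.118 UTC Fri Feb 15 2002
Time source is user configuration
router#exit
"""

# Times written down from the trusted source (atomic clock, NTP server) at the first
# and last "show clock detail". Constructed: this router runs about four minutes slow.
TRUSTED_TIMES = [
    datetime(2002, 2, 15, 14, 56, 20, tzinfo=timezone.utc),
    datetime(2002, 2, 15, 15, 1, 6, tzinfo=timezone.utc),
]

# Assumes the router is configured for UTC, as in the sample above.
CLOCK_RE = re.compile(r"^[*.]?(\d\d:\d\d:\d\d)\.\d+ UTC \w{3} (\w{3}) (\d{1,2}) (\d{4})$", re.M)


def router_clock_readings(capture: str) -> list[datetime]:
    """Every timestamp printed by 'show clock detail' in the capture, in order."""
    return [datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
            .replace(tzinfo=timezone.utc)
            for hms, mon, day, year in CLOCK_RE.findall(capture)]


def clock_offsets_seconds(capture: str, trusted: list[datetime]) -> tuple[float, float]:
    """Router clock minus trusted time at the start and end of the session (negative:
    router is behind). Apply it when lining up 'show logging' with other systems' logs."""
    readings = router_clock_readings(capture)
    if len(readings) < 2 or len(trusted) < 2:
        raise ValueError("session must start and end with 'show clock detail' plus a trusted time")
    return ((readings[0] - trusted[0]).total_seconds(),
            (readings[-1] - trusted[-1]).total_seconds())


def seal(capture: str) -> str:
    """SHA-256 of the capture text, to write on the signed printout next to the times."""
    return hashlib.sha256(capture.encode()).hexdigest()
```

A steady offset at both ends (as in the sample) means the router clock is merely set wrong; an offset that changes during a short session is itself worth noting on the printout.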
The worst-case scenario is when the router’s enable password has been changed by either an accident or an attacker. In these situations your ability to collect forensic information is severely limited. Password recovery procedures require rebooting the router, which destroys much of the evidence you are interested in. If this happens, attempt to log in with a lower privileged account and run as many of the preceding commands as possible. When you cannot log into the router at all, the information gathered externally becomes much more important because it is all you have. Therefore, be sure to try to use SNMP and port scans to gather as much information about the router as possible.
Recovering from the Incident
Once law enforcement officials have completed their initial analysis of the router,
they may return it to you or keep it for more detailed forensic investigation. Whether