Monday, September 21, 2009

Attacking a Time Warner Call Center

Last year, I mentioned that I would tell a true story of an attempt from someone in the Netherlands to break into a router at the call center I work at. As you already know, I took a year's hiatus from this blog due to personal matters. Well, I figured I would tell the story as I wrote it to 2600 Magazine. They never published it, so don't look for it in any of the issues. **NOTE** All names and IP addresses have been changed to protect the innocent and guilty.

Attacking a Time Warner Call Center

I work for Time Warner Cable as a Tier 3 Technical Support Rep in a northeastern division of the company. The following is a report of the events that took place on a Friday evening while I was at work. It's about someone from Germany who tried desperately to get into a residential modem and router that are in the Time Warner call center I work at.

When I walked into work at 5:00 PM, I was thinking it was going to be a normal Friday night in the call center. I would take some calls, help some customers, and when 9:00 PM rolled around, I would go home. I didn't think that I would be fending off a German intruder trying to gain access to our router.

As Tier 3 tech support representatives, we are allowed to bring in personal laptops and connect them to various wireless networks throughout the call center. We use these for testing purposes and for added troubleshooting when we are talking to a customer on the phone. Therefore, we depend on these internet connections that are specially set up for the Tier 3's to use. Usually there are no problems connecting to them, but tonight was different. Tonight we were gonna be fighting to use them.

It started practically when I walked in the door. I had just sat down in my cubicle and logged into my work computer when I booted up my laptop. I got my work desktop all situated with the billing and service call system, Outlook, Firefox, and AIM. I looked over at my laptop and saw the Gnome log-on screen, so I logged into my laptop and opened up a terminal once it had fully booted. I pressed Fn+F2 to turn on my wireless card, configured my wlan0 card to the ESSID "Isle A near DNOC", and ordered DHCP to give me an address. I opened up Firefox and I was unable to get a webpage.

I checked my IP address using iwconfig and I still had an IP, but I could not ping out. Thinking maybe the router got unplugged, I did a quick iwlist scan on my wlan card and there was no "Isle A near DNOC"; only "NETGEAR". Someone had done a full factory reset on the router. I stood up and talked to Garry, who was sitting in the cubicle next to mine, and asked him if he was having problems getting online with his laptop. He told me he was, and then Jared walked over and said that someone was hitting the router with Denial-of-Service (DOS) attacks. We were actually getting DOS attacked from two separate IPs: 77.177.201.255 and 71.167.8.76.

Using tracert in Windows, Jared was able to determine the domain names where these IPs were originating from. 71.167.8.76 was pool-71-167-8-76.nycmny.fios.verizon.net (out of NYC) and 77.177.201.255 was blfd-4db1c9ff.pool.einsundeins.de (somewhere in Germany). I asked him to give me the IPs and let me run nmap on them to see what ports were open on their end, so we could see how to send our own DOS attacks and get them to go away. The FIOS connection was easy, because we sent DOS attacks to him, and he just disappeared. Either he didn't know what he was doing, or he didn't care to pursue whatever was behind our router. It didn't matter though, because either way, only one adversary was left to fight off.

This fight was not going to be quite so easy. While I was nmapping the attacker from Germany, Garry came to me and asked what the name of my computer was. I told him that it was Unr3a1r00t and he told me to stop DOS attacking the network. I asked him what he meant and he said that the log files on the router showed that DOS attacks were coming from my IP. Puzzled, I assured him that I wasn't and took a look at the log files. Sure enough, the private IP address that was linked to my computer was sending DOS attacks. This could mean only one thing: the attacker from Germany was using the nmap connection that was made between us and either spoofed my IP, or was sending DOS attacks through the connection to make it look like they were coming from me. In addition, he started to use proxy servers to make it look like some attacks were coming from different IP addresses in different countries throughout the world.

I immediately stopped the nmap process and went over to Jared to tell him what had happened. He carefully watched the log file and saw, as it grew, that the attacker was not just making it look like attacks were coming from my laptop, but his as well. We were all very frustrated and perplexed as to how and why someone would be doing this. We knew at this point that we were dealing with somebody that greatly surpassed our abilities.

I came up with the idea to try and change the public IP address of the router, thinking that the attacker would potentially go away if he couldn't connect anymore using the original IP. So we switched which modem the Netgear router was getting its internet from. Now it would get a totally different IP address, and because the two modems were getting their connections from completely different regional switches, he would have to actually look at a different spot on the internet for the router. Unfortunately for us, literally within a few minutes of making the swap, he had found the router again. We knew this meant that he had to have found the router using its MAC address.


He then proceeded to hit the router with everything he had. DOS attacks were coming from completely different proxies every other second. We had to constantly reconnect our laptops to the router and the internet was unbearably slow. He was able to get into the router and assign his computer a local IP address within our network. I quickly told Jared to change the router's management log-on password and gave him a 27 character password that had a combination of uppercase and lowercase letters, numbers, and symbols. It was at this point he was brute forcing the modem's management log-on, trying to get a remote connection. These attacks were coming in, at one point, as frequently as four times a second, from completely different proxy IP addresses that never once repeated.

Jared was constantly refreshing the log file, and within five minutes the attacker had already attempted to remote into the router's management system a few hundred times. We concluded the obvious fact that he had to be using some kind of bot that was able to change proxy connections every quarter of a second. Since the password that I came up with was very secure, for the time being he wasn't going to get in any time soon. Therefore, Jared took this time to look at all the configuration settings on the router.

It was now 9 PM and we still really had no fully usable internet connection. Jared asked me if anyone had turned on UPnP. We never found out who turned it on, but we believe that it was this connection type that the attacker was using to try and get into our network. We came to this conclusion because, as soon as Jared turned it off, the DOS attacks stopped and there were no more attempts to log into the router's management system.

Now whether or not turning off UPnP was really the reason the attacks stopped, or because the attacker figured it was no longer worth the fight, could probably still be debated. The point was to try and get these attacks to stop, so we could actually use the wireless connection to troubleshoot for customers calling in. Jared sent me the log text files for me to try and find information on what exactly went down.

I concluded that the attacker was only initially trying to get into our router so he could use the connection for his personal use. When I nmapped him, it piqued his interest in trying to get in, because to him this meant that whoever was behind that router at least knew halfway what they were doing. He knew he wasn't dealing with complete newbs because we blocked him from getting in, and he was ready to face the challenge.

Once it was all done, I was able to go home. I told Jared I would look a little into the issue over the weekend and he said he was gonna do the same. The internet connection was fully restored and all was back to normal. The next day, we still saw some random DOS attacks on the router so we eventually just swapped it out for a different and better wireless setup. Since making the swap to a different modem/router, the problems have gone away completely.

We have since upped the security of the router and are taking measures to ensure that the log files are constantly monitored to avoid any more intrusion attempts. I do have to say that it was very interesting to see how someone who was essentially breaking into a network wouldn't care that he had been found out. Instead he actually chose to fight the people behind the router for access to a network he shouldn't have been accessing.
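As an added example (not part of the original post or the call center's own tooling), here is a small Python burst detector in the spirit of the log monitoring described above. It counts failed router-admin logins per time window regardless of source address, because the proxy rotation in this story means a per-IP lockout would never trigger. The log format and the source addresses are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (format invented for this example, not a real router's).
# Source addresses are documentation ranges, not the IPs from the story.
SAMPLE_LOG = """\
2009-09-18 20:41:00 admin login failed src=203.0.113.10
2009-09-18 20:41:00 admin login failed src=203.0.113.11
2009-09-18 20:41:00 admin login failed src=198.51.100.7
2009-09-18 20:41:01 admin login failed src=198.51.100.8
2009-09-18 20:41:01 admin login failed src=192.0.2.77
2009-09-18 20:41:01 admin login ok src=192.168.1.5
2009-09-18 20:41:02 admin login failed src=203.0.113.12
2009-09-18 20:55:30 admin login failed src=192.168.1.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, outcome, source IP)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    rest = line[20:]
    outcome = "failed" if " failed " in rest else "ok"
    src = rest.rsplit("src=", 1)[1].strip()
    return ts, outcome, src


def find_bursts(log_text, window_seconds=2, threshold=5):
    """Report spans of window_seconds holding >= threshold failed admin logins.

    The window is keyed on the event, not the source address, so an attacker
    who never reuses a proxy IP is still counted. Each hit is a tuple of
    (window start, attempts in window, distinct source IPs in window).
    """
    window = timedelta(seconds=window_seconds)
    recent = deque()          # (timestamp, src) of failures inside the window
    bursts = []
    for line in log_text.splitlines():
        ts, outcome, src = parse_line(line)
        if outcome != "failed":
            continue
        recent.append((ts, src))
        while ts - recent[0][0] > window:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= threshold:
            start = recent[0][0].strftime("%Y-%m-%d %H:%M:%S")
            bursts.append((start, len(recent), len({s for _, s in recent})))
            recent.clear()    # report each burst once, then start counting again
    return bursts
```

On the sample above, the five failures between 20:41:00 and 20:41:01 come from five different addresses and are reported as one burst, while the lone failure at 20:55:30 is not.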

At this point though, it doesn't matter. I had fun playing with the attacker and I am sure it was fun for him to try and get in. We also learned a lot and that of course is always a good thing. Shout outs to Jared, Garry and Justin; you all know who you really are. Finally, a shout out to The Q 357 for just being a good friend and for helping me stay motivated.
