[svlug] Intrusion detected: What's the best response {addenda}

Scott DuBois linux at roguehorse.com
Mon Jun 9 07:19:27 PDT 2014


On 06/09/2014 03:51 AM, Sanatan Rai wrote:
> On 9 June 2014 11:07, Ivan Sergio Borgonovo <mail at webthatworks.it> wrote:
>> On Mon, 9 Jun 2014 11:56:29 +0200
>> Ivan Sergio Borgonovo <mail at webthatworks.it> wrote:
>>
>>> Still if you're sure you were running the latest firmware for that
>>> router even knowing you can safely reflash it won't protect you from
>>> being cracked again.
>>
>> oh well some router exploits are a mix of router vulnerability and
>> phishing/xss. So... maybe if you knew how they get in you'd be more
>> careful.
>> But well, it is not that relaxing knowing that following a link in an
>> email may be enough to break into your router.
>>
>> So changing the router seems the best option.
> 
> That's exactly my view: I cannot be sure that reflashing is
> sufficient. It seems that buying a new one is the best option, even
> though I amn't keen on shelling out the £££ this is going to entail.
> 
> Here in the UK BT is in the process of converting things to FTTC, so
> one has to buy things that work with both ADSL2+ and FTTC, which just
> means extra cost. Additionally, in places (such as the building in
> which I dwell), the lines are so bad that with ADSL2+, many (otherwise
> good) consumer grade routers drop the connexion many times a week and
> have to be manually rebooted/resync'd. Business grade routers (such as
> this Draytek) do a better job. They sync to a smaller rate but then
> the connexion remains stable. One was also hoping that `biz grade'
> meant that the firmware etc was more resistant (less on the radar
> anyway) for such attacks. But one lives and learns...
> 
> --Sanatan
> 
> 
Hi Sanatan,

You could try setting up an el-cheapo DMZ as bait. If they manage to get
through the new router they'll easily target the decoy which of course
would allow you to view the logs, etc. and get a better idea of what's
going on.

-- 
Scott DuBois
President EBLUG
BSIT Software Engineering
Freenode: Roguehorse
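The decoy host Scott suggests only earns its keep if it records who knocks and on which ports, in a form you can summarise later. The following is an added example, not code from the thread or from any project mentioned in it: a low-interaction TCP listener that accepts a connection, captures the opening bytes, logs one JSON line per hit, and a summariser that aggregates those lines per source address. The ports (2323, 8080), the log file name, the bind address and the sample log lines are all assumptions made for the example.

```python
"""Low-interaction decoy listener plus a log summariser (added example)."""
import datetime
import json
import socket
import threading
from collections import defaultdict


def make_record(src_ip, src_port, local_port, first_bytes, when=None):
    """Build one JSON log line for a connection to the decoy.

    The payload is stored as hex so binary probes cannot corrupt the log file.
    """
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return json.dumps({
        "ts": when.isoformat(),
        "src": src_ip,
        "src_port": src_port,
        "dst_port": local_port,
        "bytes": first_bytes.hex(),
    })


def summarize(lines):
    """Aggregate decoy log lines per source IP: hit count and probed ports."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line at shutdown must not kill the report
        entry = per_src[rec["src"]]
        entry["hits"] += 1
        entry["ports"].add(rec["dst_port"])
    return {src: {"hits": v["hits"], "ports": sorted(v["ports"])}
            for src, v in per_src.items()}


def _handle(conn, addr, local_port, log_path, lock):
    """Read the first bytes the peer sends, never reply, then log and close."""
    conn.settimeout(3)
    try:
        data = conn.recv(512)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    line = make_record(addr[0], addr[1], local_port, data)
    with lock, open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")


def run_decoy(ports, log_path, bind="0.0.0.0"):
    """Listen on the given TCP ports (assumed values) and log every connection."""
    lock = threading.Lock()
    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)

        def accept_loop(s=srv, p=port):
            while True:
                conn, addr = s.accept()
                threading.Thread(target=_handle,
                                 args=(conn, addr, p, log_path, lock),
                                 daemon=True).start()

        threading.Thread(target=accept_loop, daemon=True).start()


# Constructed sample log (not real traffic): three hits from one address on two
# ports, one hit from another, and a corrupt line the summariser must skip.
_T0 = datetime.datetime(2014, 6, 9, 7, 19, 27, tzinfo=datetime.timezone.utc)
SAMPLE_LOG = [
    make_record("203.0.113.7", 51000, 2323, b"\xff\xfb\x01", _T0),
    make_record("203.0.113.7", 51001, 2323, b"root\r\n", _T0),
    make_record("203.0.113.7", 51002, 8080, b"GET / HTTP/1.1\r\n", _T0),
    make_record("198.51.100.2", 40000, 2323, b"", _T0),
    "garbage that is not json",
]


if __name__ == "__main__":
    # Example run: bind the decoy ports and block forever; summarise later with
    #   summarize(open("decoy.log"))
    run_decoy([2323, 8080], "decoy.log")
    threading.Event().wait()
```

The listener deliberately sends nothing back: a host that accepts and goes silent still yields source addresses, target ports and first-packet contents, which is what the logs of a bait box are for, without offering any service to be abused. Run `summarize()` over the log file to see which addresses returned and what they probed.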
