
How would you find routers and switches using a port scan?

I asked a question if having devices in DNS is a cause for concern and if you should put the location of the device in the name?

How can someone find your routers and switches using a port scan or similar tools?


rettif9 (Dale)

Commented:
Routers and switches use protocols like RIP and OSPF to communicate over standard ports.
http://www.windowsnetworking.com/articles_tutorials/routing-protocols.html
Garry Glendown, Consulting and Network/Security Specialist

Commented:
Security by obscurity isn't... if your systems are more attackable by having a location in the DNS reverse entry, you have a problem already ... portscans (in different ways, read up on how "nmap" works, e.g.) happen all the time ... usually, DNS will not have much information of value for crackers, unless you store username/pw in it ;)
Ensure that you have decent security in place (firewalls, IDS, access lists, remote logging w/ notification), and put in the DNS what you require to get work done ... if you're afraid a location name might be an additional threat, encode it in some way that is both unique and clear to understand for anybody internal, but of no help for anyone outside ...

Author

Commented:
Is this one of those "it depends" answers?

I will read the link rettif9 gave and check back later.
Garry Glendown, Consulting and Network/Security Specialist

Commented:
I'm not really sure what that has to do with your question ;) Routing protocols are most often NOT used to find (and attack) routers from the outside ... yes, they do communicate using broadcast packets, but that has nothing to do with discovering devices from the outside (broadcast only works within one broadcast domain, i.e. subnet, not via routed packets)

Maybe you could explain what your main concern or problem is ...

Author

Commented:
You bring up some good points.

Maybe this can be viewed from several different angles.

Attack from inside or attack from outside?

My concern is whether binding hostnames to IP addresses in DNS makes attacking network equipment easier. Obviously DNS makes trace routes more readable and you don't have to remember as many IP addresses.

If DNS is not a concern then you might be thinking that there is already enough information available to hacker tools and I was just curious what tools could discover information about your routers and switches.

I don't have time to read a lot about hacker tools right now but I always like to be a student if I can find a teacher.
Don Johnston, Instructor
Top Expert 2015
Commented:
How can someone find your routers and switches using a port scan or similar tools?
Yes and no. :-)
First the inside:
If your routers are running the routing protocols on interfaces that face the users, then yes, they will be able to see the routers. But they won't need a port scan. All they would have to do is capture packets using a protocol analyzer and they'll see the routing updates or hellos.

If your switches are running spanning-tree, they'll be able to see the switch they are connected to the same way (just by looking for BPDUs). They will also be able to know who the root bridge is.

From the outside:
It's really not very likely anyone would be able to determine much about your network from the outside. Assuming a typical configuration with BGP on the outside and an IGP on the inside, there's not much they'll be able to learn about your physical topology without being connected to it.
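A defender's version of the passive check Don describes, added here as an example and not part of the original thread: it classifies captured Ethernet frames as STP configuration BPDUs or OSPF packets and pulls out what each one exposes (switch MAC, root bridge, router ID, area), so you can confirm that user-facing segments are not carrying them. The frames are constructed for the example; checksums and OSPF authentication are not validated.

```python
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
OSPF_IP_PROTO = 89                             # OSPF rides directly on IPv4

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def _bridge_id(b: bytes) -> str:
    # Bridge ID = 2-byte priority followed by the bridge's MAC address
    return f"{struct.unpack('!H', b[:2])[0]}/{_mac(b[2:8])}"

def classify_frame(frame: bytes):
    """Return what a passive listener learns from one Ethernet frame, or None."""
    dst, src = frame[:6], frame[6:12]
    etype_or_len = struct.unpack("!H", frame[12:14])[0]
    # 802.3 length field + LLC DSAP/SSAP 0x42 is the Spanning Tree encapsulation
    if dst == STP_DST_MAC and etype_or_len <= 1500 and frame[14:16] == b"\x42\x42":
        bpdu = frame[17:]                      # skip the LLC control byte
        info = {"kind": "stp", "switch_mac": _mac(src)}
        if len(bpdu) >= 35 and bpdu[3] == 0:   # type 0 = configuration BPDU
            info["root_bridge"] = _bridge_id(bpdu[5:13])
            info["sending_bridge"] = _bridge_id(bpdu[17:25])
        return info
    if etype_or_len == 0x0800:                 # IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) >= ihl + 24 and ip[9] == OSPF_IP_PROTO and ip[ihl] == 2:
            ospf = ip[ihl:]                    # OSPFv2 header: ver, type, len, rid, area
            return {"kind": "ospf", "ospf_type": ospf[1], "router_id": _ip(ospf[4:8]),
                    "area": _ip(ospf[8:12]), "src_ip": _ip(ip[12:16])}
    return None

def audit(frames):
    """Keep only the frames that leak router or switch identity onto the segment."""
    return [r for r in map(classify_frame, frames) if r is not None]

# Constructed sample capture (not a real network): STP config BPDU, OSPF Hello, ARP.
STP_FRAME = bytes.fromhex(
    "0180c2000000 001122334455 0026 424203 0000 00 00 00 8000 00aabbccdd01"
    "00000000 8000 001122334455 8001 0000 1400 0200 0f00")
OSPF_HELLO = bytes.fromhex(
    "01005e000005 00aabbccdd01 0800 4500 0040 0000 0000 01 59 0000 0a000001 e0000005"
    "02 01 002c 0a000001 00000000 0000 0000 0000000000000000"
    "ffffff00 000a 02 01 00000028 0a000001 00000000")
ARP_FRAME = bytes.fromhex("ffffffffffff 001122334455 0806") + bytes(28)
HITS = audit([STP_FRAME, OSPF_HELLO, ARP_FRAME])
```

Feeding it frames from a capture taken on an access port gives a quick list of which switches and routers are announcing themselves there, which is exactly what a passive interface or BPDU filter on user ports is meant to stop.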
Garry Glendown, Consulting and Network/Security Specialist
Commented:
Apart from passive attacks (which mostly only apply to internal systems, and that only in a limited way), active scans will be the most likely thing to watch out for ... and they do not require any protocol interpretation ... depending on your infrastructure, you can still get some details on the devices used, type of devices down to possible OS versions, etc. ... in summary, a lot more than you could expose by adding a site name in the reverse DNS entry ... by having a firewall as far to the network edge as possible, you will avoid most scanning attacks ... by actively blocking recognized attacks/scans, you can also reduce the amount of information somebody might collect by scanning through legitimate-looking accesses ...