How to detect "rogue" subnet router in my network?


Let’s assume “someone” installs and hides a subnet router of their own (a small RPi) inside my campus (a school, for instance) (cf. the Mr. Robot RPi).

What could I configure at the firewall level to detect traffic generated by this device?

Interesting. Maybe some IDS or IPS like SNORT can do this? Not very sure.

How about blocking traffic (UDP) or dns requests to or instead?
If they cannot establish this connection, they can’t even connect.

Blocking on your campus won’t stop rogue subnet routers because an attacker can easily run their own controller (headscale) on some host you haven’t blocked yet.

On the other hand, it would make life more difficult for legitimate Tailscale users wanting to access their home network from their laptop.

The key to recognizing a subnet router is watching it on the network. Let’s say you have two hosts on your network, host A and host B. If an inbound flow from the internet to host A correlates in size and timing to a flow from host A to host B on your network, you have almost certainly discovered that host A is a VPN gateway, regardless of the underlying protocol. If you have solid packet capture hardware and an IDS, you could watch for this behavior and notify network security staff.

However, if rogue subnet routers are a legitimate concern for you, it may be advantageous to move toward a zero-trust architecture (which eliminates the advantage that a rogue subnet router could give an attacker) rather than investing in the kind of IDS hardware that could perform correlation analysis on every flow in your network.
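To make the flow-correlation heuristic from the reply above concrete, here is an added example that is not part of the thread and not anyone's production detector. It works on constructed NetFlow-style records (start time, source, destination, byte count); the internal range 10.0.0.0/8, the 2-second window and the 0.7 to 1.05 size ratio are assumptions chosen for the sample, and a real deployment would tune them against its own flow exporter.

```python
"""Added example (not from the forum thread): a toy flow-correlation detector.

Heuristic from the reply above: if an inbound flow from the Internet to host A
lines up in time and size with a flow from A to another internal host B, then A
is probably acting as a VPN / subnet gateway, whatever the tunnel protocol.
All flow records below are constructed; the field names, thresholds and the
10.0.0.0/8 "internal" range are assumptions, not values from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed campus address range


@dataclass(frozen=True)
class Flow:
    start: float   # flow start time in seconds (constructed values below)
    src: str
    dst: str
    nbytes: int    # total bytes carried by the flow


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def correlate_flows(flows, window=2.0, min_ratio=0.7, max_ratio=1.05):
    """Return {gateway_host: [(inbound_flow, internal_flow), ...]}.

    An inbound (external -> A) flow is paired with an internal (A -> B) flow
    when B != A, the internal flow starts within `window` seconds after the
    inbound one, and its size is between min_ratio and max_ratio of the inbound
    size (tunnel encapsulation makes the outer flow slightly larger than the
    inner one, so the ratio is normally a little below 1).
    """
    inbound = [f for f in flows if not is_internal(f.src) and is_internal(f.dst)]
    internal = sorted(
        (f for f in flows if is_internal(f.src) and is_internal(f.dst)),
        key=lambda f: f.start,
    )
    matches = defaultdict(list)
    used = set()  # each internal flow may explain at most one inbound flow
    for ext in inbound:
        for cand in internal:
            if cand in used or cand.src != ext.dst or cand.dst == ext.dst:
                continue
            dt = cand.start - ext.start
            if dt < 0 or dt > window:
                continue
            if min_ratio <= cand.nbytes / ext.nbytes <= max_ratio:
                matches[ext.dst].append((ext, cand))
                used.add(cand)
                break
    return dict(matches)


def suspected_gateways(flows, min_matches=3, **kw):
    """Hosts whose inbound flows were mirrored internally at least min_matches times."""
    return sorted(h for h, m in correlate_flows(flows, **kw).items() if len(m) >= min_matches)


# Constructed sample: 10.0.0.5 relays traffic from 203.0.113.9 on to 10.0.0.7,
# while 10.0.0.20 receives ordinary inbound traffic and talks to a peer in a
# way that matches neither in size nor in timing.
SAMPLE_FLOWS = [
    Flow(1000.0, "203.0.113.9", "10.0.0.5", 52000),
    Flow(1000.4, "10.0.0.5", "10.0.0.7", 48800),
    Flow(1010.0, "203.0.113.9", "10.0.0.5", 8100),
    Flow(1010.3, "10.0.0.5", "10.0.0.7", 7500),
    Flow(1025.0, "203.0.113.9", "10.0.0.5", 130000),
    Flow(1025.9, "10.0.0.5", "10.0.0.7", 121000),
    Flow(1030.0, "198.51.100.4", "10.0.0.20", 40000),
    Flow(1030.5, "10.0.0.20", "10.0.0.21", 3000),     # size does not match
    Flow(1040.0, "198.51.100.4", "10.0.0.20", 9000),
    Flow(1047.0, "10.0.0.20", "10.0.0.21", 8900),     # timing does not match
]

if __name__ == "__main__":
    for host, pairs in correlate_flows(SAMPLE_FLOWS).items():
        print(f"{host}: {len(pairs)} correlated inbound/internal flow pairs")
    print("suspected gateways:", suspected_gateways(SAMPLE_FLOWS))
```

On the sample, only 10.0.0.5 accumulates three matched pairs and is reported; 10.0.0.20 is not, because its internal flows fail the size or timing test. The one-to-one `used` bookkeeping keeps a single large internal transfer from being counted against several inbound flows, which is the main source of false positives in this kind of naive matching.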