Re: Cisco Vulnerability

From: Sam Munzani (sam@munzani.com)
Date: Thu Jul 17 2003 - 12:20:46 GMT-3


If you read the workarounds, it has a recommendation to put an access-list on
transit traffic. They might be recommending it on your Ingress router from
internet. If any transit traffic would kill the device, internet would be
dead by now :-)

Sam
----- Original Message -----
From: <Brennan_Murphy@NAI.com>
To: <sam@munzani.com>; <id353@singnet.com.sg>; <ccielab@groupstudy.com>
Sent: Thursday, July 17, 2003 10:07 AM
Subject: RE: Cisco Vulnerability

Obviously Cisco knows what the rare sequence is but
to advertise it widely right now would be very unfortunate.

If the rare sequence were to be leaked and widely available
....AND...companies started noticing that hackers are using
it against them, Cisco would post specific information about
how to block the "rare packet sequence." For now, they are
simply recommending ACLs that block traffic destined for,
as opposed to transiting through, the router itself.

That's my reading. Anyone care to comment?

-----Original Message-----
From: Sam Munzani [mailto:sam@munzani.com]
Sent: Thursday, July 17, 2003 10:28 AM
To: Ron; ccielab@groupstudy.com
Subject: Re: Cisco Vulnerability

Below is the line from the Summary section of the CCO page.
Cisco routers and switches running Cisco IOS software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a
Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
sent directly to the device may cause the input interface to stop
processing traffic once the input queue is full.

Does this interpret as "Any traffic destined to the targeted device IP
will cause it to fail?" OR "Any such Transit traffic will also kill the
device?".

Does anybody know what that rare sequence is? I would like to lab it up
to understand the impact on our network.

Sam

> Guys,
>
> Got this a while back from CERT. Check it out.
>
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> Ron
>
> From "Mustafa Bayramov (ICT/IT)" <mustafa@azercell.com> on 16 Jul 2003:
>
> > All details here
> >
> >
> > http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml
> >
> >
> > Mustafa M Bayramov
> >
> > CISSP
> > CCNP,CCDP,Cisco Security Specialist
> > Network engineer and security analyst
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of asadovnikov
> > Sent: Wednesday, July 16, 2003 8:19 PM
> > To: 'Larry Letterman'; ccielab@groupstudy.com
> > Subject: RE: Cisco Vulnerability
> >
> > Larry,
> >
> > Could you kindly send us CCO link.
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> > Of Larry Letterman
> > Sent: Wednesday, July 16, 2003 8:04 PM
> > To: 'Kim Ed'; ccielab@groupstudy.com
> > Subject: RE: Cisco Vulnerability
> >
> >
> > There is a memory leak on certain IOS versions, that causes the
> > routers to reload.. The info can be found on Cco....
> >
> >
> > Larry Letterman
> > Cisco Systems
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Kim Ed
> > Sent: Wednesday, July 16, 2003 3:22 PM
> > To: ccielab@groupstudy.com
> > Subject: Cisco Vulnerability
> >
> >
> > Group,
> >
> > I heard many major ISPs are having emergency maintenances (code
> > upgrade?).
> >
> > I also hear that it is not related to this bug below but can't be
> > sure.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml
> >
> > The rumored vulnerability is IOS, not CatOS and supposedly causes a
> > reload, not a telnet DoS.
> >
> > Anyone know about this?
> >
> >
> >
> > Edward
> >
> >
> > ____________________________________________________________________
> > ___
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
> === message truncated ===



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:43 GMT-3