From: wing_lam@jossynergy.com
Date: Fri Jul 18 2003 - 03:27:11 GMT-3
Hi group;
Does anybody know how bad the situation is now?
Thx,
Winglam
From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
Sent by: nobody@groupstudy.com
Date: 07/18/2003 06:37 AM
To: "'James.Jackson@broadwing.com'" <James.Jackson@broadwing.com>, Brennan_Murphy@NAI.com, sam@munzani.com, id353@singnet.com.sg, ccielab@groupstudy.com
cc:
Subject: RE: Cisco Vulnerability
Please respond to "Brown, Patrick (NSOC-OCF}"
Look at the article, Cisco announces the traffic type! Wow!
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
Thanks,
Patrick Brown
-----Original Message-----
From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
Sent: Thursday, July 17, 2003 2:40 PM
To: Brown, Patrick (NSOC-OCF}; Brennan_Murphy@NAI.com; sam@munzani.com;
id353@singnet.com.sg; ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability
There should not be that much traffic destined to the router itself. Looking
at the config and performing some basic traffic analysis should suffice.
This is assuming you're not talking about a transit ACL which is a whole
other story.
-----Original Message-----
From: Brown, Patrick (NSOC-OCF} [mailto:PBrown4@chartercom.com]
Sent: Thursday, July 17, 2003 12:11 PM
To: Jackson, James (DS Engineering); Brennan_Murphy@NAI.com;
sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability
What are some other ACL entries that most providers put on their box to
mitigate this, other than the general ACLs that Cisco recommended? I know
most ISPs upgraded their core routers, but I was wondering if any applied
the ACLs. If so, were there any ACLs that you had to open that were not in
Cisco's general ACL? I am doing a lot of identification via Netflow, but I
was wondering what your thoughts were.
Thanks,
Pb
-----Original Message-----
From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
Sent: Thursday, July 17, 2003 10:42 AM
To: Brennan_Murphy@NAI.com; sam@munzani.com; id353@singnet.com.sg;
ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability
That's correct. I would add that ACLs are often not an option for internet
backbone routers :)
-----Original Message-----
From: Brennan_Murphy@NAI.com [mailto:Brennan_Murphy@NAI.com]
Sent: Thursday, July 17, 2003 10:08 AM
To: sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability
Obviously Cisco knows what the rare sequence is but
to advertise it widely right now would be very unfortunate.
If the rare sequence were to be leaked and widely available
....AND...companies started noticing that hackers are using
it against them, Cisco would post specific information about
how to block the "rare packet sequence." For now, they are
simply recommending ACLs that block traffic destined for
as opposed to transiting through the router itself.
That's my reading. Anyone care to comment?
-----Original Message-----
From: Sam Munzani [mailto:sam@munzani.com]
Sent: Thursday, July 17, 2003 10:28 AM
To: Ron; ccielab@groupstudy.com
Subject: Re: Cisco Vulnerability
Below is the line from Summary section of CCO page.
Cisco routers and switches running Cisco IOS software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a
Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
sent directly to the device may cause the input interface to stop
processing traffic once the input queue is full.
Should this be interpreted as "Any traffic destined to the targeted device IP
will cause it to fail?" OR "Any such transit traffic will also kill the
device?"
Does anybody know what that rare sequence is? I would like to lab it up
to understand the impact on our network.
Sam
> Guys,
>
> Got this a while back from CERT. Check it out.
>
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> Ron
>
> From "Mustafa Bayramov (ICT/IT)" <mustafa@azercell.com> on 16 Jul 2003:
>
> > All details here
> >
> > http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml
> >
> >
> > Mustafa M Bayramov
> >
> > CISSP
> > CCNP,CCDP,Cisco Security Specialist
> > Network engineer and security analyst
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of asadovnikov
> > Sent: Wednesday, July 16, 2003 8:19 PM
> > To: 'Larry Letterman'; ccielab@groupstudy.com
> > Subject: RE: Cisco Vulnerability
> >
> > Larry,
> >
> > Could you kindly send us the CCO link?
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> > Of Larry Letterman
> > Sent: Wednesday, July 16, 2003 8:04 PM
> > To: 'Kim Ed'; ccielab@groupstudy.com
> > Subject: RE: Cisco Vulnerability
> >
> >
> > There is a memory leak on certain IOS versions, that causes the
> > routers to reload.. The info can be found on Cco....
> >
> >
> > Larry Letterman
> > Cisco Systems
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Kim Ed
> > Sent: Wednesday, July 16, 2003 3:22 PM
> > To: ccielab@groupstudy.com
> > Subject: Cisco Vulnerability
> >
> >
> > Group,
> >
> > I heard many major ISPs are having emergency maintenances (code
> > upgrade?).
> >
> > I also hear that it is not related to this bug below but can't be
> > sure.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml
> >
> > The rumored vulnerability is IOS, not CatOS and supposedly causes a
> > reload, not a telnet DoS.
> >
> > Does anyone know about this?
> >
> >
> >
> > Edward
> >
> > DISCLAIMER:
> > The information contained in this e-mail may be confidential and is
> > intended solely for the use of the named addressee. Access, copying
> > or re-use of the e-mail or any information contained therein by any
> > other person is not authorized. If you are not the intended
> > recipient please notify us immediately by returning the e-mail to
> > the originator.(A)
> >
> >
> > ____________________________________________________________________
> > ___
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
> === message truncated ===
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:44 GMT-3
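
The traffic analysis discussed in the thread (using flow data to work out what is legitimately addressed to the router itself, as opposed to transit traffic, before writing an ACL for it), sketched as an added example that is not part of the original messages. The router addresses, flow records and packet threshold are constructed, and the output is a draft for human review, not Cisco's recommended ACL.

```python
import ipaddress
from collections import Counter

# Constructed sample: the router's own interface/loopback addresses.
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.254")}

# Constructed flow records: (src, dst, IP protocol, dst port or 0, packets).
FLOWS = [
    ("198.51.100.10", "192.0.2.1", 6, 179, 1200),   # BGP peer
    ("198.51.100.11", "192.0.2.1", 6, 179, 900),    # BGP peer, same /24
    ("203.0.113.5", "192.0.2.254", 17, 161, 300),   # SNMP poller
    ("203.0.113.5", "192.0.2.254", 6, 22, 40),      # management SSH
    ("198.51.100.10", "192.0.2.1", 89, 0, 5000),    # OSPF neighbour
    ("203.0.113.77", "10.1.1.1", 6, 80, 99999),     # transit, not to the router
    ("10.9.9.9", "192.0.2.1", 6, 23, 3),            # unexpected telnet attempt
]

def split_flows(flows, router_addrs):
    """Separate flows addressed to the router itself from transit flows."""
    to_router, transit = [], []
    for flow in flows:
        dst = ipaddress.ip_address(flow[1])
        (to_router if dst in router_addrs else transit).append(flow)
    return to_router, transit

def summarize(to_router, prefixlen=24):
    """Total packets per (source prefix, router address, protocol, port)."""
    totals = Counter()
    for src, dst, proto, dport, pkts in to_router:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        totals[(net, dst, proto, dport)] += pkts
    return totals

def draft_acl(summary, min_packets=10):
    """Render candidate permit lines; low-volume sources are only flagged."""
    names = {6: "tcp", 17: "udp"}
    lines = []
    for (net, dst, proto, dport), pkts in sorted(summary.items(), key=lambda kv: -kv[1]):
        if pkts < min_packets:
            lines.append(f"! review: {pkts} pkts proto {proto} port {dport} from {net} to {dst}")
            continue
        port = f" eq {dport}" if proto in names else ""
        lines.append(f"permit {names.get(proto, proto)} {net.network_address} "
                     f"{net.hostmask} host {dst}{port}")
    return lines

if __name__ == "__main__":
    to_router, transit = split_flows(FLOWS, ROUTER_ADDRS)
    print(f"{len(to_router)} flows to the router, {len(transit)} transit")
    print("\n".join(draft_acl(summarize(to_router))))
```

Anything left as a `! review` comment is traffic to the router that was seen but not justified by volume, which is the set to check against the configuration before deciding whether it is permitted or dropped.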