Re: Cisco Vulnerability (solution>>??)

From: steve r (route2hell@hotmail.com)
Date: Fri Jul 18 2003 - 15:15:48 GMT-3


!--- the trailing "log" keyword on each deny entry is optional
access-list 101 deny 53 any any log
access-list 101 deny 55 any any log
access-list 101 deny 77 any any log
access-list 101 deny 103 any any log
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

----- Original Message -----
From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
To: <James.Jackson@broadwing.com>; <Brennan_Murphy@NAI.com>;
<sam@munzani.com>; <id353@singnet.com.sg>; <ccielab@groupstudy.com>
Sent: Thursday, July 17, 2003 6:37 PM
Subject: RE: Cisco Vulnerability

> Look at the article, Cisco announces the traffic type! Wow!
>
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> Thanks,
>
> Patrick Brown
>
> -----Original Message-----
> From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
> Sent: Thursday, July 17, 2003 2:40 PM
> To: Brown, Patrick (NSOC-OCF}; Brennan_Murphy@NAI.com; sam@munzani.com;
> id353@singnet.com.sg; ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
>
> There should not be that much traffic destined to the router itself. Looking
> at the config and performing some basic traffic analysis should suffice.
> This is assuming you're not talking about a transit ACL which is a whole
> other story.
>
> -----Original Message-----
> From: Brown, Patrick (NSOC-OCF} [mailto:PBrown4@chartercom.com]
> Sent: Thursday, July 17, 2003 12:11 PM
> To: Jackson, James (DS Engineering); Brennan_Murphy@NAI.com;
> sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
> What are some other ACL entries that most providers put on their box to
> mitigate this, other than the general ACLs that Cisco recommended? I know
> most ISPs upgraded their core routers, but I was wondering if any applied
> the ACLs. If so, were there any ACLs that you had to open that were not in
> Cisco's general ACL? I am doing a lot of identification via Netflow, but I
> was wondering what your thoughts were.
>
>
> Thanks,
>
> Pb
>
> -----Original Message-----
> From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
> Sent: Thursday, July 17, 2003 10:42 AM
> To: Brennan_Murphy@NAI.com; sam@munzani.com; id353@singnet.com.sg;
> ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
> That's correct. I would add that ACLs are often not an option for internet
> backbone routers :)
>
> -----Original Message-----
> From: Brennan_Murphy@NAI.com [mailto:Brennan_Murphy@NAI.com]
> Sent: Thursday, July 17, 2003 10:08 AM
> To: sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
> Obviously Cisco knows what the rare sequence is but
> to advertise it widely right now would be very unfortunate.
>
> If the rare sequence were to be leaked and widely available
> ....AND...companies started noticing that hackers are using
> it against them, Cisco would post specific information about
> how to block the "rare packet sequence." For now, they are
> simply recommending ACLs that block traffic destined for
> as opposed to transiting through the router itself.
>
> That's my reading. Anyone care to comment?
>
> -----Original Message-----
> From: Sam Munzani [mailto:sam@munzani.com]
> Sent: Thursday, July 17, 2003 10:28 AM
> To: Ron; ccielab@groupstudy.com
> Subject: Re: Cisco Vulnerability
>
>
> Below is the line from the Summary section of the CCO page.
> Cisco routers and switches running Cisco IOS software and configured to
> process Internet Protocol version 4 (IPv4) packets are vulnerable to a
> Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
> sent directly to the device may cause the input interface to stop
> processing traffic once the input queue is full.
>
> Does this interpret as "Any traffic destined to the targeted device IP
> will cause it to fail?" OR "Any such Transit traffic will also kill the
> device?".
>
> Does anybody know what that rare sequence is? I would like to lab it up
> to understand the impact on our network.
>
> Sam
>
> > Guys,
> >
> > Got this a while back from CERT. Check it out.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
> >
> > Ron
> >
> > >From "Mustafa Bayramov (ICT/IT)" <mustafa@azercell.com> on 16 Jul
> > >2003:
> >
> > > All details here
> > >
> > >
> > > http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml
> > >
> > >
> > > Mustafa M Bayramov
> > >
> > > CISSP
> > > CCNP,CCDP,Cisco Security Specialist
> > > Network engineer and security analyst
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > Of asadovnikov
> > > Sent: Wednesday, July 16, 2003 8:19 PM
> > > To: 'Larry Letterman'; ccielab@groupstudy.com
> > > Subject: RE: Cisco Vulnerability
> > >
> > > Larry,
> > >
> > > Could you kindly send us CCO link.
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> > > Of Larry Letterman
> > > Sent: Wednesday, July 16, 2003 8:04 PM
> > > To: 'Kim Ed'; ccielab@groupstudy.com
> > > Subject: RE: Cisco Vulnerability
> > >
> > >
> > > There is a memory leak on certain IOS versions, that causes the
> > > routers to reload.. The info can be found on Cco....
> > >
> > >
> > > Larry Letterman
> > > Cisco Systems
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > Of Kim Ed
> > > Sent: Wednesday, July 16, 2003 3:22 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Cisco Vulnerability
> > >
> > >
> > > Group,
> > >
> > > I heard many major ISPs are having emergency maintenances (code
> > > upgrade?).
> > >
> > > I also hear that it is not related to this bug below but can't be
> > > sure.
> > >
> > > http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml
> > >
> > > The rumored vulnerability is IOS, not CatOS and supposedly causes a
> > > reload, not a telnet DoS.
> > >
> > > Anyone knows about this?
> > >
> > >
> > >
> > > Edward
> > >
> > > DISCLAIMER:
> > > The information contained in this e-mail may be confidential and is
> > > intended solely for the use of the named addressee. Access, copying
> > > or re-use of the e-mail or any information contained therein by any
> > > other person is not authorized. If you are not the intended
> > > recipient please notify us immediately by returning the e-mail to
> > > the originator.(A)
> > >
> > >
> > > _______________________________________________________________________
> > > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> > === message truncated ===
> >
> +++The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you received
> this in error, please contact the sender and destroy any copies of this
> document.+++



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:44 GMT-3
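
Added example, not part of the original thread or of Cisco's advisory: a triage of flow records for the four IP protocol numbers denied by the ACL at the top of this message, separating traffic addressed to the router from transit traffic, which is the distinction the thread discusses. The router addresses, the CSV layout and the sample flows are constructed assumptions; the protocol names come from the IANA registry.

```python
import csv
import io
import ipaddress
from collections import Counter

# IP protocol numbers denied by ACL 101 in the post (names per the IANA registry).
# 103 is PIM, so multicast networks may carry legitimate protocol-103 traffic.
BLOCKED = {53: "SWIPE", 55: "MOBILE", 77: "SUN-ND", 103: "PIM"}

# Assumption: addresses configured on the router's own interfaces
# (documentation ranges, not real devices).
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "198.51.100.1")}

# Constructed flow export, one record per line: src,dst,proto,packets
SAMPLE_FLOWS = """\
203.0.113.9,192.0.2.1,53,40
203.0.113.9,198.51.100.77,6,1200
198.51.100.20,192.0.2.1,103,15
203.0.113.50,198.51.100.80,77,3
192.0.2.200,192.0.2.1,6,88
"""


def triage(flow_csv, router_addrs=ROUTER_ADDRS):
    """Return (findings, summary) for flows the deny entries would match."""
    findings = []
    summary = Counter()
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed records
        src = row[0].strip()
        dst = ipaddress.ip_address(row[1].strip())
        proto, pkts = int(row[2]), int(row[3])
        if proto not in BLOCKED:
            continue  # matched by the final "permit ip any any"
        # "to-router" = addressed to the device itself; "transit" = passing through
        scope = "to-router" if dst in router_addrs else "transit"
        findings.append((src, str(dst), proto, BLOCKED[proto], scope, pkts))
        summary[(proto, scope)] += pkts
    return findings, dict(summary)


if __name__ == "__main__":
    hits, totals = triage(SAMPLE_FLOWS)
    for hit in hits:
        print(hit)
    print(totals)
```

Running this against real flow data before applying the ACL shows whether any of the four protocols is in legitimate use, which is the question raised in the quoted discussion about entries that had to be opened.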