From: Steve Router (route2hell@hotmail.com)
Date: Sat Jul 19 2003 - 23:42:42 GMT-3
Haven't seen any ghost protocols, maybe next week. Anyone seen the IOS IPv4
attacks with the wacky protocols?
Stephen R
>From: "asadovnikov" <asadovnikov@comcast.net>
>Reply-To: "asadovnikov" <asadovnikov@comcast.net>
>To: <ccielab@groupstudy.com>
>Subject: RE: Cisco Vulnerability
>Date: Sat, 19 Jul 2003 12:46:30 -0400
>
>I know it is yesterday's news, but just in case... it was on the public
>mailing list as well.
>
>http://www.netsys.com/cgi-bin/displaynews?a=611
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Mustafa M Bayramov
>Sent: Saturday, July 19, 2003 3:43 AM
>To: ccielab@groupstudy.com; 'asadovnikov'; 'Charles Church'
>Subject: RE: Cisco Vulnerability
>
>
>Here is it
>
>www2.def-con.org/shadowchode.tar.gz
>
>
>
>Mustafa M Bayramov
>
>CISSP
>CCNP,CCDP,Cisco Security Specialist
>Network engineer and security analyst
>
>
>"I know nothing except the fact of my ignorance." Socrates
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Charles Church
>Sent: Friday, July 18, 2003 5:47 PM
>To: Pratt, Jeremy; wing_lam@jossynergy.com
>Cc: ccielab@groupstudy.com
>Subject: RE: Cisco Vulnerability
>
>defcon? Are we getting ready to launch missiles or something? Maybe it's
>just Matthew Broderick confusing the WOPR again...
>
>Chuck Church
>CCIE #8776, MCNE, MCSE
>Wam!Net Government Services
>13665 Dulles Technology Dr. Ste 250
>Herndon, VA 20171
>Office: 703-480-2569
>Cell: 703-819-3495
>cchurch@wamnet.com
>PGP key:
>http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Pratt, Jeremy
>Sent: Friday, July 18, 2003 5:21 PM
>To: 'wing_lam@jossynergy.com'
>Cc: 'ccielab@groupstudy.com'
>Subject: RE: Cisco Vulnerability
>
>
>I've seen no hits on these protocols since yesterday morning.
>
>Symantec and others are upping the response on this to defcon 2.
>
>-----Original Message-----
>From: wing_lam@jossynergy.com [mailto:wing_lam@jossynergy.com]
>Sent: Thursday, July 17, 2003 11:27 PM
>To: ccielab@groupstudy.com
>Subject: RE: Cisco Vulnerability
>
>
>Hi group;
>
>Does anybody know how bad the situation is now?
>
>Thx,
>Winglam
>
>From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
>Sent by: nobody@groupstudy.com
>Date: 07/18/2003 06:37 AM
>Please respond to "Brown, Patrick (NSOC-OCF}"
>To: "'James.Jackson@broadwing.com'" <James.Jackson@broadwing.com>,
>Brennan_Murphy@NAI.com, sam@munzani.com, id353@singnet.com.sg,
>ccielab@groupstudy.com
>cc:
>Subject: RE: Cisco Vulnerability
>
>Look at the article, Cisco announces the traffic type! Wow!
>
>http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
>Thanks,
>
>Patrick Brown
>
>-----Original Message-----
>From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
>Sent: Thursday, July 17, 2003 2:40 PM
>To: Brown, Patrick (NSOC-OCF}; Brennan_Murphy@NAI.com; sam@munzani.com;
>id353@singnet.com.sg; ccielab@groupstudy.com
>Subject: RE: Cisco Vulnerability
>
>
>
>There should not be that much traffic destined to the router itself.
>Looking at the config and performing some basic traffic analysis should
>suffice. This is assuming you're not talking about a transit ACL which is
>a whole other story.
>
>-----Original Message-----
>From: Brown, Patrick (NSOC-OCF} [mailto:PBrown4@chartercom.com]
>Sent: Thursday, July 17, 2003 12:11 PM
>To: Jackson, James (DS Engineering); Brennan_Murphy@NAI.com;
>sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
>Subject: RE: Cisco Vulnerability
>
>
>What are some other ACL entries that most providers put on their box to
>mitigate this, other than the general ACLs that Cisco recommended? I
>know most ISPs upgraded their core routers, but I was wondering if any
>applied the ACLs. If so, were there any ACLs that you had to open that
>were not in Cisco's general ACL? I am doing a lot of identification via
>Netflow, but I was wondering what your thoughts were.
>
>
>Thanks,
>
>Pb
>
>-----Original Message-----
>From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
>Sent: Thursday, July 17, 2003 10:42 AM
>To: Brennan_Murphy@NAI.com; sam@munzani.com; id353@singnet.com.sg;
>ccielab@groupstudy.com
>Subject: RE: Cisco Vulnerability
>
>
>That's correct. I would add that ACLs are often not an option for
>internet backbone routers :)
>
>-----Original Message-----
>From: Brennan_Murphy@NAI.com [mailto:Brennan_Murphy@NAI.com]
>Sent: Thursday, July 17, 2003 10:08 AM
>To: sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
>Subject: RE: Cisco Vulnerability
>
>
>Obviously Cisco knows what the rare sequence is but
>to advertise it widely right now would be very unfortunate.
>
>If the rare sequence were to be leaked and widely available
>....AND...companies started noticing that hackers are using
>it against them, Cisco would post specific information about
>how to block the "rare packet sequence." For now, they are
>simply recommending ACLs that block traffic destined for
>as opposed to transiting through the router itself.
>
>That's my reading. Anyone care to comment?
>
>-----Original Message-----
>From: Sam Munzani [mailto:sam@munzani.com]
>Sent: Thursday, July 17, 2003 10:28 AM
>To: Ron; ccielab@groupstudy.com
>Subject: Re: Cisco Vulnerability
>
>
>Below is the line from Summary section of CCO page.
>Cisco routers and switches running Cisco IOS software and configured to
>process Internet Protocol version 4 (IPv4) packets are vulnerable to a
>Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
>sent directly to the device may cause the input interface to stop
>processing traffic once the input queue is full.
>
>Does this interpret as "Any traffic destined to the targeted device IP
>will cause it to fail?" OR "Any such transit traffic will also kill the
>device?".
>
>Does anybody know what that rare sequence is? I would like to lab it up
>to understand the impact on our network.
>
>Sam
>
> > Guys,
> >
> > Got this a while back from CERT. Check it out.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
> >
> > Ron
> >
> > >From "Mustafa Bayramov (ICT/IT)" <mustafa@azercell.com> on 16 Jul
> > >2003:
> >
> > > All details here
> > >
> > >
 > > > http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml
> > >
> > >
> > > Mustafa M Bayramov
> > >
> > > CISSP
> > > CCNP,CCDP,Cisco Security Specialist
> > > Network engineer and security analyst
> > >
> > > -----Original Message-----
 > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
 > > > Of asadovnikov
> > > Sent: Wednesday, July 16, 2003 8:19 PM
> > > To: 'Larry Letterman'; ccielab@groupstudy.com
> > > Subject: RE: Cisco Vulnerability
> > >
> > > Larry,
> > >
> > > Could you kindly send us CCO link.
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> > > Of Larry Letterman
> > > Sent: Wednesday, July 16, 2003 8:04 PM
> > > To: 'Kim Ed'; ccielab@groupstudy.com
> > > Subject: RE: Cisco Vulnerability
> > >
> > >
> > > There is a memory leak on certain IOS versions, that causes the
> > > routers to reload.. The info can be found on Cco....
> > >
> > >
> > > Larry Letterman
> > > Cisco Systems
> > >
> > >
> > >
> > >
> > > -----Original Message-----
 > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
 > > > Of Kim Ed
> > > Sent: Wednesday, July 16, 2003 3:22 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Cisco Vulnerability
> > >
> > >
> > > Group,
> > >
> > > I heard many major ISPs are having emergency maintenances (code
> > > upgrade?).
> > >
 > > > I also hear that it is not related to this bug below but can't be
> > > sure.
> > >
> > > http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml
> > >
> > > The rumored vulnerability is IOS, not CatOS and supposedly causes a
> > > reload, not a telnet DoS.
> > >
 > > > Anyone know about this?
> > >
> > >
> > >
> > > Edward
> > >
> > > ____________________________________________________________________
> > > ___
> > > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > === message truncated ===
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:46 GMT-3
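
The "basic traffic analysis" suggested in the thread for traffic destined to the router itself, sketched as an added example that is not part of the original messages. The router addresses, the comma-separated flow layout and the expected protocol/port set are all constructed assumptions, not a real NetFlow export format.

```python
import ipaddress
from collections import Counter

# Constructed sample: addresses configured on the router itself (assumption).
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "198.51.100.1")}

# Constructed flow records: src,dst,ip_protocol,dst_port,packets
SAMPLE_FLOWS = """\
203.0.113.5,192.0.2.1,6,179,120
203.0.113.9,192.0.2.1,6,22,40
203.0.113.77,198.51.100.1,1,0,3
203.0.113.50,10.20.30.40,6,80,9000
203.0.113.66,192.0.2.1,47,0,12
203.0.113.5,192.0.2.1,6,179,80
"""

# (protocol, dst_port) pairs this hypothetical router is expected to receive:
# BGP, SSH and ICMP. Anything else addressed to it is a candidate to deny.
EXPECTED = {(6, 179), (6, 22), (1, 0)}


def parse_flows(text):
    """Yield (src, dst, proto, dst_port, packets) tuples from the sample layout."""
    for line in text.strip().splitlines():
        src, dst, proto, dport, pkts = line.split(",")
        yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
               int(proto), int(dport), int(pkts))


def classify(flows, router_addrs=ROUTER_ADDRS, expected=EXPECTED):
    """Separate router-destined flows from transit and flag the unexpected ones."""
    to_router = Counter()    # expected (proto, port) -> packets
    unexpected = Counter()   # (src, proto, port) -> packets, needs review
    transit_pkts = 0         # traffic passing through, not a receive-ACL concern
    for src, dst, proto, dport, pkts in flows:
        if dst not in router_addrs:
            transit_pkts += pkts
            continue
        if (proto, dport) in expected:
            to_router[(proto, dport)] += pkts
        else:
            unexpected[(str(src), proto, dport)] += pkts
    return to_router, unexpected, transit_pkts


if __name__ == "__main__":
    ok, odd, transit = classify(parse_flows(SAMPLE_FLOWS))
    print("expected to router:", dict(ok))
    print("unexpected to router:", dict(odd))
    print("transit packets:", transit)
```

The expected set becomes the permit entries of an ACL for traffic addressed to the router; the unexpected set is what to investigate before adding the final deny.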