From: Church, Chuck (cchurch@netcogov.com)
Date: Wed Oct 27 2004 - 11:20:40 GMT-3
All,
I think we're getting a little off the topic here. True, the
only surefire way to stop a DDOS is to stop it at all the sources, but
Natasha was only looking for advice on selecting an IOS version that
isn't vulnerable to the various PSIRT issues. Usually this requires an
active service contract. If she's got one, downloading the latest GD
12.2 that supports all the modules in the router should work. If there
is no contract, there's a workaround. Check out:
http://www.cisco.com/en/US/products/products_security_advisory09186a00801a34c2.shtml#fixes
Read the part under 'Obtaining Fixed Software'. With a serial number,
you can get a fixed version this one time. Still, you're better off
with a contract...
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
libone mhlanga
Sent: Wednesday, October 27, 2004 6:17 AM
To: ccielab@groupstudy.com
Subject: RE: DOS/Smurf attacks!
As a veteran victim of DDoS attacks I can assure you that there is
NOTHING ( I repeat NOTHING !! ) that you can do on ANY router by ANY
manufacturer to mitigate against a huge DDoS attack !! That's why Cisco
themselves bought Riverhead.
What you need is purpose-built DDoS mitigation kit from the likes of
Netscaler, Toplayer, Riverhead( cisco ), Tippingpoint, Juniper(
Netscreen) etc etc .
Oh by the way the biggest Pix, Checkpoint, Cyberguard, Netscreen etc etc
WILL be brought down by a DDoS.
Just to give you an idea, one attack we suffered flattened our entire
Tier-1 ISP core composed of GSR's with all the IOS DDoS features on them
!!!
Nuff said !!
----- Original Message -----
From: <laurent.metzger@bt.com>
To: <mahaguru@gmail.com>, <naleyevka@yahoo.com>
Subject: RE: DOS/Smurf attacks!
Date: Wed, 27 Oct 2004 07:35:49 +0100
>
> Natasha,
> if you are looking for strong security, it is wiser to put a PIX firewall facing the ISP. Laurent
>
> -----Original Message-----
> From: nobody@groupstudy.com on behalf of Zafar Khan
> Sent: Wed 10/27/2004 5:00 AM
> To: Nathasha Aleyevka
> Cc: ccielab@groupstudy.com
> Subject: Re: DOS/Smurf attacks!
>
>
>
> Dear Natasha,
> It's not just the IOS version, it actually has a lot to do with your configs!
> Try AutoSecure available with IOS 12.3 and above
>
> Cheers
> Zafar
>
>
> On Tue, 26 Oct 2004 14:08:48 -0700 (PDT), Nathasha Aleyevka
> <naleyevka@yahoo.com> wrote:
> > Hello,
> >
> > I just performed a scan on my 7200 router (core to the ISP), the scan indicated that this router is vulnerable to several denial of service attacks, smurf attacks and buffer overflow attacks related to outdated version of its software (I'm running Version 12.0(2)XE2...
> >
> > Solution: To upgrade the IOS software to the latest stable version
> >
> > Q: What is the next stable version, does it mean 12.3? - How do I know that once I pay for the new IOS the scanning software will not tell me that the new IOS is still vulnerable to all of the above attacks.. Is there another patch fix to this problem. Any ideas(!)
> >
> > Thank you
This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:53 GMT-3