RE: Possible DOS on Cisco 2651 router?
From: James Williams (jwilliams_at_mail.wtamu.edu)
Date: 07/10/03
- Previous message: Christian Vogel: "Re: Strange CONNECT entries in apache logs"
- In reply to: Richard Bartlett: "Possible DOS on Cisco 2651 router?"
- Next in thread: Keith Pachulski: "RE: Possible DOS on Cisco 2651 router?"
To: "'Richard Bartlett'" <richard_bartlett@sw2000.com>
Date: Thu, 10 Jul 2003 11:55:37 -0500
Richard,
To me at first glance it would seem that the upstream provider was
having some issues. Did the client have any kind of network management
package running? You could have gathered some information about the
router stats like memory, process, and bandwidth usage during the outage
if that was the case. If the memory, process, and bandwidth usage seemed
normal I would have contacted the upstream provider to ask if they had
any issues and possibly opened a troubleshooting ticket.
James Williams
Network Systems Engineer
West Texas A&M University
-----Original Message-----
From: Richard Bartlett [mailto:richard_bartlett@sw2000.com]
Sent: Thursday, July 10, 2003 2:03 AM
To: incidents@securityfocus.com
Subject: Possible DOS on Cisco 2651 router?
A client experienced an outage today on their Cisco 2651 router (IOS
version IOS (tm) C2600 Software (C2600-I-M), Version 12.2(5d), RELEASE
SOFTWARE (fc1)). Pings to the router failed with either timeout or TTL
expired in transit messages from hops 2-3 upstream of the router.
Tracerts would timeout on the serial interface.
Investigations internally found machines just downstream of the router
couldn't even ping the internal ethernet interface of the router. A
power cycle did not solve the problem, and for some time the router
would timeout for around 2-3 minutes, then respond for 1 minute, then
timeout again.
I was unable to get on site with Syslog/Ethereal/Snort etc. and by the
time I was onsite the problem had stopped.
Does this sound like a DOS attack? I can't think of any config/hardware
problem that could cause symptoms like this, but I don't want to jump to
conclusions.
Tomorrow there will be a machine with RealSecure PC Protection, Snort,
Kiwi Syslog Daemon and Ethereal sitting there waiting!
Cheers for any help provided.
Richard