RE: Possible DOS on Cisco 2651 router?

From: Keith Pachulski (keithp_at_corp.ptd.net)
Date: 07/10/03

  • Next message: John Duksta: "Re: HTTP DDoS attack on our servers"
    Date: Thu, 10 Jul 2003 13:31:02 -0400
    To: "Richard Bartlett" <richard_bartlett@sw2000.com>, <incidents@securityfocus.com>
    
    

    did you log into the router? did you do a sh ver checking for uptime and possibly SegV errors -- when was it reload, why was it reload

    did anyone else on the network report any weirdness, connectivity issues before the Cisco vanishing act or was it just the router acting strangely?

    does the router permit anyone vty access? how is vty access granted? ssh, telnet?

    where is the router located? could someone have accidentally unplugged it or power cycled it? could the cleaning person have needed the outlet to run the vacuum =)

    before spending a million dollars why not first invest some time into first looking into the router and second possibly having someone on-site ping the router constantly and if/when it performs this act again have that person log in and attempt to see what the router is doing.

    just a few questions that come to mind

    --Keith

    -----Original Message-----
    From: Richard Bartlett [mailto:richard_bartlett@sw2000.com]
    Sent: Thursday, July 10, 2003 3:03 AM
    To: incidents@securityfocus.com
    Subject: Possible DOS on Cisco 2651 router?

    A client experienced an outage today on their Cisco 2651 router (IOS

    version IOS (tm) C2600 Software (C2600-I-M), Version 12.2(5d), RELEASE

    SOFTWARE (fc1). Pings to the router failed with either timout or TTL

    expired in transit messages from hops 2-3 upstream of the router.

    Tracerts would timeout on the serial interface.

    Investigations internally found machines just downstream of the router

    couldn't even ping the internal ethernet interface of the router. A

    power cycle did not solve the problem, and for some time the router would

    timeout for around 2-3 minutes, then respond for 1 minute, then timeout

    again.

    I was unable to get on site with Syslog/Ethereal/Snort etc. and by the

    time I was onsite the problem had stopped.

    Does this sound like a DOS attack? I can't think of any config/hardware

    problem that could cause symptoms like this, but I don't want to jump to

    conclusions.

    Tomorrow there will be a machine with RealSecure PC Protection, Snort,

    Kiwi Syslog Demon and Ethereal sitting there waiting!

    Cheers for any help provided.

    Richard

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------


  • Next message: John Duksta: "Re: HTTP DDoS attack on our servers"

    Relevant Pages

    • RE: Possible DOS on Cisco 2651 router?
      ... To me at first glance it would seem that the upstream provider was ... Did the client have any kind of network management ... Possible DOS on Cisco 2651 router? ... world's premier technical IT security event! ...
      (Incidents)
    • Re: Xbox does not recognize wireless A connection for MCE setup
      ... In particular, please check the Application, System, and Security Event ... Viewer logs for any errors ... BUT - when you say you checked the router and everything was set up ... the line PC, and HDTV plasma, a good (brand new Wireless a/g router, Xbox ...
      (microsoft.public.windows.mediacenter)
    • RES: Cisco IOS vulnerability
      ... It seems to me that implementing a best practice ACL filtering on internet ... Assunto: RE: Cisco IOS vulnerability ... Thinking about a perimeter router, i have one router with a "tcp any any ... world's premier technical IT security event! ...
      (Incidents)
    • Possible DOS on Cisco 2651 router?
      ... Pings to the router failed with either timout or TTL ... Tracerts would timeout on the serial interface. ... world's premier technical IT security event! ...
      (Incidents)
    • Re: ADSL Idle Timeout - is there such a thing?
      ... >router, so your problem may lie elsewhere. ... So the timeout doesn't occur under ... The problem with the timeout parameter that has been taking my time ... Open one IE session and access the router web interface. ...
      (uk.telecom.broadband)