RE: Possible DOS on Cisco 2651 router?

From: Keith Pachulski (keithp_at_corp.ptd.net)
Date: 07/10/03

  • Next message: John Duksta: "Re: HTTP DDoS attack on our servers"
    Date: Thu, 10 Jul 2003 13:31:02 -0400
    To: "Richard Bartlett" <richard_bartlett@sw2000.com>, <incidents@securityfocus.com>
    
    

    did you log into the router? did you do a sh ver checking for uptime and possibly SegV errors -- when was it reloaded, why was it reloaded

    did anyone else on the network report any weirdness, connectivity issues before the Cisco vanishing act or was it just the router acting strangely?

    does the router permit anyone vty access? how is vty access granted? ssh, telnet?

    where is the router located? could someone have accidentally unplugged it or power cycled it? could the cleaning person have needed the outlet to run the vacuum =)

    before spending a million dollars why not first invest some time into first looking into the router and second possibly having someone on-site ping the router constantly and if/when it performs this act again have that person log in and attempt to see what the router is doing.

    just a few questions that come to mind

    --Keith

    -----Original Message-----
    From: Richard Bartlett [mailto:richard_bartlett@sw2000.com]
    Sent: Thursday, July 10, 2003 3:03 AM
    To: incidents@securityfocus.com
    Subject: Possible DOS on Cisco 2651 router?

    A client experienced an outage today on their Cisco 2651 router (IOS
    version IOS (tm) C2600 Software (C2600-I-M), Version 12.2(5d), RELEASE
    SOFTWARE (fc1)). Pings to the router failed with either timeout or TTL
    expired in transit messages from hops 2-3 upstream of the router.
    Tracerts would timeout on the serial interface.

    Investigations internally found machines just downstream of the router
    couldn't even ping the internal ethernet interface of the router. A
    power cycle did not solve the problem, and for some time the router would
    timeout for around 2-3 minutes, then respond for 1 minute, then timeout
    again.

    I was unable to get on site with Syslog/Ethereal/Snort etc. and by the
    time I was onsite the problem had stopped.

    Does this sound like a DOS attack? I can't think of any config/hardware
    problem that could cause symptoms like this, but I don't want to jump to
    conclusions.

    Tomorrow there will be a machine with RealSecure PC Protection, Snort,
    Kiwi Syslog Daemon and Ethereal sitting there waiting!

    Cheers for any help provided.

    Richard

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
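Keith's suggestion of having someone on-site ping the router constantly and log in when it drops again is easy to turn into a small script. The one below is an added example, not from either poster: it probes the router once a second and prints a timestamped line only when reachability changes, together with how long the previous state lasted, so the intermittent "down 2-3 minutes, up 1 minute" pattern from the original report shows up as a clean record rather than a scrolling wall of ping output. The router address is a placeholder, and the `ping -c 1 -W 2` form assumes Linux iputils ping.

```sh
#!/bin/sh
# Added example (not from the thread): reachability monitor for a router that
# logs state transitions with timestamps, so the on-site person knows exactly
# when the outage began and when to log in with "sh ver" and friends.

ROUTER="${ROUTER:-192.0.2.1}"   # placeholder address; set ROUTER= to the router's interface
INTERVAL="${INTERVAL:-1}"       # seconds between probes

# probe ADDR: one ICMP echo with a 2-second reply timeout (iputils ping syntax,
# an assumption); prints "up" or "down".
probe() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# transitions: reads lines of "<epoch-seconds> <up|down>" on stdin and prints
# one line per state change in the form
#   "<epoch> <new-state> after <n>s <old-state>"
# The first sample only establishes the initial state and prints nothing.
transitions() {
    awk '
        NR == 1 { state = $2; since = $1; next }
        $2 != state {
            printf "%s %s after %ds %s\n", $1, $2, $1 - since, state
            state = $2
            since = $1
        }
    '
}

# monitor: probe forever, feeding timestamped results through transitions().
# Output is line-buffered by awk only on flush, so pipe through tee into a
# file if you want the record kept across a terminal disconnect.
monitor() {
    while :; do
        echo "$(date +%s) $(probe "$ROUTER")"
        sleep "$INTERVAL"
    done | transitions
}

# Only start the endless loop when explicitly asked: sh monitor.sh run
case "${1:-}" in
    run) monitor ;;
esac
```

Run it as `ROUTER=<router-ip> sh monitor.sh run | tee router-flap.log` on a host on the same LAN segment as the router's ethernet interface; the log then gives the exact epoch seconds to line up against `sh ver` uptime, any crashinfo, and the syslog/Snort captures Richard planned to collect.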
