RE: Possible DOS on Cisco 2651 router?

• Previous message: Tim Greer: "Re: HTTP DDoS attack on our servers"
• Maybe in reply to: Richard Bartlett: "Possible DOS on Cisco 2651 router?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 10 Jul 2003 13:31:02 -0400
To: "Richard Bartlett" <richard_bartlett@sw2000.com>, <incidents@securityfocus.com>

did you log into the router? did you do a sh ver checking for uptime and possibly SegV errors -- when was it reload, why was it reload

did anyone else on the network report any weirdness, connectivity issues before the Cisco vanishing act or was it just the router acting strangely?

does the router permit anyone vty access? how is vty access granted? ssh, telnet?

where is the router located? could someone have accidentally unplugged it or power cycled it? could the cleaning person have needed the outlet to run the vacuum =)

before spending a million dollars why not first invest some time into first looking into the router and second possibly having someone on-site ping the router constantly and if/when it performs this act again have that person log in and attempt to see what the router is doing.

just a few questions that come to mind

--Keith

-----Original Message-----
From: Richard Bartlett [mailto:richard_bartlett@sw2000.com]
Sent: Thursday, July 10, 2003 3:03 AM
To: incidents@securityfocus.com
Subject: Possible DOS on Cisco 2651 router?

A client experienced an outage today on their Cisco 2651 router (IOS

version IOS (tm) C2600 Software (C2600-I-M), Version 12.2(5d), RELEASE

SOFTWARE (fc1). Pings to the router failed with either timout or TTL

expired in transit messages from hops 2-3 upstream of the router.

Tracerts would timeout on the serial interface.

Investigations internally found machines just downstream of the router

couldn't even ping the internal ethernet interface of the router. A

power cycle did not solve the problem, and for some time the router would

timeout for around 2-3 minutes, then respond for 1 minute, then timeout

again.

I was unable to get on site with Syslog/Ethereal/Snort etc. and by the

time I was onsite the problem had stopped.

Does this sound like a DOS attack? I can't think of any config/hardware

problem that could cause symptoms like this, but I don't want to jump to

conclusions.

Tomorrow there will be a machine with RealSecure PC Protection, Snort,

Kiwi Syslog Demon and Ethereal sitting there waiting!

Cheers for any help provided.

Richard

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

• Previous message: Tim Greer: "Re: HTTP DDoS attack on our servers"
• Maybe in reply to: Richard Bartlett: "Possible DOS on Cisco 2651 router?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]