Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover

From: Richard Johnson (rdump_at_river.com)
Date: 07/20/03

    To: incidents@securityfocus.com
    Date: Sun, 20 Jul 2003 01:20:45 -0600
    
    

    In article
    <Pine.BSO.4.53.0307172223150.11409@rhiannon.precision-guesswork.com>,
     Tina Bird <tbird@precision-guesswork.com> wrote:

    > information on the detailed structure of the evil packets in these
    > protocols is not yet public AFAIK.

    The router has problems if it receives a packet, content irrelevant,
    that makes it to supervisor level claiming an IP protocol that it
    doesn't have code to handle.

    The kickup to supervisor level happens when the packet is targeted
    directly at the router's IP address (per first Cisco advisory) or just
    has its TTL expire in transit past the router (per revised Cisco
    advisory).

    Send enough packets (default 75), and the input queue is full. hping is
    enough of a launch platform for that--there's no need for
    questionable-source exploit binaries when testing.

    Richard

    -- 
    My mailbox. My property. My personal space. My rules. Deal with it.
                            http://www.river.com/users/share/cluetrain/
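
A defender-side check for the condition described in the message above, added here as an example and not part of the original post or of any Cisco tooling: it parses raw IPv4 headers from an ingress capture and counts packets that are addressed to the router, or arrive with an expiring TTL, while carrying a protocol number outside an assumed handled set. The handled set, the addresses and protocol 253 in the sample are constructed assumptions; 75 is the default queue depth quoted in the message.

```python
import struct
from ipaddress import IPv4Address

QUEUE_DEPTH = 75        # default input-queue depth quoted in the message
HANDLED = {1, 6, 17}    # assumption: protocols this router has handlers for

def parse_ipv4(raw):
    """Return (ttl, proto, dst) from a raw IPv4 header, or None if malformed."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        return None
    return raw[8], raw[9], IPv4Address(raw[16:20])

def is_suspect(raw, router_ips, handled=HANDLED):
    """True if the packet is punted to the router's CPU and has no handler."""
    hdr = parse_ipv4(raw)
    if hdr is None:
        return False
    ttl, proto, dst = hdr
    # Punted when addressed to the router itself, or when TTL expires at this hop.
    punted = dst in router_ips or ttl <= 1
    return punted and proto not in handled

def queue_at_risk(packets, router_ips, depth=QUEUE_DEPTH):
    """Count suspect packets and report whether they reach the queue depth."""
    count = sum(is_suspect(p, router_ips) for p in packets)
    return count, count >= depth

def make_header(src, dst, ttl, proto):
    """Build a constructed 20-byte IPv4 header in memory (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

# Constructed sample capture (documentation address ranges, not real traffic).
ROUTER = {IPv4Address("192.0.2.1")}
SAMPLE = (
    [make_header("198.51.100.7", "192.0.2.1", 64, 253)] * 60      # to router, unhandled
    + [make_header("198.51.100.7", "203.0.113.9", 1, 253)] * 20   # transit, TTL expiring
    + [make_header("198.51.100.8", "192.0.2.1", 64, 6)] * 30      # TCP to router, handled
    + [make_header("198.51.100.8", "203.0.113.9", 64, 253)] * 30  # transit, TTL healthy
)

if __name__ == "__main__":
    print(queue_at_risk(SAMPLE, ROUTER))
```
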
    
