Breadmaster
IS-IT--Management
now i have no idea about routers....but i need to know if and how I sort this out (i have a 2600 btw)....
thanks in advance,
Ted
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
DoS Attack : IOS vunerability..... 1
- Thread starter Breadmaster
- Start date
- Status
now i have no idea about routers....but i need to know if and how I sort this out (i have a 2600 btw)....
thanks in advance,
Ted
See the advisory and either implement the workaround detailed there or upgrade your IOS.
-
1
- #4
I understand the two alternatives given:
1. upgrade the IOS
2. Apply the ACL
However, how does one prove the vulneribility is then being defeated? It seems we need more information on just how this vulneribility is exploited.
Example of reasoning..the ACL allows a number of protocols riding on IP then it defeats all others. What if by applying the ACL one breaks a normally operating connection. Should you then remove the ACL or simply open the ACL to allow the broken connection to connect..Then how do you know you haven't opened the connection up to exploit?? We need a technique to test once the ACL is applied.
Thoughts????
hootier
Network Security Engineer
1. upgrade the IOS
2. Apply the ACL
However, how does one prove the vulneribility is then being defeated? It seems we need more information on just how this vulneribility is exploited.
Example of reasoning..the ACL allows a number of protocols riding on IP then it defeats all others. What if by applying the ACL one breaks a normally operating connection. Should you then remove the ACL or simply open the ACL to allow the broken connection to connect..Then how do you know you haven't opened the connection up to exploit?? We need a technique to test once the ACL is applied.
Thoughts????
hootier
Network Security Engineer
If you noticed this:
A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full.
That tells me the packet most likely has to be directed specifically to that interface to take advantage of the exploit. There are a lot of acl's that should stop this from happening. Not to mention, I like the fact that they aren't just broadcasting the exact way to recreate the exploit. This keeps the slightly above script kiddie and script kiddie from using it just yet. Only someone really smart and dedicated is going to figure out the exploit. Then it will creep out into the less swift population a little slower. Allowing us to put the proper fixes in place without being attacked before we can update all our equipment. Don't know about anyone else but I have close to 500 some odd devices left to still upgrade and that isn't including the 200 and something I did the other day. I for one am thankful that info isn't out there for just anyone. I know the exploit exists, i know moderately how it occurs and if I desired I could figure out how to do it, and after upgrading all my eqipment, 9-10 odds I will work on figuring it out in my lab and test it against upgrades and workarounds to see exactly how it works and what I need to know. I doubt strongly cisco will have steered anyone wrong, Cisco prides itself on its software, it is an IOS company by large.
A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full.
That tells me the packet most likely has to be directed specifically to that interface to take advantage of the exploit. There are a lot of acl's that should stop this from happening. Not to mention, I like the fact that they aren't just broadcasting the exact way to recreate the exploit. This keeps the slightly above script kiddie and script kiddie from using it just yet. Only someone really smart and dedicated is going to figure out the exploit. Then it will creep out into the less swift population a little slower. Allowing us to put the proper fixes in place without being attacked before we can update all our equipment. Don't know about anyone else but I have close to 500 some odd devices left to still upgrade and that isn't including the 200 and something I did the other day. I for one am thankful that info isn't out there for just anyone. I know the exploit exists, i know moderately how it occurs and if I desired I could figure out how to do it, and after upgrading all my eqipment, 9-10 odds I will work on figuring it out in my lab and test it against upgrades and workarounds to see exactly how it works and what I need to know. I doubt strongly cisco will have steered anyone wrong, Cisco prides itself on its software, it is an IOS company by large.
- Thread starter
- #9
Breadmaster
IS-IT--Management
This doesn't answer my original question.
I have read the warning and documentation however it is all greek to me.
What do i actually have to do?
As a SysAdmin I rely on my 2600 obviously but have never touched it.
I don't even know how to access the damn thing....
I have read the warning and documentation however it is all greek to me.
What do i actually have to do?
As a SysAdmin I rely on my 2600 obviously but have never touched it.
I don't even know how to access the damn thing....
Breadmaster,
Go to for the more "english" explanation of the vulnerability.
As the advisory mentioned, you either have to upgrade to the 12.3 version of the IOS or apply a few inbound ACLs (access control lists) on all active interfaces.
To apply either solutions, it is recommended that you consider hiring an engineer with experience to do this for you.
Orlando Palomar Jr
CCIE# 11206, CCNP
CIPT Operations Specialist
Phil-Data Business Systems, Inc.
Go to for the more "english" explanation of the vulnerability.
As the advisory mentioned, you either have to upgrade to the 12.3 version of the IOS or apply a few inbound ACLs (access control lists) on all active interfaces.
To apply either solutions, it is recommended that you consider hiring an engineer with experience to do this for you.
Orlando Palomar Jr
CCIE# 11206, CCNP
CIPT Operations Specialist
Phil-Data Business Systems, Inc.
- Thread starter
- #11
Breadmaster
IS-IT--Management
thanks oj88.....
looks like i'll have to get someone in.....
anyone in the UK want a one-off job?
looks like i'll have to get someone in.....
anyone in the UK want a one-off job?
Sorry breadmaster my earlier post was in response to hootier. My fault on that one for not responding to your problem. Easiest thing for you to do would be to upgrade your router to the 12.3 IOS version. Check your current memory space by using the SHOW FLASH command. Result will look like:
System flash directory:
File Length Name/status
1 7022676 /c2500-i-l.120-5.T.bin
[7022740 bytes used, 1365868 available, 8388608 total]
8192K bytes of processor board System flash (Read ONLY)
Notice the last line this tells you the size of your current flash chip(s). This one is an 8mb chip the command also gives you the name of the IOS in your flash area, note you could have more than one IOS suggest using SHOW VERSION to see which is being used IF you have more than one. Now that you are armed with this info we go to the next step.
Cisco is currently giving the IOS free of charge if you don't have a service agreement. Call cisco TAC, tell them you just got hired on at company xyz, have no clue as to where any information is regarding service agreements you don't even know if you have one. Almost forgot this; MAKE SURE TO HAVE SERIAL NUMBERS OF THE ROUTER(s) YOU WANT THE NEW IOS FOR!! They will ask for this and give you all your contact info if you have a third party contact fo it, they will also give you the IOS or at least a way to download it I should say.
Then you will go through the upgrade process. If you need help with that part we will be able to walk you through that process as well.
System flash directory:
File Length Name/status
1 7022676 /c2500-i-l.120-5.T.bin
[7022740 bytes used, 1365868 available, 8388608 total]
8192K bytes of processor board System flash (Read ONLY)
Notice the last line this tells you the size of your current flash chip(s). This one is an 8mb chip the command also gives you the name of the IOS in your flash area, note you could have more than one IOS suggest using SHOW VERSION to see which is being used IF you have more than one. Now that you are armed with this info we go to the next step.
Cisco is currently giving the IOS free of charge if you don't have a service agreement. Call cisco TAC, tell them you just got hired on at company xyz, have no clue as to where any information is regarding service agreements you don't even know if you have one. Almost forgot this; MAKE SURE TO HAVE SERIAL NUMBERS OF THE ROUTER(s) YOU WANT THE NEW IOS FOR!! They will ask for this and give you all your contact info if you have a third party contact fo it, they will also give you the IOS or at least a way to download it I should say.
Then you will go through the upgrade process. If you need help with that part we will be able to walk you through that process as well.
- Thread starter
- #13
Breadmaster
IS-IT--Management
That's great cheers!
how to i communicate with the router to send it a SHOW FLASH command? it it like telnet'ing a switch?
how to i communicate with the router to send it a SHOW FLASH command? it it like telnet'ing a switch?
Do you have a rollover cable? If you do you can use that to connect to the console port on the back of the router. Use a DB-9 to connect the roolover cable to a serial port on your laptop or desktop. Then open a terminal emulating program like HYPERTERMINAL or better yet TERATERM (which is also free). Set it to connect to serial at 9600 baud rate, N (for parity and flow control), 8 for data, 1 for stop bit.
You could possibly telnet to it, though it would have to be pre-configured to allow access on the telnet ports. I'm assuming this probably wasn't done. Not to mention upgrading the IOS this way is not a really desirable approach, if something goes wrong you won't have access to the router. The router stops processing normal traffic and your telnet session will be part of that normal traffic during the upgrade. So direct console connection is always prefered, second best is a dial-up connection to the AUX port. But, I'm still of the mind if I am going to update something remotely I have a back-up person who can show up to the site within a matter of minutes.
You could possibly telnet to it, though it would have to be pre-configured to allow access on the telnet ports. I'm assuming this probably wasn't done. Not to mention upgrading the IOS this way is not a really desirable approach, if something goes wrong you won't have access to the router. The router stops processing normal traffic and your telnet session will be part of that normal traffic during the upgrade. So direct console connection is always prefered, second best is a dial-up connection to the AUX port. But, I'm still of the mind if I am going to update something remotely I have a back-up person who can show up to the site within a matter of minutes.
- Thread starter
- #16
- Thread starter
- #18
ChicagoJim
MIS
You can test for the vulnerability by using hping ( Below is an example of how to use it to test your routers. I pulled the example off of the Security Focus mailing list.
(BEWARE, this will hang your router if it's vulnerable!)
hping <router ip> -0 -H 53 -t <ttl to router interface> -i u1000
The -H 53 designates the protocol type. If you want to be thorough, test it with -H 55, -H 77, and -H 103 also.
This information has been public since Monday. So, if you haven't fixed your routers yet, I suspect you'll be paged shortly to do some rebooting
(BEWARE, this will hang your router if it's vulnerable!)
hping <router ip> -0 -H 53 -t <ttl to router interface> -i u1000
The -H 53 designates the protocol type. If you want to be thorough, test it with -H 55, -H 77, and -H 103 also.
This information has been public since Monday. So, if you haven't fixed your routers yet, I suspect you'll be paged shortly to do some rebooting
- Status
Similar threads
