[nsp] Cisco DOS vulnerabilities

From: Peter Fitchett (peterf@xtra.co.nz)
Date: Wed Dec 01 1999 - 17:25:59 EST


Hi

This might be common knowledge, but I think it's worth mentioning.

1. If you run large access lists, your router may be vulnerable to a DOS attack.

2. Your router might also be vulnerable if you route networks to the null0 interface.

A site I am involved with had a server SYN flooded on random ports with random source addresses. The pps rate was quite high (in the order of 20K pps), indicating that it may have been a Tribe attack.

The server sits behind a 7500 fast eth interface with a 250 rule access list. The 7500 is running 11.1.28.1CC with RSP4 and VIP2-50s.

CPU normally peaks at 60% (10 min), but shot up to 100% during the attack, neighbors started bouncing and it was good night nurse.

In simulating the attack, CPU is unaffected without the access list.

We also found that CPU increased significantly when the destination was routed to null due to the ingress interface process switching packets to the null interface. In testing this we found that the router is process switching to null through some interfaces and fast switching to null through others, even though identical switching methodologies were configured as reported by a show ip int.

regards
peter
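As an added example (not from Peter's post or his site's configuration), here is the IOS change usually recommended for the null-route case described above: a packet routed to Null0 makes the router generate an ICMP unreachable, and that generation takes the process-switched path, so disabling unreachables on Null0 keeps the discard in the fast path. The prefix and interface names are placeholders.

```cisco
! Weak form: black-hole route with unreachables left at the IOS default (enabled).
! Each discarded packet is punted to process switching to build an ICMP unreachable.
ip route 192.0.2.0 255.255.255.0 Null0

! Hardened form: same black-hole route, but Null0 no longer generates unreachables,
! so the drop stays on the fast-switched path and does not load the RSP CPU.
interface Null0
 no ip unreachables
!
ip route 192.0.2.0 255.255.255.0 Null0

! Verification during a lab simulation like the one described in the post:
! confirm the switching path on the ingress interface, then watch the
! process-switched counters and CPU while traffic is sent toward the null-routed prefix.
show ip interface FastEthernet0/0
show interfaces FastEthernet0/0 switching
show processes cpu
```

If the process-switched counter on the ingress interface keeps climbing after the change, something other than unreachable generation is still punting the packets and the interface's own switching configuration should be compared against one that stays in the fast path.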



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:08 EDT