Re: [nsp] Cisco DOS vulnerabilities

From: Paul Ferguson (ferguson@cisco.com)
Date: Wed Dec 01 1999 - 18:05:13 EST


Once again, I bring your collective attention to:

  http://users.quadrunner.com/chuegen/smurf.cgi

- paul

At 10:25 PM 12/01/1999 +0000, Peter Fitchett wrote:

>Hi
>
>This might be common knowledge, but I think it's worth mentioning.
>
>1. If you run large access lists, your router may be vulnerable to a DOS
>attack.
>
>2. Your router might also be vulnerable if you route networks to the null0
>interface.
>
>
>A site I am involved with had a server syn flooded on random ports with
>random source addresses. The pps rate was quite high (in the order of 20K pps)
>indicating that it may have been a Tribe attack.
>
>The server sits behind a 7500 fast eth interface with a 250 rule access
>list. The 7500 is running 11.1.28.1CC with RSP4 and VIP2-50s.
>
>CPU normally peaks at 60% (10min), but shot up to 100% during the attack,
>neighbors started bouncing and it was good night nurse.
>
>In simulating the attack, CPU is unaffected without the access list.
>
>We also found that CPU increased significantly when the destination was
>routed to null due to the ingress interface process switching packets to the
>null interface. In testing this we found that the router is process
>switching to null through some interfaces and fast switching to null through
>others, even though identical switching methodologies were configured as
>reported by a show ip int.
>
>
>
>regards
>peter
>
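As an added example (not part of this thread or of any Cisco tool), the following detection logic flags the kind of flood Peter describes: SYNs arriving at a high packet rate with randomised source addresses and destination ports. The packet records, rates and thresholds are constructed assumptions, not data from the incident.

```python
# Added example (not from the thread): flag a spoofed-source SYN flood from a stream
# of per-packet records. Records and thresholds below are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
import random

@dataclass(frozen=True)
class Pkt:
    ts: float       # arrival time in seconds
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    syn_only: bool  # SYN set, ACK clear

def flood_windows(packets, window=1.0, min_pps=5000, min_src_ratio=0.9, min_dport_ratio=0.5):
    """Return (window_start, syn_pps, src_ratio, dport_ratio) for each window that
    looks like a randomised SYN flood. src_ratio is distinct sources / SYNs: a real
    burst of clients reuses source addresses, a spoofed flood barely repeats one."""
    buckets = defaultdict(list)
    for p in packets:
        if p.syn_only:
            buckets[int(p.ts // window)].append(p)
    hits = []
    for w in sorted(buckets):
        syns = buckets[w]
        pps = len(syns) / window
        if pps < min_pps:
            continue
        src_ratio = len({p.src for p in syns}) / len(syns)
        dport_ratio = len({p.dport for p in syns}) / len(syns)
        if src_ratio >= min_src_ratio and dport_ratio >= min_dport_ratio:
            hits.append((w * window, pps, src_ratio, dport_ratio))
    return hits

def sample_traffic(seed=1):
    """Constructed traffic: 2 s of ordinary load (1000 SYN/s from a few dozen
    clients to port 80), then 1 s of 20k SYNs with random sources and ports."""
    rng = random.Random(seed)
    pkts = []
    for i in range(2000):
        pkts.append(Pkt(i / 1000, f"10.0.0.{rng.randrange(1, 50)}", "192.0.2.10", 80, True))
    for i in range(20000):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        pkts.append(Pkt(2 + i / 20000, src, "192.0.2.10", rng.randrange(1, 65536), True))
    return pkts

if __name__ == "__main__":
    for start, pps, sr, dr in flood_windows(sample_traffic()):
        print(f"t={start:.0f}s syn_pps={pps:.0f} src_ratio={sr:.2f} dport_ratio={dr:.2f}")
```

Only the third one-second window is reported; the two ordinary windows stay well under the rate threshold and reuse their source addresses.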



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:08 EDT