Re: [nsp] DoS tracking

• Next message: Rubens Kuhl Jr.: "[nsp] ATM bridging"
• Previous message: Niels Chr. Bank-Pedersen: "[nsp] Where does a router get its default when tftpbooting?"
• In reply to: Edward Henigin: "Re: [nsp] DoS tracking"
• Next in thread: Richard Steenbergen: "Re: [nsp] DoS tracking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

Edward Henigin wrote:
>
> Right now I'm more concerned with some low-volume DOS
> attacks which are capable of killing a 7513/RSP4. I don't know

Right yesterday I noticed that if you're able to send ICMP echo requests
with a source address of 0.0.0.0, when the router attemps to reply, it
logs this error:

8w1d: %IP-3-DESTHOST: src=212.110.160.65, dst=0.0.0.0, NULL desthost
-Process= "IP Input", ipl= 0, pid= 26
-Traceback= 60384E08 60384238 60384560 6039250C 6035B38C 6035C420
6035819C 6039242C 60379CE0 60377F08 6037801C 603781A8 602D7264 602
D7250

If "logging console" is enabled, you can easily saturate the serial port
(and flood syslogd). I don't know if this could be made a DoS... I don't
have spare routers to flood with spoofed packets to see if they die :^)

Bye!

-- 
 Daniele
-------------------------------------------------------------------------------
 Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
 Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------

• Next message: Rubens Kuhl Jr.: "[nsp] ATM bridging"
• Previous message: Niels Chr. Bank-Pedersen: "[nsp] Where does a router get its default when tftpbooting?"
• In reply to: Edward Henigin: "Re: [nsp] DoS tracking"
• Next in thread: Richard Steenbergen: "Re: [nsp] DoS tracking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:10 EDT