[c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
Gert Doering
gert at greenie.muc.de
Wed Sep 9 16:38:21 EDT 2009
Hi,
On Wed, Sep 09, 2009 at 06:52:04PM +0100, Antonio Soares wrote:
> What actions are you taking ? What is the real risk ?
>
> http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml
"scream, wave your arms, run around in circles"...
Seriously: I'm not exactly sure what the actual impact is.
What we're going to do is:
- identify what parts of IOS use TCP (telnet, ssh, rsh, bgp, ldp,
  http/s, ftp, others?)
  (for some weird reason, "show ip sockets" only shows UDP sockets on
  our boxes, and "show tcp brief" only shows ESTABLISHED TCP sessions
  - how can I see what TCP LISTEN sockets are there??)
- find out what the impact is on each ("fill all available slots, lock
  out legitimate admins" or "fill all available memory, killing the box")
- find out how to mitigate
  - telnet/ssh -> vty ACLs
  - rsh -> recent IOSes send RST to unknown peers
  - bgp -> takes care of itself (doesn't talk to unknown peers)
  - http/https -> turn off
  - ldp -> ??
  - ftp -> ??
  - generic -> receive ACLs ("if the platform happens to support it"),
    infrastructure ACLs ("not always effective in catching
    all possible IP addresses that a box with many customer
    /30 or /29s might have")
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
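The mitigations Gert lists (vty ACLs for telnet/ssh, disabling HTTP/HTTPS, receive ACLs, infrastructure ACLs) as one IOS configuration fragment. This is an added example, not part of the original post or of the Cisco advisory; the addresses are RFC 5737 documentation ranges chosen for illustration, the interface name and ACL names are assumptions, and receive ACLs (`ip receive access-list`) are only available on platforms that support them, as the post notes.

```cisco
! Added example (not from the original post): IOS configuration fragment
! illustrating the mitigations listed in the message. Addresses are
! RFC 5737 documentation ranges, not a real deployment:
!   192.0.2.0/24    - management hosts (assumed)
!   198.51.100.1    - BGP peer (assumed)
!   203.0.113.0/24  - router/infrastructure address block (assumed)
!
! 1. telnet/ssh -> vty ACL: only management hosts may open a session,
!    and only via ssh.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! 2. http/https -> turn off the embedded web server entirely.
no ip http server
no ip http secure-server
!
! 3. generic -> receive ACL (platform-dependent). Filters only traffic
!    destined to the route processor itself; transit traffic is not
!    affected. A numbered extended ACL is used here.
access-list 110 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 110 permit tcp host 198.51.100.1 any eq bgp
access-list 110 permit tcp host 198.51.100.1 eq bgp any
access-list 110 deny   tcp any any
access-list 110 permit ip any any
ip receive access-list 110
!
! 4. generic -> infrastructure ACL on external interfaces: drop TCP
!    from outside addressed to the infrastructure block, pass transit
!    traffic untouched. As the post warns, this only covers addresses
!    that are actually inside the listed block.
ip access-list extended INFRA-IN
 permit tcp host 198.51.100.1 203.0.113.0 0.0.0.255 eq bgp
 permit tcp host 198.51.100.1 eq bgp 203.0.113.0 0.0.0.255
 permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 22
 deny   tcp any 203.0.113.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1
 description external / customer-facing (assumed interface name)
 ip access-group INFRA-IN in
!
! Verification (exec mode, not config): "show tcp brief all" lists
! LISTEN sockets as well as ESTABLISHED sessions, which answers the
! question in the post about finding listening TCP ports.
```

Review the output of `show tcp brief all` before applying the receive ACL, so that every listener the box actually needs (BGP, LDP, management) has a matching permit entry; the final `deny tcp any any` in the receive ACL drops everything not listed.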