[nsp-sec] ASR fragment DDoS
Damian Menscher
damian at google.com
Fri Jul 31 10:08:02 EDT 2015
On Fri, Jul 31, 2015 at 12:27 AM, JR Mayberry <mayberry at jupiter.loonybin.net> wrote:
>
> http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20150730-asr1k
"There are no workarounds for this vulnerability."
That's strange... I can think of two:
- Don't expose open ports on the router to untrusted clients. (Not
certain this will work in this case, but it seems likely the ACL code runs
before the fragment reassembly code.)
- Don't advertise your router's IP in the global routing table. (The
vulnerability doesn't get triggered by transit packets.)
I think both of these are considered best current practices, and would
avoid this vulnerability.
Damian
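The two practices named in the message above, expressed as IOS configuration. This is an added illustration, not configuration from the post or from Cisco's advisory; the address blocks (192.0.2.0/24 for the router's own addresses, 198.51.100.0/24 for a management network, 203.0.113.2 for a BGP neighbour), the interface name and the AS numbers are placeholders. Whether an interface ACL is evaluated before reassembly on the affected platform is, as the post says, not confirmed, so the value of the ACL here is the general one of keeping the router's own addresses unreachable from untrusted sources.

```cisco
! --- Practice 1: do not expose the router's own addresses to untrusted clients ---
! Infrastructure ACL applied inbound on the untrusted-facing interface.
! 192.0.2.0/24   = placeholder for the block holding loopback/link addresses
! 198.51.100.0/24 = placeholder management network that may reach the router
! 203.0.113.2     = placeholder external BGP neighbour
ip access-list extended INFRA-ACL
 ! Drop non-initial fragments aimed at the router itself before anything
 ! else is considered; legitimate management/BGP traffic does not need them.
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 ! Management access from the management network only
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 permit udp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmp
 ! BGP session with one known neighbour, in both directions
 permit tcp host 203.0.113.2 host 192.0.2.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 192.0.2.1
 ! Everything else destined to the router's own addresses is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 ! Transit traffic is not affected by the advisory and passes unchanged
 permit ip any any
!
interface GigabitEthernet0/0/0
 description placeholder: untrusted-facing interface
 ip access-group INFRA-ACL in
!
! --- Practice 2: do not advertise the router's own addresses globally ---
! Outbound prefix-list on the external BGP session so the block holding the
! router's addresses is never announced to the neighbour.
ip prefix-list NO-INFRA seq 5 deny 192.0.2.0/24 le 32
ip prefix-list NO-INFRA seq 10 permit 0.0.0.0/0 le 24
!
router bgp 64496
 neighbor 203.0.113.2 remote-as 64497
 neighbor 203.0.113.2 prefix-list NO-INFRA out
```

After applying, `show ip access-lists INFRA-ACL` shows per-entry hit counts, which is the quickest way to confirm that traffic to the router's own addresses from outside the management network is landing on the deny entries rather than on `permit ip any any`.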