[nsp-sec] ASR fragment DDoS
Chris Morrow
morrowc at ops-netman.net
Fri Jul 31 11:05:09 EDT 2015
At Fri, 31 Jul 2015 07:08:02 -0700,
Damian Menscher wrote:
>
> ----------- nsp-security Confidential --------
>
> On Fri, Jul 31, 2015 at 12:27 AM, JR Mayberry <mayberry at jupiter.loonybin.net> wrote:
>
> >
> >
> > http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20150730-asr1k
>
(I didn't read the above, but...)
>
> "There are no workarounds for this vulnerability."
>
> That's strange... I can think of two:
> - Don't expose open ports on the router to untrusted clients. (Not
> certain this will work in this case, but it seems likely the ACL code runs
> before the fragment reassembly code.)
> - Don't advertise your router's IP in the global routing table. (The
> vulnerability doesn't get triggered by transit packets.)
>
> I think both of these are considered best current practices, and would
> avoid this vulnerability.
If this is triggered by transit traffic ... that could get much worse
to deal with :( Also, if you can trigger this by tossing
'router-alert' on packets, it'd avoid your two protections for transit
traffic.
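For reference, here is what the two workarounds discussed above (an infrastructure ACL that keeps untrusted clients off the router's own addresses, and an outbound BGP filter that keeps the router's addresses out of the global table), plus Chris's router-alert concern, look like as IOS/IOS XE configuration. This is an added illustration, not configuration from the thread, from the advisory, or from Cisco; the addresses are RFC 5737 documentation ranges, 192.0.2.0/24 is assumed to be the loopback/infrastructure block, 198.51.100.0/30 the eBGP link, and AS numbers and interface names are placeholders. Whether the ACL is evaluated before the reassembly code path named in the advisory is exactly the open question Damian raises, so treat this as defence in depth rather than a confirmed fix.

```cisco
! --- Workaround 1: infrastructure ACL on the untrusted (upstream) interface ---
ip access-list extended INFRA-ACL-IN
 ! Drop packets carrying the router-alert IP option: they are punted to the
 ! control plane even when addressed to a transit destination, which is how
 ! a transit packet could sidestep the address-based protections below.
 ! (Assumption: this link carries no RSVP or IGMP, which legitimately use it.)
 deny   ip any any option router-alert
 ! Drop non-initial fragments aimed at the router's own addresses. The
 ! 'fragments' keyword matches only non-initial fragments; the initial
 ! fragment is still evaluated by the L3/L4 entries that follow.
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 deny   ip any 198.51.100.0 0.0.0.3 fragments
 ! Only the configured eBGP peer may talk BGP to the link address.
 permit tcp host 198.51.100.2 host 198.51.100.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 198.51.100.1
 ! ICMP needed for path MTU discovery and troubleshooting.
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 198.51.100.0 0.0.0.3 packet-too-big
 permit icmp any 198.51.100.0 0.0.0.3 ttl-exceeded
 ! Everything else destined to the router itself is dropped ...
 deny   ip any 192.0.2.0 0.0.0.255
 deny   ip any 198.51.100.0 0.0.0.3
 ! ... while ordinary transit traffic is still forwarded.
 permit ip any any
!
interface GigabitEthernet0/0/0
 description eBGP link to AS64501 (untrusted)
 ip address 198.51.100.1 255.255.255.252
 ip access-group INFRA-ACL-IN in
!
! Belt and braces for the router-alert case: have the box discard any
! packet with IP options at all, not just on this interface.
ip options drop
!
! --- Workaround 2: never announce the infrastructure block to the world ---
ip prefix-list ADV-OUT seq 5 deny 192.0.2.0/24 le 32
ip prefix-list ADV-OUT seq 10 permit 0.0.0.0/0 le 24
!
route-map EBGP-OUT permit 10
 match ip address prefix-list ADV-OUT
!
router bgp 64500
 neighbor 198.51.100.2 remote-as 64501
 neighbor 198.51.100.2 route-map EBGP-OUT out
```

Two practical checks after applying something like this: `show ip access-lists INFRA-ACL-IN` should show hit counts climbing on the fragment and router-alert entries if anyone is actually sending such traffic at you, and `show ip bgp neighbors 198.51.100.2 advertised-routes` should contain nothing from 192.0.2.0/24. Note that `ip options drop` is global and will break RSVP-TE and IGMP if those are in use anywhere on the box.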