[nsp-sec] ASR fragment DDoS

Smith, Donald Donald.Smith at CenturyLink.com
Fri Jul 31 13:02:16 EDT 2015 

This is the telling part.

"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Cisco PSIRT is aware of disruption for some Cisco customers with Cisco ASR 1000 Series Aggregation Services Routers devices affected by this vulnerability. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the owner of that address and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco IOS XE Software release to remediate this issue.
This vulnerability was found internally by Cisco."

So it has occurred in the wild, the packets weren't crafted to be malicious, cisco found it (once it was reported). So this CAN occur without malicious packet crafting (they still claim packet crafting is required).

Their cvss shows this as LOW for access complexity.

Access Vector       AccessComplexity Authentication  ConfidentialityImpact  IntegrityImpact   AvailabilityImpact
Network                           Low              None                     None                               None               Complete






H8Hz
Donald.Smith at centurylink.com



From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Roland Dobbins [rdobbins at arbor.net]
Sent: Friday, July 31, 2015 9:29 AM
To: nsp-security NSP
Subject: Re: [nsp-sec] ASR fragment DDoS


----------- nsp-security Confidential --------


On 31 Jul 2015, at 22:05, Chris Morrow wrote:

> (I didn't read the above, but...)

Yes, that does seem to imply that transit traffic can trigger it, not
just 'to-me' traffic.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.

More information about the nsp-security mailing list