Merit Joint Technical Staff
UDP Cisco ATTACKS : iMCISE:IMCI:122796:01:P1R1
- From: Jeff Ogden
- Date: Mon Dec 30 09:23:53 1996
FYI. I sent out a note about this last fall, but here is a reminder. The
Merit managed routers are safe, but you may want to check any cisco routers
of your own.
-Jeff
>Date: Fri, 27 Dec 1996 12:13:23 -0800
>To: miigs@mci.net, meals@mci.net
>From: Dale Drew <ddrew@mci.net>
>Subject: UDP Cisco ATTACKS : iMCISE:IMCI:122796:01:P1R1
>
> MCI Telecommunications
>
> internetMCI Security Group
>
>
>Report Title: iMCI MIIGS Security Alert
>Report Name: Denial Of Service Attacks ; "pepsi"
>Report Number: iMCISE:IMCI:122796:01:P1R1
>Report Date: 12/27/96
>Report Format: Formal
>Report Classification: MCI Informational
>Report Reference: http://www.security.mci.net
>Report Distribution: iMCI Security,
> MCI Internal Internet Gateway Security (MIIGS),
> MCI Emergency Alert LiSt (MEALS)
> (names on file)
>
>---------------------------------------------------------------------------
>
>This is a follow up to an MCI Alert issued to the MCI alert list in September
>of this year.
>
> ABSTRACT
>
>MCI has identified information relating to a Denial Of Service attack program
>that is being used to specifically affect the service of Cisco routers.
>Although it could be used to affect other platforms, this alert will focus on
>the Cisco router exploit.
>
> PROBLEM
>
>The attack works by sending a stream of source forged UDP packets to a Cisco
>router that accepts UDP and TCP ports 7, 9, 13, 19, and 113.
>
>When a connection is made to these ports, a small amount of priority CPU is
>used to service the requests. When a continuous stream of forged source IP
>packets is received by the Cisco, it can overwhelm the CPU, causing a slowdown
>of processed packets, or a failure.
>
>SYSLOG and/or Console messages will show an error message of "%SYS-3 NOPROC:
>Process Table Full" during an attack.
>
>This program has been in limited distribution since September of this year,
>being used to affect the service of Internet connected routers. However,
>the code has recently been released in source code format to large
>sections of the Internet, and it is suspected that the number of reported
>attacks will be on the increase.
>
> SOLUTION
>
>Users can disable the effects of this attack by issuing the following
>configuration commands (10.2(9), 10.3(7), and 11.0(2) and all subsequent
>releases):
>
>no service udp-small-servers
>no service tcp-small-servers
>
>If you identify an active attack, contact your routing vendor and your ISP
>as soon as possible. ( MCI customers can report incidents to
>http://www.security.mci.net )
>
>For further information, please see the following URLs:
>
> Cisco Alert Summary:
> http://www.cisco.com/warp/public/146/917_security.html
> Cisco Security Guide
> http://www.cisco.com/univercd/data/doc/cintrnet/ics/icssecur.htm
> DOS Attack Info
> http://www.security.mci.net/dos.html
> CERT Alert on UDP Attacks
> http://www.security.mci.net/advisory.pl/CERT/CA-96.01.UDP_service_denial
>
>
> "Success through teamwork"
>===============================================================
>Dale Drew MCI Telecommunications
>Sr. Manager internetMCI Security
> Engineering
>Voice: 703/715-7058 Internet: ddrew@mci.net
>Fax: 703/715-7066 MCIMAIL: Dale_Drew/644-3335
>
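Added example, not part of the forwarded alert or of the note above it: a small Python check that reads a saved router configuration for the two "no service ...-small-servers" commands named under SOLUTION and scans syslog lines for the process-table error quoted under PROBLEM. The function names and sample inputs are constructed for illustration; treating a configuration with no explicit line as "unset" (needs review) and accepting a hyphen-joined spelling of the error are assumptions.

```python
import re

# Matches "service udp-small-servers" / "no service tcp-small-servers" lines.
_SMALL = re.compile(r"^\s*(no\s+)?service\s+(udp|tcp)-small-servers\b", re.I)
# The alert quotes "%SYS-3 NOPROC"; also accept a hyphen-joined spelling (assumption).
_NOPROC = re.compile(r"%SYS-3[- ]NOPROC\b")


def audit_small_servers(config_text):
    """Return {'udp': state, 'tcp': state}; state is 'disabled', 'enabled' or 'unset'.

    'unset' means no explicit line was found, so the result depends on the
    release default and should be reviewed rather than assumed safe.
    """
    state = {"udp": "unset", "tcp": "unset"}
    for line in config_text.splitlines():
        if line.lstrip().startswith("!"):   # comment line, not in effect
            continue
        m = _SMALL.match(line)
        if m:                                # last matching line wins
            state[m.group(2).lower()] = "disabled" if m.group(1) else "enabled"
    return state


def needs_fix(state):
    """Protocols for which the 'no service ...' command is not confirmed."""
    return sorted(p for p, s in state.items() if s != "disabled")


def noproc_lines(log_lines):
    """Return log lines carrying the process-table-full error named in the alert."""
    return [line for line in log_lines if _NOPROC.search(line)]


# Constructed sample inputs (not taken from any real router).
SAMPLE_CONFIG = """\
hostname edge-rtr-example
! no service tcp-small-servers   (commented out, so not in effect)
no service udp-small-servers
service tcp-small-servers
"""
SAMPLE_LOG = [
    "Dec 27 12:01:07 edge-rtr-example 41: %SYS-3 NOPROC: Process Table Full",
    "Dec 27 12:01:09 edge-rtr-example 42: %LINK-3-UPDOWN: Interface Serial0, changed state to up",
]

if __name__ == "__main__":
    st = audit_small_servers(SAMPLE_CONFIG)
    print(st, needs_fix(st), len(noproc_lines(SAMPLE_LOG)))
```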