Merit Joint Technical Staff
Cisco IOS Interface Blocked by IPv4 Packets
- From: Brian Cashman
- Date: Sat Jul 19 11:21:02 2003
Many of you may be aware of the recent security advisory issued
regarding IOS, Cisco's router and switch operating system software.
Details of this advisory can be found at:
This message is to assure you that Merit is aware of the issue and is
working to implement the appropriate fixes as quickly as possible.
The underlying issue is a vulnerability in the Cisco IOS that allows
certain, specially crafted sequences of packets to stop input interfaces
from processing traffic. Thus far, Merit has not experienced an exploit
and performance has not been affected in any way. However, we are
proactively working to protect MichNet from this vulnerability.
At this point, all of MichNet's border routers are protected, so
MichNet is not vulnerable to attacks from external networks. MichNet
Operations is currently working to apply the Cisco-provided patch to all
backbone equipment and expects to continue that effort throughout the
Once the backbone is secure, MichNet Operations will turn their
attention to the approximately 350 access routers and switches used by
our Members and Affiliates at their own locations. Obviously,
correcting the vulnerability on such a large number of units will take
time. MichNet Operations is currently analyzing the equipment inventory
to determine how each model number and IOS version must be
patched/upgraded to eliminate the vulnerability. Once analysis is
complete, they will begin implementing the fix on a unit-by-unit basis.
Most of the fixes will be applied remotely. However, some models may
require upgrading to apply the appropriate patch. The appropriate site
contact will be notified in these cases and the best solution determined
for that location.
We will continue to keep you informed of our progress in eliminating
Due to the pervasive nature of this vulnerability, network operators
everywhere will be taking steps similar to the ones we're taking over
the next few days to address this. As a result there may be instability
or temporary unreachability on the network while these changes are made.
If you would like additional information regarding the advisory, an
excerpt is attached below. As always, if you have any questions, feel
free to contact me or your Support Team.
CISCO ADVISORY EXCERPT
Cisco routers and switches running Cisco IOS® software and configured
to process Internet Protocol version 4 (IPv4) packets are vulnerable to
a Denial of Service (DoS) attack. A rare sequence of crafted IPv4
packets with specific protocol fields sent directly to the device may
cause the input interface to stop processing traffic once the input
queue is full. No authentication is required to process the inbound
packet. Processing of IPv4 packets is enabled by default. Devices
running only IP version 6 (IPv6) are not affected. A workaround is
This issue affects all Cisco devices running Cisco IOS software and
configured to process Internet Protocol version 4 (IPv4) packets. Cisco
devices which do not run Cisco IOS software are not affected. Devices
which run only Internet Protocol version 6 (IPv6) are not affected.