Full Disclosure mailing list archives
RE: Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105
From: amilabs <amilabs () optonline net>
Date: Mon, 05 Jan 2004 10:50:39 -0500
Thanks for the heads up. I have had that problem with nat since 6.1. I have a pix 501 and it always did this every now and then. So, I would do a reset or clear xlate to resolve the problem. It seemed to be an ios issue and not a dos attack issue. I use it for vpn access. It mostly happens when I am leaving my local network going through the pix and out onto the cable net. Thanks for the tip www.amilabs.com -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of John.Airey () rnib org uk Sent: Monday, January 05, 2004 9:55 AM To: full-disclosure () lists netsys com Subject: [Full-disclosure] Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105 Brief Description ----------------- Users of Cisco Pix Firewalls may discover that their pool of NAT'ted IP addresses is running out, and that a reboot, reload or "clear xlate" on the firewall clears the problem. Details ------- The problem is caused by the Firewall being swamped by incoming ICMP packets on the global pool IP addresses. If these are not intercepted by a router beforehand, the incoming echo requests (that are emanating from Nachi/Welchia worm infected machines) are preventing the release of the address translation. ie, the Pix is detecting the blocked traffic as indication that the translation is still in use. Permanent fix ------------- I have been informed by Cisco that this is resolved in 6.3(3)105. The relevant case ID is CSCec 47609 detailed at www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec47609 and referenced at www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00 801b 143a.shtml This is probably also fixed in later IOS versions. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk Even if you win the rat race, that will still only make you a rat. - DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105 John . Airey (Jan 05)
- RE: Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105 amilabs (Jan 05)