Full Disclosure mailing list archives

Re: Should nmap cause a DoS on cisco routers?


From: Florian Weimer <fweimer () bfk de>
Date: Fri, 02 Jul 2010 09:45:20 +0000

* Roland Dobbins:

> On Jul 1, 2010, at 11:12 PM, Florian Weimer wrote:
>
>> And it's certainly a bug worth fixing.
>
> I doubt it's a 'bug' which can be 'fixed', just the same as sending
> enough legitimate HTTP requests to a Web server to bring it to its
> knees isn't a 'bug' which can be 'fixed', but rather a DoS which
> must be mitigated via a variety of mechanisms.

I was referring to single-packet (or single-request) crashers.
Reputable vendors still ship devices that have those bugs in 2010.

Chances are that Shang Tsung's nmap run triggered one of those.  As I
wrote, it happened before.  The nmap command line posted further
upthread does not actually cause a high pps flood.  Such level of SNMP
scanning is quite common in enterprise networks because some printer
drivers use it to locate printers, so your network devices are better
prepared to handle that.

And even if you applied control plane protection, you still need to
monitor those devices from your management network.  The brittleness
described in this thread makes this an extremely risky endeavor: one
typo in your Perl script, and your network is gone, even if the
monitoring station never had the credentials for enable access.
Those bugs might not be security-relevant, but they can be very
annoying nevertheless.

-- 
Florian Weimer                <fweimer () bfk de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
