RE: Possible Sudden Uptick in ASA DOS?

["Chuck Church" <chuckchurch () gmail com>]

I would say it depends on the complexity and probability of it happening
accidentally.  An incorrect letter (language change perhaps) in a URL that
crashes a web server might not be malicious.  A crafted ESP or ISAKMP packet
that was created in a Linux packet tool and 'randomly' hits your VPN I'd say
is no accident.  I agree with Jared, patch your stuff when the PSIRTs come
out.  But whether or not you're patched, if you're attacked, that person
still is breaking the law.  Think about leaving your car somewhere with the
door open and keys in ignition.  Someone steals it.  They're still a
criminal, even though you made their 'job' as easy as possible.

Chuck

-----Original Message-----
From: Mark Andrews [mailto:marka () isc org] 
Sent: Thursday, July 09, 2015 10:06 PM
To: Chuck Church
Cc: 'Jared Mauch'; 'Colin Johnston'; nanog () nanog org
Subject: Re: Possible Sudden Uptick in ASA DOS?


In message <011d01d0bab1$e7890a00$b69b1e00$@gmail.com>, "Chuck Church"
writes:
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Jared Mauch
> Sent: Thursday, July 09, 2015 9:08 AM
> To: Colin Johnston
> Cc: nanog () nanog org
> Subject: Re: Possible Sudden Uptick in ASA DOS?
>
> > My guess is a researcher.
>
>
> I wouldn't classify someone sending known malicious traffic towards 
> someone else's network device attempting to crash it as a 'researcher'.
> Criminal is a better term.
>
> Chuck

At what point does a well formed but bug triggering packet go from
"malicious" to "expected"?

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org