Vulnerability Development mailing list archives

Re: Cisco 677 oddity: Broadcasting to port 1999


From: Vladimir Kraljevich <vlaad () EMPRESARIUM COM>
Date: Mon, 14 Aug 2000 17:28:11 -0000

> Now, the interesting thing of course is: What would have happened if
> there was actually another Cisco router present that would answer to
> this broadcast. Would my ADSL router start sending traffic to the
> other router, or what is the purpose of this broadcast?

AFAIK, the purpose of this broadcast is just syslog, nothing more.

You can make it (if you have access to CBOS) point to an arbitrary
address on the net, sending those messages to an arbitrary port on the
listening machine.

Nobody in a normal situation should answer this message, since it is
dedicated to debugging purposes only, to show administrators what is
going wrong. Even if you try to simulate a response from another
"router", nothing should happen. However, some reports reveal that in
certain circumstances you can bring down the Cisco 6xx (perhaps a few
other types, too) by flooding syslog.

/********* IMPORTANT??? ***********

From my experience, it is possible to nail a coffin to Cisco 677 with
an ICMP request in which IPOPT_RR is set. Someone, please confirm this.

I wrote to CCO, but they wanted my ID, SSN, dog's name, mother's maiden
name, photographs of my family, my footprint, my fingerprints etc. to
be able to submit this information. I'm not in the mood to cooperate in
that way with someone who is responsible for dealing with his faults.
However, the public deserves to know :)

(from command line type:)

ping -r 9 216.32.74.55

**********************************/

Your traffic cannot be sent this way to anyone.

The thing you should really be worried about (check your router with
Nmap) is the existence of wide open TFTP, WWW and telnet remote
administration access points.

root>show broadcast
Directed_Broadcast Forwarding is currently enabled

root>show syslog
SYSLOG Configuration
Currently Enabled
Currently sends syslog information to yy.yy.yy.yy
Currently uses port xxxxx

root>show telnet
TELNET Configuration
Currently Enabled
Currently accepts connections only from yy.yy.yy.yy
Currently uses port xxxxx
Timeout is set to 3600

root>show web
WEB Configuration
Is not enabled
Currently accepts connections only from yy.yy.yy.yy
Currently uses port xxxxx

root>show tftp
TFTP Configuration
Is not enabled
Currently accepts connections only from yy.yy.yy.yy
Currently uses port 69

You can also use the "debug" command (undocumented for the 677), but
only in privileged mode; it allows you to look more closely at what is
going on.

<example from my CCO>

08/08/2000 02:50:19"734, 82 bytes from yy.yy.yy.yy
<03>000:15:23:15 TCP        Alarm      MTU value returned by get_ip_mtu was zero

</example from my CCO>

Hope this helps.
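
Added example, not part of the original post: a small Python check that reads a captured CBOS session like the "show" output quoted above and reports directed broadcast forwarding and enabled remote administration services. The function name audit and the rule that a missing "only from" line means no source restriction are assumptions made for this illustration.

```python
import re

# Constructed sample: part of the CBOS "show" output quoted in the post,
# with the post's own yy.yy.yy.yy / xxxxx placeholders left in place.
SAMPLE = """\
root>show broadcast
Directed_Broadcast Forwarding is currently enabled

root>show telnet
TELNET Configuration
Currently Enabled
Currently accepts connections only from yy.yy.yy.yy
Currently uses port xxxxx
Timeout is set to 3600

root>show tftp
TFTP Configuration
Is not enabled
Currently accepts connections only from yy.yy.yy.yy
Currently uses port 69
"""

MGMT = {"telnet", "web", "tftp"}  # remote administration services named in the post

def audit(transcript):
    """Return a sorted list of (section, finding) for a captured CBOS session."""
    findings = []
    # A prompt line of the form "<prompt>show <name>" starts a new section.
    parts = re.split(r"^\S*>show[ \t]+(\S+)[ \t]*$", transcript, flags=re.M)
    for name, body in zip(parts[1::2], parts[2::2]):
        name, text = name.lower(), body.lower()
        if name == "broadcast" and "forwarding is currently enabled" in text:
            findings.append((name, "directed broadcast forwarding enabled"))
        if name in MGMT and "currently enabled" in text:
            # Assumption: no "only from" line means no source restriction.
            if "accepts connections only from" in text:
                findings.append((name, "enabled, restricted to one source"))
            else:
                findings.append((name, "enabled with no source restriction"))
    return sorted(findings)

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"{section}: {finding}")
```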

