Security Basics mailing list archives

RE: Cisco Workaround


From: "Byrne Ghavalas" <security () nscs uk com>
Date: Thu, 24 Jul 2003 07:58:54 +0100

Hi,

This has been discussed on various lists.  The input queue can be
filled by sending 76 packets of any one of the protocols (53, 55, 77,
103). The packets do not need to be a combination of the protocols
(although combining them so that 76 packets are sent would also work),
nor do they need any special data payload.  The only other requirement
is that the TTL is 0 or 1 when the packet reaches the appropriate
interface.

The exception to the above rule is protocol 103 (PIM) - if it is
enabled on the router, the packets will be cleared from the input
queue and a DoS condition will not be created.

To test for the problem, a simple tool like Hping or Packit will do
the job - it is not necessary to use any of the publicly available
exploits. Using the appropriate command line options these tools can
easily create packets of these protocol types and the TTL can be
defined.

I hope this helps.

Kind regards

Byrne G

-----Original Message-----
From: DOUGLAS GULLETT [mailto:dougg03 () comcast net] 
Sent: Wednesday, July 23, 2003 8:16 PM
To: Alvaro Gordon-Escobar
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: Re: Cisco Workaround


I don't think you have to put all the access-list in.  I believe that
the hack requires a certain combination of packets to the four ports,
so leaving one or two of them open should still prevent the



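As an added example, not part of this thread, here is a small Python checker that applies the trigger conditions Byrne lists (one of the four IP protocols, TTL 0 or 1 on arrival, PIM excepted when it is enabled) to packet records and reports router addresses that have accumulated enough held packets to fill an input queue. The record layout, the protocol names and all addresses are assumed or constructed for the sample.

```python
"""Spot traffic matching the IOS input-queue fill condition discussed above.

Constructed example: packet records as (src, dst, proto, ttl) tuples, the
kind of fields a flow export or capture summary would supply (assumed here).
"""
from collections import Counter

# IP protocol numbers named in the post (these are protocols, not TCP/UDP ports).
AFFECTED_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}
QUEUE_DEPTH = 76   # packets that exhaust an interface's input queue, per the post

def is_trigger(proto, ttl, pim_enabled=False):
    """True if a single packet would be held in the input queue.

    Rule from the post: one of the four protocols, TTL 0 or 1 when it reaches
    the interface.  Exception: PIM (103) is drained when PIM is enabled.
    """
    if proto not in AFFECTED_PROTOCOLS:
        return False
    if ttl > 1:
        return False
    if proto == 103 and pim_enabled:
        return False
    return True

def count_held_packets(records, pim_enabled=False):
    """Return {dst: number of queue-holding packets} over the records."""
    held = Counter()
    for _src, dst, proto, ttl in records:
        if is_trigger(proto, ttl, pim_enabled):
            held[dst] += 1
    return dict(held)

def destinations_at_risk(records, pim_enabled=False, threshold=QUEUE_DEPTH):
    """Destinations that have received enough held packets to fill the queue."""
    counts = count_held_packets(records, pim_enabled)
    return sorted(dst for dst, n in counts.items() if n >= threshold)

# Constructed sample: 76 protocol-55 packets with TTL 1 to one router address,
# plus traffic the rule must ignore (high TTL, unaffected protocol) and PIM
# packets that count only when PIM is not enabled on the router.
SAMPLE = [("10.0.0.9", "192.0.2.1", 55, 1)] * 76
SAMPLE += [("10.0.0.9", "192.0.2.2", 55, 64)] * 100   # TTL too high: never held
SAMPLE += [("10.0.0.9", "192.0.2.3", 6, 1)] * 100     # TCP: not an affected protocol
SAMPLE += [("10.0.0.9", "192.0.2.4", 103, 1)] * 76    # PIM: held only if PIM is off

if __name__ == "__main__":
    print(destinations_at_risk(SAMPLE, pim_enabled=True))   # ['192.0.2.1']
    print(destinations_at_risk(SAMPLE, pim_enabled=False))  # ['192.0.2.1', '192.0.2.4']
```

Feeding real flow records through `destinations_at_risk` shows which router addresses are approaching the 76-packet condition and whether the PIM exception applies to them.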