Security Basics mailing list archives
RE: Cisco Workaround
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 24 Jul 2003 10:33:53 -0700
As you point out, #3 (suggested as a workaround in some early versions of the advisory) is inadequate. #1 is preferred, and I'm working on it. In the meantime, I've implemented an alternate version of #2 at our borders. Instead of blocking these four classes, I've permitted only the ones we legitimately use: ICMP, UDP, TCP, and for our VPN users, 50 and 51 (ESP and AH, although I can never remember for sure which is which). (Some VPN technologies use 47 (GRE), but so far I don't know of anyone using that on our network.) So far, nobody has stepped forward with a need for any additional protocols to cross our borders. David Gillett
-----Original Message----- From: Kurt Seifried [mailto:bt () seifried org] Sent: July 23, 2003 22:11 To: DOUGLAS GULLETT; Alvaro Gordon-Escobar Cc: firewalls () securityfocus com; security-basics () securityfocus com Subject: Re: Cisco Workaround No. The attack requires N+1 attack packets. N=size of queue, which by default is 75. The packets can be any of the four protocols (i.e. all of one type, half of one, half of another, etc.). It has also been reported that some other protocols work for this attack, but this has not been confirmed. Read the Cisco advisory, it's quite clear on this. You can either: 1) upgrade your software 2) firewall these four classes of packets 3) firewall access to the IP's bound to the interfaces (*) * it has also been reported that packets that timeout, i.e. TTL = 0 in the queue can be used to execute the attack. 1 is of course the optimal solution as it _fixes_ the problem. Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ -------------------------------------------------------------- ------------- -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: Cisco Workaround (comment on actually using those protocols), (continued)
- RE: Cisco Workaround (comment on actually using those protocols) jamesworld (Jul 28)
- RE: Cisco Workaround David Gillett (Jul 28)
- RE: Cisco Workaround Naman Latif (Jul 23)
- RE: Cisco Workaround Todd Mitchell - lists (Jul 23)
- RE: Cisco Workaround Charlie Winckless (Jul 23)
- Re: Cisco Workaround DOUGLAS GULLETT (Jul 23)
- RE: Cisco Workaround Terry Baranski (Jul 24)
- Re: Cisco Workaround Paul Kincaid (Jul 24)
- RE: Cisco Workaround Dave Gilmore (Intrusense) (Jul 24)
- Re: Cisco Workaround Kurt Seifried (Jul 24)
- RE: Cisco Workaround David Gillett (Jul 24)
- RE: Cisco Workaround Wolfpaw - Dale Corse (Jul 24)
- RE: Cisco Workaround Byrne Ghavalas (Jul 24)
- Re: Cisco Workaround john (Jul 24)
- Re: Cisco Workaround joshua sahala (Jul 24)
- Re: Cisco Workaround Jac (Jul 24)
- Re: Cisco Workaround Luis Enrique Londono (Jul 23)
- Re: Cisco Workaround bryan_khoo (Jul 24)
- RE: Cisco Workaround dave kleiman (Jul 24)
- Re: Cisco Workaround igenge2 (Jul 24)
- Re: Cisco Workaround Stephane Nasdrovisky (Jul 24)
(Thread continues...)