Bugtraq mailing list archives
Widespread Router Access Port DoS
From: hdmoore () USA NET (HD Moore)
Date: Thu, 4 Feb 1999 11:05:31 -0600
+--------[ Router Access Port DoS The tcp access / configuration ports on most routers can be disabled remotely. These sit on port numbers like 23,2001,4001,6001, and 9001. The attack simply consists of shoving a few thousand bytes of any character down the connection, a couple times may be needed for some routers, with the length of time of the DoS related to the amount of bytes you send down the initial connection. Some Cisco's would have to be reset manually to fix this, others will recover by themselves given a few minutes, hours, or days. ComOS seems to be in the manual-reset category, as I haven't found one yet that recovers from a 1 minute attack onto thier access ports. Normal operation continues, only in a few freak cases did the router drop the entire network / reset connections as a result. The impact of this is that an administrator would need physical access to reconfigure a router after an attack like this. This is merely annoying for those who have a rack in the closet, and a huge pain in the ass for those 'remote' admins who may or may not be able to have someone reset them for them. The fix would be to set your ACL's to deny access to the configuration ports from outside your network. Specific information on affected IOS versions, code revisions, etc are not known at this time. If you would like to do some testing of your own and share the results I will write up a summary in a week or so. The exploit is just pathetic, and may need 3-6 runs of varying lengths to any substantial damage. Shorter attacks result in shorter downtimes for those ports, longer attacks do everything from locking the port out until it is reset to crashing the router itself. The one line bash$ exploit is: perl -e'print 0xFF x 10000' | telnet router.example.org 2001 . After disconnecting try to connect to that port again, it should say connection refused. While some routers will recover within 30 seconds to 5 minutes, older models tend to take days to ??? to fix themsleves. -HD
Current thread:
- Unsecured server in applets under Netscape Giao Nguyen (Feb 02)
- Re: Unsecured server in applets under Netscape BVE (Feb 02)
- Re: Unsecured server in applets under Netscape Giao Nguyen (Feb 03)
- Re: Unsecured server in applets under Netscape Tramale K. Turner (Feb 03)
- Re: Unsecured server in applets under Netscape Alex Muntada (Feb 05)
- Re: Unsecured server in applets under Netscape Giao Nguyen (Feb 03)
- Net::RawIP 0.05 has been released Sergey V. Kolychev (Feb 03)
- Buffer overflow and OS/390 Do-Geun Jo (Feb 04)
- Re: Unsecured server in applets under Netscape Tor Houghton (Feb 04)
- Microsoft Access 97 Stores Database Password as Plaintext Donald Moore (Feb 04)
- Widespread Router Access Port DoS HD Moore (Feb 04)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Ernie Souhrada (Feb 04)
- NOBO denial of service Andrew J. Gavin (Feb 04)
- Re: NOBO denial of service Flavio Veloso (Feb 09)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Ricardo Peres (Feb 04)
- <Possible follow-ups>
- Re: Unsecured server in applets under Netscape Philip Stoev (Feb 03)
- Re: Unsecured server in applets under Netscape BVE (Feb 02)