Bugtraq mailing list archives

Re: Cisco 675 Denial of Service Attack


From: CDI <cdi () THEWEBMASTERS NET>
Date: Fri, 1 Dec 2000 14:37:34 -0800

On Fri, 1 Dec 2000, Shane Youhouse wrote:

[snips]
> Did you ask CDI to help?

> Did he refuse?

Yes they did and no I didn't respectively. When they were unable to
replicate the problem I sent them the step-by-step used to configure the
675 for PPP. I even told them that if they wanted to set up a 675 and
provide me with the IP I'd be happy to crash it for them.

> CDI should have gone public with this about 10 1/2 months ago.

I'll swallow that and say you're absolutely correct, but...

> Yes, more script kiddies would have known about it, but I also would
> have been complaining to the ISPs who were forcing the Cisco product on
> us to either get a new product, or would have gone with a different ISP
> / Router.

I have on more than one occasion pounced all over slow-to-respond vendors
and Yes, I definitely sat on this far too long. Guilty as charged. Mea
Culpa.

In this case however, there was substantive dialog with Cisco and each
time over the months that I came close to disclosure, Cisco PSIRT would
let me know that they were still working hard on a fix. With the number of
vulnerable 67xs out there I felt that the uninformed and sometimes
uninformable masses using 67xs were better protected by non-disclosure.
As you noted, the DoS was in the wild, but you still couldn't search for
it on Packetstorm or SecurityFocus and hence, flying under the radar of
most script kiddies.

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse:
Failure to adjust for daylight savings time.

