Security Incidents mailing list archives

RE: SNMP scans, DoS and a VIP crash


From: "Tyrannis Von Nettesheim" <tyrannis () wwc com>
Date: Wed, 26 Dec 2001 11:05:46 -0500


Cisco VIPxx cards run, essentially, their own code, which is bundled inside
of IOS versions. The VIP concept and implementation has been known for years
to be notoriously twitchy, requiring good code scrubs to mate the desired
feature-set to the most stable version of code. This is something you just
may want to do internally and/or with your customers with some Cisco TAC
help. The code recommendations for GD (General Deployment) code are solid,
but often don't deal with particular corner-case hardware or feature-set
issues.

I could foresee circumstances where a stream of walks through the SNMP tree
in a DoS fashion could crash a card, and I've seen products have issues with
the SNMP PDU-packing query style where more modern monitoring systems will
pack a bunch of SNMP queries into a single packet, and some buggy code has
issues unpacking those. This issue was resolved years in the past, but I
still see it crop up at client sites not keeping current with code.

If it's a 7513, you're running a nice fairly beefy processor, and if your
traffic flows are low enough or you have more recent code, have the client
or your router squelch out SNMP on the appropriate interfaces with an ACL or
similar strategy, and log it. You should be afraid of loading the CPU here -
unless you're running the proper code and hardware, ACL traffic is directly
processed by the RSP's CPU. If you have 6500s with later code "above" where
the 7513 is, you'll find a better strategy there in temporarily inserting an
ACL structure since it can be hardware switched on that platform.

Otherwise, get a sniffer out there, find the traffic path, and examine the
SNMP requests, looking particularly for the GET-NEXT stuff, and see if
you've got someone trying to walk the entire SNMP tree on the device, or
someone looking for something particular.

-T

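As an added example (not from this thread, the list, or Cisco), a small Python triage script for the sniffer step described above: it decodes SNMPv1/v2c requests with a minimal BER reader, counts GetNext/GetBulk PDUs per source to spot a tree walk, and records the widest varbind list per source to spot the packed-query style mentioned earlier. The thresholds, the addresses and the sample datagrams are constructed assumptions: one host sends 60 GetNextRequests against the system subtree and a monitoring station packs 10 OIDs into a single GetRequest.

```python
from collections import Counter
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def tlv(tag, body):
    """BER encode one element: short-form length below 128, two-octet long form otherwise."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def build_request(pdu_tag, community, oids):
    """Encode a community-based (v1/v2c) request whose varbinds carry NULL values; used for test input."""
    varbinds = b"".join(tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")) for oid in oids)
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, varbinds)   # request-id, error-status/index
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + tlv(pdu_tag, pdu))

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, contents) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def parse_request(payload):
    """Return (community, pdu_name, varbind_count) for one SNMPv1/v2c datagram."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE, so not an SNMP message")
    (_, _), (_, community), (pdu_tag, pdu) = iter_tlvs(msg)        # version, community, PDU
    fields = list(iter_tlvs(pdu))           # request-id, error-status, error-index, varbind list
    varbind_count = sum(1 for _ in iter_tlvs(fields[3][1]))
    return community.decode("ascii", "replace"), PDU_NAMES.get(pdu_tag, hex(pdu_tag)), varbind_count

def triage(datagrams, walk_threshold=50, pack_threshold=8):
    """datagrams: iterable of (src_ip, udp_payload). Flag sources walking the tree or packing varbinds."""
    getnext, widest = Counter(), Counter()
    for src, payload in datagrams:
        _, pdu, nvb = parse_request(payload)
        getnext[src] += pdu in ("GetNextRequest", "GetBulkRequest")   # a walk is a stream of these
        widest[src] = max(widest[src], nvb)
    return {src: {"getnext": getnext[src], "max_varbinds": widest[src],
                  "tree_walk": getnext[src] >= walk_threshold, "packed": widest[src] >= pack_threshold}
            for src in widest}

SYSTEM_OID = b"\x2b\x06\x01\x02\x01\x01"    # 1.3.6.1.2.1.1 (system), the usual starting point of a walk
# Constructed sample (assumed addresses): 60 GetNexts from one host, one 10-OID GetRequest from the NMS
SAMPLE = [("198.51.100.7", build_request(0xA1, b"public", [SYSTEM_OID])) for _ in range(60)]
SAMPLE.append(("192.0.2.10", build_request(0xA0, b"public", [SYSTEM_OID] * 10)))
```

On real traffic, feed `triage` the UDP payloads to port 161 from a capture; anything that fails `parse_request` is worth a closer look as a malformed packet.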
-----Original Message-----
From: Kneppers [mailto:knepperm () cuug ab ca]
Sent: Monday, December 24, 2001 12:01 PM
To: incidents () securityfocus com
Subject: SNMP scans, DoS and a VIP crash


Hi

I had an incident on the weekend. Detected a lot of SNMP authorization
failures to my router from a customer for about 2 days, terminating in an
inbound DoS attack (SYN-flood) targeting the customer.

I suspect the customer machine is compromised and used for scanning,
maybe running an IRC bot as well, which caused the focused DoS attack.

The bit I'm curious about is that the exact same interface on my router
experienced some VIP crashes (device is a Cisco 7513) during the same
time, and oftentimes very close to the scans. We've had other problems
with VIP crashes on the 7513, but I'm always suspicious when associated
with malicious activity.

Anybody seen similar activity where a scan or DoS takes out a card?
Possibly a scanning tool generating funny packets?

Thanks for any info



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

