RE: Working vulnerability? (Cisco exploit)

["Ben Buxton" <B.Buxton () Planettechnologies nl>]

Yep its all a bit weird, I guess people are not too knowledgeable about
it. For starters the original explit wont work very well out of the box
for most script kiddies (random source addresses -> killed by
anti-spoofing),
and a single packet to a vulnerable box isnt enough (need to fill the
queue slots).

More of an annoyance really - most of the outages as a result are going
to
be from people upgrading boxes, not victims of attack.

BB

> -----Original Message-----
> From: jlewis () lewis org [mailto:jlewis () lewis org] 
>
> On Fri, 18 Jul 2003, Ben Buxton wrote:
>
> > It's released and it works - I have verified it in a lab here. 
>
> And others are trying it in the field now.  I setup the recommended
> transit ACLs yesterday.  Starting at 9:25am EDT this morning, 
> those ACLs
> started getting hits.  What doesn't make sense to me is 
> according to the 
> advisory, the packets have to be destined for the router to 
> crash it (not 
> just passed through it), but people are attacking seemingly 
> random IPs, 
> including ones in a new ARIN block that have not yet been 
> assigned/used 
> for anything.  What do they think they're attacking?
>
> ----------------------------------------------------------------------
>  Jon Lewis *jlewis () lewis org*|  I route
>  System Administrator        |  therefore you are
>  Atlantic Net                |  
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________