nanog mailing list archives
RE: Cisco vulnerability and dangerous filtering techniques
From: "Austad, Jay" <JAustad () temgweb com>
Date: Tue, 22 Jul 2003 10:22:40 -0500
I was thinking about this the other day. The most efficient way to make this work would be to spread using some vulnerability (like the Microsoft DCOM vulnerability released last week), and then at a predetermined time, start DoS'ing routers in the IP space of major providers, and then work your way towards the "edges." You can pretty much safely assume that most of your infected machines are going to basically be on the edges of the internet, so if you start with major providers, you won't kill all of your connectivity. Even more destructive would be p2p built into it, so all of the infected hosts could coordinate before the attack on what networks each one would handle. Someone is likely going to attempt something similar, it's just a matter of time before it happens. Luckily this Cisco problem didn't come out around the same time as the slammer worm.

Jay
-----Original Message-----
From: jgraun () comcast net [mailto:jgraun () comcast net]
Sent: Tuesday, July 22, 2003 9:58 AM
To: Adam Maloney
Cc: nanog () merit edu
Subject: Re: Cisco vulnerability and dangerous filtering techniques

That is a bit paranoid, but it could happen. I have not seen anybody do anything that intelligent in the past couple of years. Not to say that there aren't people out there that couldn't do that, but I think many have thought of using one exploit to expose another; DDoS is the closest I have seen on any of my honeypots. I have learned many things about what most people will try to get into a box from the honeypots, but that is a good point. Filtering or patching should take place on the edge and on the most critical spots on your network.

Good Luck

I had a passing thought over the weekend regarding Thursday's cisco vulnerability and the recent Microsoft holes. The next worm taking advantage of the latest Windows vulnerabilities is more or less inevitable. Someone somewhere has to be writing it. So why not include the cisco exploit in the worm payload? Based on past history, there will be plenty of vulnerable Windows hosts to infect with the worm. I would also guess that there are lots of organizations and end-users that have cisco devices that haven't patched their IOS. Furthermore, I wonder how many people have applied filtering only at their border? But packets from an infected host inside the network wouldn't be stopped by filtering applied only to the external side. Basically, if you're filtering access to your interface IP's rather than upgrading IOS, remember that the internet isn't the only source of danger to your network.

Adam Maloney
Systems Administrator
Sihope Communications