nanog mailing list archives

Re: TCP-ACK vulnerability (was RE: SSH on the router)

From: "Stephen J. Wilcox" <steve () telecomplete co uk>
Date: Wed, 9 Jun 2004 21:19:11 +0100 (BST)


On Wed, 9 Jun 2004, Sean Donelan wrote:

On Mon, 7 Jun 2004, McBurnett, Jim wrote:

Aside from that, Use ACL's out the wazoo on the VTY lines and limit access to
that to say 1 SSH enabled router or 1 IPSEC enabled router...


It doesn't really matter if you use SSH, Telnet or HTTP; if you can send
evil packets to the router/switch and it falls over and dies.

http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml

IP Permit Lists will not provide any mitigation against this vulnerability.

The race is on, who will find your switches first?


yes, i often wondered why the permit list allows the session to connect then 
gives you a polite message before disconnecting.

anyway this is only on catos..

Steve

Current thread:

RE: SSH on the router - was( IT security people sleep well) McBurnett, Jim (Jun 07)
- TCP-ACK vulnerability (was RE: SSH on the router) Sean Donelan (Jun 09)
  - Re: TCP-ACK vulnerability (was RE: SSH on the router) Stephen J. Wilcox (Jun 09)
    - Re: UDP-TCP-ACK-SYN Attacks Pete (Jun 09)
  - Re: TCP-ACK vulnerability (was RE: SSH on the router) Christopher L. Morrow (Jun 09)
  - Re: TCP-ACK vulnerability (was RE: SSH on the router) Alexei Roudnev (Jun 09)
    - Re: TCP-ACK vulnerability (was RE: SSH on the router) Sean Donelan (Jun 10)
    - Re: TCP-ACK vulnerability (was RE: SSH on the router) Stephen J. Wilcox (Jun 10)
    - Re: TCP-ACK vulnerability (was RE: SSH on the router) James (Jun 10)
    - Re: TCP-ACK vulnerability (was RE: SSH on the router) Alexei Roudnev (Jun 10)
    - Re: TCP-ACK vulnerability (was RE: SSH on the router) Stephen J. Wilcox (Jun 11)
    - Re: TCP-ACK vulnerability (was RE: SSH on the router) Christopher L. Morrow (Jun 10)
    - Message not available
    - Re: TCP-ACK vulnerability (was RE: SSH on the router) Christopher L. Morrow (Jun 10)