Re: Possible Sudden Uptick in ASA DOS?

[Jared Mauch <jared () puck nether net>]

I’m sure they did.  It could also have been any number of other things.  I’m just guessing.  It could have been someone 
trying to scan their enterprise too and went a bit rogue.

Not everyone reads NANOG believe it or not :)

Either way, if you haven’t upgraded for a 9 month old security advisory, shame on you.  I don’t care what your change 
management process looks like, it’s bordering on network malpractice IMHO.

- Jared

> On Jul 9, 2015, at 10:09 AM, Colin Johnston <colinj () gt86car org uk> wrote:
>
> you would think a researcher would stop once he realised effect being caused ?
>
> Colin
>
> > On 9 Jul 2015, at 14:08, Jared Mauch <jared () puck nether net> wrote:
> >
> > My guess is a researcher. 
> >
> > We saw the same issue in the past with a Cisco microcode bug and people doing ping record route. When it went across 
> > a LC with a very specific set of software it would crash. 
> >
> > If you crashed just upgrade your code, don't hide behind blocking an IP as people now know what to send/do. It won't 
> > be long. 
> >
> > Jared Mauch
> >
> > > On Jul 9, 2015, at 7:44 AM, Colin Johnston <colinj () gt86car org uk> wrote:
> > >
> > > Hi Jared,
> > > thanks for update
> > >
> > > do you know provider/source ip of the source of the attack ?
> > >
> > > Colin
> > >
> > > > On 9 Jul 2015, at 12:27, Jared Mauch <jared () puck nether net> wrote:
> > > >
> > > > Really just people not patching their software after warnings more than six months ago:
> > > >
> > > > July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by 
> > > > CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. 
> > > > Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and 
> > > > owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends 
> > > > that customers upgrade to a fixed Cisco ASA software release to remediate this issue. 
> > > >
> > > > Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of 
> > > > these vulnerabilities are available.
> > > >
> > > > Jared Mauch
> > > >
> > > > > On Jul 8, 2015, at 1:15 PM, Michel Luczak <frnog () shrd fr> wrote:
> > > > >
> > > > >
> > > > > > On 08 Jul 2015, at 18:58, Mark Mayfield <Mark.Mayfield () cityofroseville com> wrote:
> > > > > >
> > > > > > Come in this morning to find one failover pair of ASA's had the primary crash and failover, then a couple hours 
> > > > > > later, the secondary crash and failover, back to the primary.
> > > > >
> > > > > Not sure it’s related but I’ve read reports on FRNoG of ASAs crashing as well, seems related to a late leap 
> > > > > second related issue.
> > > > >
> > > > > Regards, Michel