nanog mailing list archives
Re: Possible Sudden Uptick in ASA DOS?
From: Jared Mauch <jared () puck Nether net>
Date: Fri, 10 Jul 2015 08:17:01 -0400
On Fri, Jul 10, 2015 at 12:05:50PM +1000, Mark Andrews wrote:
> In message <011d01d0bab1$e7890a00$b69b1e00$@gmail.com>, "Chuck Church" writes:
>> -----Original Message-----
>> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Jared Mauch
>> Sent: Thursday, July 09, 2015 9:08 AM
>> To: Colin Johnston
>> Cc: nanog () nanog org
>> Subject: Re: Possible Sudden Uptick in ASA DOS?
>>
>>> My guess is a researcher.
>>
>> I wouldn't classify someone sending known malicious traffic towards someone else's network device attempting to crash it as a 'researcher'. Criminal is a better term.
>>
>> Chuck
>
> At what point does a well formed but bug triggering packet go from "malicious" to "expected"?
Don't know. Let's say it was something else. I've seen well formatted things that crash BIND. When posting to bind-users list it caused people to wonder why I didn't contact the security team first.

The ASA is mostly a black box, it could be any number of things from a kernel bug to IPSEC, SSH, etc. that trigger the issue.

I would say malformed packets are common. I saw traffic coming from a specific employee home link ending up corrupted when reaching our SIP server. The result was it would crash as the malformed SIP was improperly parsed. The root cause? The wireless link connecting the employee to a local water tower was taking errors and the UDP checksums still matched with the corruption.

http://downloads.asterisk.org/pub/security/AST-2011-009.html

Either way see above where I said it's a guess, I have no direct personal knowledge. I'm guessing someone running a honeypot or darknet would have packets from the researcher types.

- Jared

--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
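
The corruption case in the message above (a payload damaged in transit whose UDP checksum still matched), as an added example that is not part of the original post: the 16-bit one's-complement sum used by UDP cannot see reordered words or paired bit flips that cancel, so the parser has to reject bad input itself. The SIP payload is constructed, the function names are hypothetical, and the UDP pseudo-header is left out of the sum.

```python
import struct

SIP_METHODS = {b"INVITE", b"ACK", b"BYE", b"CANCEL", b"OPTIONS", b"REGISTER"}

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange the 16-bit words at word indexes i and j."""
    buf = bytearray(data)
    buf[2*i:2*i+2], buf[2*j:2*j+2] = data[2*j:2*j+2], data[2*i:2*i+2]
    return bytes(buf)

def flip_bit(data: bytes, word: int, bit: int) -> bytes:
    """Flip one bit (0 = least significant) of the given 16-bit word."""
    buf = bytearray(data)
    value = int.from_bytes(buf[2*word:2*word+2], "big") ^ (1 << bit)
    buf[2*word:2*word+2] = value.to_bytes(2, "big")
    return bytes(buf)

def request_line_ok(payload: bytes) -> bool:
    """Strict request-line check: the layer that must catch what the checksum misses."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[0] in SIP_METHODS and parts[2] == b"SIP/2.0"

# Constructed sample payload, not captured traffic.
ORIGINAL = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP host.example.com\r\n\r\n")
REORDERED = swap_words(ORIGINAL, 0, 1)             # "IN" <-> "VI": the sum is commutative
PAIRED = flip_bit(flip_bit(ORIGINAL, 0, 0), 1, 0)  # +1 in word 0, -1 in word 1: cancels
SINGLE = flip_bit(ORIGINAL, 0, 0)                  # lone bit error: the checksum changes

if __name__ == "__main__":
    for name, pkt in [("original", ORIGINAL), ("reordered", REORDERED),
                      ("paired flips", PAIRED), ("single flip", SINGLE)]:
        print(f"{name:13} cksum=0x{internet_checksum(pkt):04x} "
              f"parse_ok={request_line_ok(pkt)} start={pkt[:6]!r}")
```
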