nanog mailing list archives

Re: Possible Sudden Uptick in ASA DOS?


From: Jared Mauch <jared () puck Nether net>
Date: Fri, 10 Jul 2015 08:17:01 -0400

On Fri, Jul 10, 2015 at 12:05:50PM +1000, Mark Andrews wrote:

In message <011d01d0bab1$e7890a00$b69b1e00$@gmail.com>, "Chuck Church" writes:
-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Jared Mauch
Sent: Thursday, July 09, 2015 9:08 AM
To: Colin Johnston
Cc: nanog () nanog org
Subject: Re: Possible Sudden Uptick in ASA DOS?

My guess is a researcher.


I wouldn't classify someone sending known malicious traffic towards
someone else's network device attempting to crash it as a 'researcher'.
Criminal is a better term.

Chuck

At what point does a well formed but bug triggering packet go from
"malicious" to "expected"?

        Don't know.  Let's say it was something else.  I've seen well
formatted things that crash BIND.  When posting to the bind-users
list it caused people to wonder why I didn't contact the security
team first.

        The ASA is mostly a black box, it could be any number of things
from a kernel bug to IPSEC, SSH, etc.. that trigger the issue.

        I would say malformed packets are common.  I saw traffic
coming from a specific employee home link ending up corrupted
when reaching our SIP server.  The result was it would crash as the
malformed SIP was improperly parsed.  The root cause?  The wireless
link connecting the employee to a local water tower was taking errors
and the UDP checksums still matched with the corruption.

http://downloads.asterisk.org/pub/security/AST-2011-009.html

        Either way, see above where I said it's a guess, I have
no direct personal knowledge.  I'm guessing someone running
a honeypot or darknet would have packets from the researcher types.

        - Jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
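Added example (editor's illustration, not part of Jared's message or the NANOG thread): why a corrupted UDP payload can still arrive with a valid UDP checksum, as described in the water-tower anecdote above. The UDP checksum is the RFC 768/RFC 1071 Internet checksum, a 16-bit ones' complement sum, so it is blind to any corruption that leaves the integer sum of the 16-bit words unchanged: two words trading places, or one byte going up by the same amount another byte in the same column goes down. The SIP INVITE, the addresses and the corruption patterns below are constructed for the example; the checksum arithmetic itself is the standard one.

```python
"""UDP checksum (RFC 768 over the RFC 1071 Internet checksum) and two
corruption patterns it cannot detect.  Constructed example data."""
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones' complement of the ones' complement sum of 16-bit words.
    An odd trailing byte is padded with a zero byte, as the RFC requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: bytes, dst_ip: bytes, src_port: int,
                 dst_port: int, payload: bytes) -> int:
    """UDP checksum over IPv4 pseudo-header + UDP header (checksum field 0) + payload."""
    length = 8 + len(payload)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, length)   # zero, proto UDP, UDP length
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = internet_checksum(pseudo + header + payload)
    return csum or 0xFFFF                   # RFC 768: a computed zero is sent as all ones


def swap_words(payload: bytes, i: int, j: int) -> bytes:
    """Corruption pattern 1: 16-bit words i and j change places.
    The sum of words is commutative, so the checksum cannot see this."""
    b = bytearray(payload)
    b[2 * i:2 * i + 2], b[2 * j:2 * j + 2] = payload[2 * j:2 * j + 2], payload[2 * i:2 * i + 2]
    return bytes(b)


def compensating_corruption(payload: bytes, k: int) -> bytes:
    """Corruption pattern 2: byte k goes up by one, byte k+2 (same column of
    the next word) goes down by one.  The integer sum is unchanged."""
    b = bytearray(payload)
    assert b[k] < 0xFF and b[k + 2] > 0, "pick bytes that will not wrap"
    b[k] += 1
    b[k + 2] -= 1
    return bytes(b)


def flip_bit(payload: bytes, byte_index: int, bit: int) -> bytes:
    """A single-bit flip, for contrast: the checksum always catches this."""
    b = bytearray(payload)
    b[byte_index] ^= 1 << bit
    return bytes(b)


# Constructed sample: TEST-NET-1 addresses and a minimal SIP INVITE.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 20])
SIP_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
              b"Content-Length: 0\r\n\r\n")


def demo() -> dict:
    """Checksum the clean INVITE and three corrupted copies; report which
    corruptions the UDP checksum would pass through to the SIP parser."""
    def csum(p: bytes) -> int:
        return udp_checksum(SRC_IP, DST_IP, 5060, 5060, p)

    clean = csum(SIP_INVITE)
    swapped = swap_words(SIP_INVITE, 0, 1)          # "INVITE" -> "VIINTE"
    compensated = compensating_corruption(SIP_INVITE, 0)  # "INVITE" -> "JNUITE"
    flipped = flip_bit(SIP_INVITE, 0, 0)            # "INVITE" -> "HNVITE"
    return {
        "clean": clean,
        "swap_undetected": csum(swapped) == clean and swapped != SIP_INVITE,
        "compensating_undetected": csum(compensated) == clean and compensated != SIP_INVITE,
        "bitflip_detected": csum(flipped) != clean,
        "swapped_start": swapped[:6],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two undetected cases are exactly the shape of damage a flaky radio link with its own framing can produce once a whole 16-bit unit is misplaced or two bytes drift in opposite directions; a single-bit error, the case the checksum was designed for, is always caught. The lesson for the receiving side is the one in the message above: a valid transport checksum is not evidence that the payload is well formed, so the application parser has to survive garbage on its own.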

