Re: Possible Sudden Uptick in ASA DOS?

[Christoph Blecker <cblecker () gmail com>]

The bug that this crash impacts is in ASA was introduced in 9.1(4.3)
and fixed in 9.1(5.1) and later. Are you inside the affected version
range? If not, it's not the bug being discussed here. If so, you may
wish to upgrade.

Cheers,
Christoph

On 10 July 2015 at 12:56, Eddie Tardist <edtardist () gmail com> wrote:
> On Fri, Jul 10, 2015 at 3:31 PM, Paul Hoogsteder <mailings () meanie nl> wrote:
>
> > On 09-07-15 23:51, Nick Hilliard wrote:
> >
> > > On 09/07/2015 22:35, Ricky Beam wrote:
> > >
> > > > "Free" if you have a support contract.
> > > No, free-as-in-beer.
> > >
> > > You register a guest CCO account, email tac () cisco com, provide the device
> > > serial number (or output of "show hardware") and the bugid + Cisco PSIRT
> > > URL reference. Cisco TAC will then provide you with a download link with
> > > fixed software, at no cost to you.  It's not a pain in the ass - it works
> > > fine.
> > >
> > > Nick
> > >
> > >
> > >  And while that's the general procedure for almost all Cisco products,
> > there is even an faster way for the ASA:
> >
> > - register a CCO account
> > - in ASDM choose Tools > Check for ASA/ASDM Updates
> > - follow the onscreen instructions
> >
> > Paul.
>
>
> Hello Gentlemen,
>
> I had a crashing ASA 5585-S40 yesterday and it is still crashing today. Box
> is up to date, I have similar setups on LAX and on east coast and I only
> see the problem on west coast on circuits connected to Level3 traffic. I
> have a couple tickets still open with Cisco staff. They have added some
> dataplane protection which minimized the instability, but I dont know if
> it's a coincidence or effective, since it's not that often but 5585-S40
> boxes are still crashing.
>
> If anyone got any update on what's going on please share. I have replaced
> one critical box with a Juniper one but I can't do it for all my sites
> promptly so.
>
> So far what I found is that it's related to protocol 132 (sctp?). I have
> tried to filter 132 but no success. I can't just filter source address
> since it's legit, and proto 132 filtered traffic stills reaching the box up
> the point it leads to the problem (if in fact it's sctp related).
>
> It looks like I'm back to 90's since it seems like a single packet attack.
> I can't see volumetric deviations, I can't see unusual patterns, proto 132
> starts showing up and nothing goes wrong, suddenly I get the crash, no
> matter if it's been a couple minutes with some proto 132 traffic or if the
> traffic just started this second... the only "coincidence" is proto 132
> popping up without any further specific pattern.
>
> Weird and keeps happening.