[181994] in North American Network Operators' Group


Re: Possible Sudden Uptick in ASA DOS?

daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Jul 9 09:16:40 2015

X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <E5A94C42-D41B-4DA2-B644-A1A7B4CA59A3@gt86car.org.uk>
Date: Thu, 9 Jul 2015 09:08:19 -0400
To: Colin Johnston <colinj@gt86car.org.uk>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

My guess is a researcher.

We saw the same issue in the past with a Cisco microcode bug and people doing ping record route. When it went across a LC with a very specific set of software it would crash.

If you crashed just upgrade your code, don't hide behind blocking an IP as people now know what to send/do. It won't be long.

Jared Mauch

> On Jul 9, 2015, at 7:44 AM, Colin Johnston <colinj@gt86car.org.uk> wrote:
>
> Hi Jared,
> thanks for update
>
> do you know provider/source ip of the source of the attack?
>
> Colin
>
>> On 9 Jul 2015, at 12:27, Jared Mauch <jared@puck.nether.net> wrote:
>>
>> Really just people not patching their software after warnings more than six months ago:
>>
>> July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue.
>>
>> Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
>>
>> Jared Mauch
>>
>>> On Jul 8, 2015, at 1:15 PM, Michel Luczak <frnog@shrd.fr> wrote:
>>>
>>>> On 08 Jul 2015, at 18:58, Mark Mayfield <Mark.Mayfield@cityofroseville.com> wrote:
>>>>
>>>> Come in this morning to find one failover pair of ASA's had the primary crash and failover, then a couple hours later, the secondary crash and failover, back to the primary.
>>>
>>> Not sure it’s related but I’ve read reports on FRNoG of ASAs crashing as well, seems related to a late leap second related issue.
>>>
>>> Regards, Michel
