[181996] in North American Network Operators' Group


Re: Possible Sudden Uptick in ASA DOS?

daemon@ATHENA.MIT.EDU (Colin Johnston)
Thu Jul 9 10:09:41 2015

X-Original-To: nanog@nanog.org
From: Colin Johnston <colinj@gt86car.org.uk>
In-Reply-To: <965698F8-6A2C-4246-91EA-F2425A1748D4@puck.nether.net>
Date: Thu, 9 Jul 2015 15:09:35 +0100
To: Jared Mauch <jared@puck.nether.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

you would think a researcher would stop once he realised effect being caused ?

Colin

> On 9 Jul 2015, at 14:08, Jared Mauch <jared@puck.nether.net> wrote:
>
> My guess is a researcher.
>
> We saw the same issue in the past with a Cisco microcode bug and people doing ping record route. When it went across a LC with a very specific set of software it would crash.
>
> If you crashed just upgrade your code, don't hide behind blocking an IP as people now know what to send/do. It won't be long.
>
> Jared Mauch
>
>> On Jul 9, 2015, at 7:44 AM, Colin Johnston <colinj@gt86car.org.uk> wrote:
>>
>> Hi Jared,
>> thanks for update
>>
>> do you know provider/source ip of the source of the attack ?
>>
>> Colin
>>
>>> On 9 Jul 2015, at 12:27, Jared Mauch <jared@puck.nether.net> wrote:
>>>
>>> Really just people not patching their software after warnings more than six months ago:
>>>
>>> July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue.
>>>
>>> Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
>>>
>>> Jared Mauch
>>>
>>>> On Jul 8, 2015, at 1:15 PM, Michel Luczak <frnog@shrd.fr> wrote:
>>>>
>>>>> On 08 Jul 2015, at 18:58, Mark Mayfield <Mark.Mayfield@cityofroseville.com> wrote:
>>>>>
>>>>> Come in this morning to find one failover pair of ASA's had the primary crash and failover, then a couple hours later, the secondary crash and failover, back to the primary.
>>>>
>>>> Not sure it’s related but I’ve read reports on FRNoG of ASAs crashing as well, seems related to a late leap second related issue.
>>>>
>>>> Regards, Michel

