[181997] in North American Network Operators' Group
Re: Possible Sudden Uptick in ASA DOS?
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Jul 9 10:13:23 2015
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <639EAECF-BAA3-495F-B8DF-A979940BBDF0@gt86car.org.uk>
Date: Thu, 9 Jul 2015 10:11:56 -0400
To: Colin Johnston <colinj@gt86car.org.uk>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I'm sure they did. It could also have been any number of other things. I'm just guessing. It could have been someone trying to scan their enterprise too and went a bit rogue.
Not everyone reads NANOG, believe it or not :)
Either way, if you haven't upgraded for a 9-month-old security advisory, shame on you. I don't care what your change management process looks like, it's bordering on network malpractice IMHO.
- Jared
> On Jul 9, 2015, at 10:09 AM, Colin Johnston <colinj@gt86car.org.uk> wrote:
>
> You would think a researcher would stop once he realised the effect being caused?
>
> Colin
>
>> On 9 Jul 2015, at 14:08, Jared Mauch <jared@puck.nether.net> wrote:
>>
>> My guess is a researcher.
>>
>> We saw the same issue in the past with a Cisco microcode bug and people doing ping record route. When it went across a LC with a very specific set of software it would crash.
>>
>> If you crashed just upgrade your code, don't hide behind blocking an IP as people now know what to send/do. It won't be long.
>>
>> Jared Mauch
>>
>>> On Jul 9, 2015, at 7:44 AM, Colin Johnston <colinj@gt86car.org.uk> wrote:
>>>
>>> Hi Jared,
>>> thanks for the update
>>>
>>> do you know the provider/source IP of the source of the attack?
>>>
>>> Colin
>>>
>>>> On 9 Jul 2015, at 12:27, Jared Mauch <jared@puck.nether.net> wrote:
>>>>
>>>> Really just people not patching their software after warnings more than six months ago:
>>>>
>>>> July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue.
>>>>
>>>> Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
>>>>
>>>> Jared Mauch
>>>>
>>>>> On Jul 8, 2015, at 1:15 PM, Michel Luczak <frnog@shrd.fr> wrote:
>>>>>
>>>>>> On 08 Jul 2015, at 18:58, Mark Mayfield <Mark.Mayfield@cityofroseville.com> wrote:
>>>>>>
>>>>>> Came in this morning to find one failover pair of ASAs had the primary crash and failover, then a couple of hours later, the secondary crash and failover, back to the primary.
>>>>>
>>>>> Not sure it's related, but I've read reports on FRNoG of ASAs crashing as well; seems related to a late leap second related issue.
>>>>>
>>>>> Regards, Michel