[59722] in North American Network Operators' Group


RE: Working vulnerability? (Cisco exploit)

daemon@ATHENA.MIT.EDU (Ben Buxton)
Fri Jul 18 10:15:43 2003

Date: Fri, 18 Jul 2003 16:15:18 +0200
From: "Ben Buxton" <B.Buxton@Planettechnologies.nl>
To: <jlewis@lewis.org>
Cc: "Ken Yeo" <kenyeo@on-linecorp.com>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu



Yep, it's all a bit weird, I guess people are not too knowledgeable about
it. For starters the original exploit won't work very well out of the box
for most script kiddies (random source addresses -> killed by
anti-spoofing), and a single packet to a vulnerable box isn't enough
(need to fill the queue slots).

More of an annoyance really - most of the outages as a result are going
to be from people upgrading boxes, not victims of attack.

BB

> -----Original Message-----
> From: jlewis@lewis.org [mailto:jlewis@lewis.org]
>
> On Fri, 18 Jul 2003, Ben Buxton wrote:
>
> > It's released and it works - I have verified it in a lab here.
>
> And others are trying it in the field now.  I set up the recommended
> transit ACLs yesterday.  Starting at 9:25am EDT this morning, those ACLs
> started getting hits.  What doesn't make sense to me is that, according to
> the advisory, the packets have to be destined for the router to crash it
> (not just passed through it), but people are attacking seemingly random
> IPs, including ones in a new ARIN block that have not yet been
> assigned/used for anything.  What do they think they're attacking?
>
> ----------------------------------------------------------------------
>  Jon Lewis *jlewis@lewis.org*|  I route
>  System Administrator        |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
