[59731] in North American Network Operators' Group
RE: Working vulnerability? (Cisco exploit)
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Fri Jul 18 12:17:34 2003
Date: Fri, 18 Jul 2003 16:15:52 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: jlewis@lewis.org
Cc: Ben Buxton <B.Buxton@Planettechnologies.nl>,
Ken Yeo <kenyeo@on-linecorp.com>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0307180951290.1633-100000@redhat1.mmaero.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 18 Jul 2003 jlewis@lewis.org wrote:
>
> On Fri, 18 Jul 2003, Ben Buxton wrote:
>
> > It's released and it works - I have verified it in a lab here.
>
> And others are trying it in the field now. I setup the recommended
> transit ACLs yesterday. Starting at 9:25am EDT this morning, those ACLs
> started getting hits. What doesn't make sense to me is according to the
> advisory, the packets have to be destined for the router to crash it (not
> just passed through it), but people are attacking seemingly random IPs,
> including ones in a new ARIN block that have not yet been assigned/used
> for anything. What do they think they're attacking?
>
Is there wide spread use of the protocol 55? (IP Mobility) There seems to
be alot of that around, more than I'd have expected :)
