[59805] in North American Network Operators' Group


Re: Cisco vulnerability and dangerous filtering techniques

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jul 22 09:55:40 2003

To: Niels Bakker <niels=nanog@bakker.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Tue, 22 Jul 2003 15:40:02 +0200."
             <20030722134002.GE44841@snowcrash.tpb.net> 
From: Valdis.Kletnieks@vt.edu
Date: Tue, 22 Jul 2003 09:54:50 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 22 Jul 2003 15:40:02 +0200, Niels Bakker <niels=nanog@bakker.net>  said:
> 
> * adamm@sihope.com (Adam Maloney) [Tue 22 Jul 2003, 15:33 CEST]:
> > The next worm taking advantage of the latest Windows' vulnerabilities
> > is more or less inevitable.  Someone somewhere has to be writing it.
> > So why not include the cisco exploit in the worm payload?
> 
> Why would a worm disable a vital component on its path to new infections?

It's not part of the spread-the-worm code, it's part of the DDoS engine that it
leaves behind.  If you get lucky, one of your 20K zombies is the other side
of a router along with whoever you're pissed at and want to DDoS, so you send
the command, and the zombie sprays 76 packets, goes to sleep for 30 mins,
sprays another 76.. lather rinse repeat.

I'm going to go out on a limb and say that at least 30% of Ciscos are installed
in places that would, if hit with this, have NO CLUE why their router needs to be
power cycled every 30 mins.....
