[71132] in North American Network Operators' Group
TCP-ACK vulnerability (was RE: SSH on the router)
daemon@ATHENA.MIT.EDU (Sean Donelan)
Wed Jun 9 15:18:37 2004
Date: Wed, 9 Jun 2004 15:15:42 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <9BF6F06C4BC90746ADD6806746492A33E93DDC@msmmail01.msmgmt.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 7 Jun 2004, McBurnett, Jim wrote:
> Aside from that, use ACLs out the wazoo on the VTY lines and limit access to
> that to say 1 SSH enabled router or 1 IPSEC enabled router...
It doesn't really matter if you use SSH, Telnet or HTTP if you can send
evil packets to the router/switch and it falls over and dies.
http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml
IP Permit Lists will not provide any mitigation against this vulnerability.
The race is on, who will find your switches first?