[71133] in North American Network Operators' Group


Re: TCP-ACK vulnerability (was RE: SSH on the router)

daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Wed Jun 9 16:19:40 2004

Date: Wed, 9 Jun 2004 21:19:11 +0100 (BST)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0406091513220.19694@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, 9 Jun 2004, Sean Donelan wrote:

> On Mon, 7 Jun 2004, McBurnett, Jim wrote:
> > Aside from that, Use ACL's out the wazoo on the VTY lines and limit access to
> > that to say 1 SSH enabled router or 1 IPSEC enabled router...
> 
> It doesn't really matter if you use SSH, Telnet or HTTP; if you can send
> evil packets to the router/switch and it falls over and dies.
> 
> http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml
> 
> IP Permit Lists will not provide any mitigation against this vulnerability.
> 
> The race is on, who will find your switches first?

Yes, I often wondered why the permit list allows the session to connect and then
gives you a polite message before disconnecting.

Anyway, this is only on CatOS.

Steve

