[71164] in North American Network Operators' Group
Re: TCP-ACK vulnerability (was RE: SSH on the router)
Date: Thu, 10 Jun 2004 15:26:35 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <064f01c44eb4$bd102c10$6401a8c0@alexh>
To: Alexei Roudnev <alex@relcom.net>
Cc: Sean Donelan <sean@donelan.com>, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 9 Jun 2004, Alexei Roudnev wrote:
>
> This is a minor exploit - usually you set up the VLAN1 interface with an IP address,
'usually' doesn't cover everyone, and some people didn't think ahead or
realize that they might have a problem with this :(
> which is filtered out from outside. Moreover, there is not any good way to
> find switch IP - it is transparent for user's devices.
>
DNS is your friend here :( People love to name things such that they are
easy to remember. cat5500.floor2.build3.you.com
>
> >
> > On Mon, 7 Jun 2004, McBurnett, Jim wrote:
> > > Aside from that, use ACLs out the wazoo on the VTY lines and limit access to
> > > that to say 1 SSH enabled router or 1 IPSEC enabled router...
> >
> > It doesn't really matter if you use SSH, Telnet or HTTP; if you can send
> > evil packets to the router/switch and it falls over and dies.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml
> >
> > IP Permit Lists will not provide any mitigation against this vulnerability.
> >
> > The race is on, who will find your switches first?
> >
>