[21853] in bugtraq


Re: cisco local director DOS.

daemon@ATHENA.MIT.EDU (Jeremy M. Guthrie)
Wed Jul 25 15:25:13 2001

Content-Type: text/plain;
  charset="iso-8859-1"
From: "Jeremy M. Guthrie" <guthrie@berbee.com>
Reply-To: guthrie@berbee.com
To: bugtraq@securityfocus.com, Bill Robbins <robbins@hostopia.com>
Date: Tue, 24 Jul 2001 21:58:37 -0500
In-Reply-To: <Pine.LNX.4.33.0107231756270.16657-100000@slim.hostopia.com>
MIME-Version: 1.0
Message-Id: <01072421583700.00305@plato>
Content-Transfer-Encoding: 8bit

On Monday 23 July 2001 17:43, you wrote:
> Bugtraq,
>
> If your Cisco local directors are configured to do all port mappings (0:0)
> and not port-bound virtuals (port-to-port mappings), you can easily DOS
> the local director by causing the "no answer reassign" to surpass its
> default threshold counter of 8.
> By port scanning a 0:0 VIP where the real servers are not listening
> to all ports, you can easily cause the "no answer reassign" counter to
> surpass the threshold which takes the real machine out of service.

Couple things:
A)  yes, pounding non-answering ports on a wildcard LocalDirector 
virtual/real definition can cause the virtual/real to go down.
B)  No one in their right mind should set up a 0:0:tcp/0:0:udp real/virtual 
and NOT have a firewall in front of it.
C)  Autounfail   <-main point
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ldv42/421guide/42ch05.htm#xtocid856512
Autounfail should keep busy sites up and running.  As long as data is getting 
served, the 'failed' real should come back in service.

In any case, I'm not sure this warrants a bugtraq notice.  If someone has 
configured a LocalDirector in an obviously dangerous manner such as the thread 
describes, odds are they don't understand bugtraq.  Anyway, it's like saying 
the following is dangerous on a PIX:
conduit permit ip any any

Sure it lets hosts communicate but... who in their right mind would use 
it?!?!?!?

>
> During non-peak times when the number of valid connections coming in
> is limited, the threshold does not reset itself in time.  Once you have
> done this with all real servers in the VIP, the VIP will be unresponsive.
> You must reset the VIP to make it active again.  This could be a harmful
> DOS on larger sites that have not configured their LDs correctly.
>
> I have spoken to Cisco, they do realize the possibility of a DOS.
> They recommend that people use port-bound virtuals, otherwise ensure
> that your VIPs are firewalled in front of the LD.  Cisco noted they did
> not see any special notes regarding security implications of not using
> port-bound virtuals in their latest documentation.
>
> This is just an FYI as local directors have a significant share of the
> content switching market.  This could also be a tough one to troubleshoot.


-- 
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI  53711
Phone:  608-298-1061

Berbee...putting the "E" in business
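The following is an added illustration, not code from either poster and not Cisco's LocalDirector implementation. It is a simplified model of only what the thread states: a real server accumulates "no answer" counts when forwarded SYNs go unanswered and is taken out of service once the count passes the default threshold of 8; a wildcard (0:0) virtual forwards every port to the reals, so a scan of closed ports drives the counters up until the VIP is dead; a port-bound virtual forwards only its bound port, so the same scan never reaches the reals; and autounfail returns a failed real to service once it serves data again. The IP addresses, listening ports, round-robin selection, counter reset on answered traffic, and the exact autounfail behaviour are all assumptions made for the model.

```python
"""Model of the LocalDirector wildcard-virtual DoS described in the thread.

This is NOT LocalDirector's real algorithm; it models only the behaviour the
thread describes, with assumptions marked in comments.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

DEFAULT_REASSIGN_THRESHOLD = 8  # the "default threshold counter of 8" from the thread


@dataclass
class Real:
    """A real server behind the VIP. `listening` is constructed sample data."""
    addr: str
    listening: Set[int]
    no_answer: int = 0
    in_service: bool = True

    def syn(self, port: int) -> bool:
        """Receive a forwarded SYN; return True if this server answers it."""
        if port in self.listening:
            self.no_answer = 0          # assumption: answered traffic resets the counter
            return True
        self.no_answer += 1
        if self.no_answer > DEFAULT_REASSIGN_THRESHOLD:
            self.in_service = False     # "takes the real machine out of service"
        return False


@dataclass
class Virtual:
    """A VIP. port == 0 models a wildcard 0:0 virtual; anything else is port-bound."""
    port: int
    reals: List[Real]
    autounfail: bool = False
    _rr: int = 0                        # round-robin cursor (assumption: simple round robin)

    def connect(self, port: int) -> str:
        """One client SYN to the VIP; returns the outcome as a short label."""
        if self.port != 0 and port != self.port:
            return "not_forwarded"      # port-bound virtual: probe never reaches a real
        pool = [r for r in self.reals if r.in_service]
        if not pool:
            if not self.autounfail:
                return "vip_down"       # every real failed: "the VIP will be unresponsive"
            pool = self.reals           # assumption: autounfail keeps offering failed reals
        real = pool[self._rr % len(pool)]
        self._rr += 1
        if real.syn(port):
            real.in_service = True      # autounfail: served data brings the real back
            return "answered"
        return "no_answer"


def scan(vip: Virtual, ports: Iterable[int]) -> Dict[str, int]:
    """Port-scan the VIP (one SYN per port) and tally the outcomes."""
    tally: Dict[str, int] = {}
    for p in ports:
        outcome = vip.connect(p)
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally


def make_reals() -> List[Real]:
    # constructed sample: two web servers that answer only on 80 and 443
    return [Real("10.0.0.11", {80, 443}), Real("10.0.0.12", {80, 443})]


def wildcard_scenario() -> dict:
    """0:0 virtual, no firewall: a scan of ports 1-1024 knocks out both reals."""
    vip = Virtual(port=0, reals=make_reals())
    tally = scan(vip, range(1, 1025))
    return {
        "reals_in_service": sum(r.in_service for r in vip.reals),
        "tally": tally,
        "later_port80": vip.connect(80),   # legitimate client after the scan
    }


def port_bound_scenario() -> dict:
    """Port-bound virtual on 80: the same scan never reaches the reals."""
    vip = Virtual(port=80, reals=make_reals())
    tally = scan(vip, range(1, 1025))
    return {
        "reals_in_service": sum(r.in_service for r in vip.reals),
        "tally": tally,
        "later_port80": vip.connect(80),
    }


def autounfail_scenario() -> dict:
    """0:0 virtual with autounfail: the reals still fail, but served traffic restores them."""
    vip = Virtual(port=0, reals=make_reals(), autounfail=True)
    scan(vip, range(1, 1025))
    failed_after_scan = sum(not r.in_service for r in vip.reals)
    first_hit = vip.connect(80)
    return {
        "failed_after_scan": failed_after_scan,
        "first_hit": first_hit,
        "reals_in_service": sum(r.in_service for r in vip.reals),
    }
```

In the model, 18 unanswered probes to low ports are enough to fail both reals on the wildcard virtual, after which every connection, including a legitimate one to port 80, gets "vip_down" until the VIP is reset. The port-bound virtual returns "not_forwarded" for 1023 of the 1024 probes and keeps both reals in service, which is the mitigation Cisco recommended. With autounfail, the reals still fail under the scan, but the first served request brings one back, matching the observation that busy sites recover on their own.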
