[22208] in bugtraq
Re: UDP packet handling weird behaviour of various operating
daemon@ATHENA.MIT.EDU (Lisa Napier)
Fri Aug 10 21:46:45 2001
Message-Id: <4.3.2.7.2.20010810163748.034b0250@171.70.24.186>
Date: Fri, 10 Aug 2001 17:46:43 -0700
To: Stefan Laudat <stefan@ns.allianztiriac.ro>,
Michal Zalewski <lcamtuf@gis.net>
From: Lisa Napier <lnapier@cisco.com>
Cc: bugtraq@securityfocus.com, psirt@cisco.com
In-Reply-To: <20010726014804.B31276@allianztiriac.ro>
Hi Stefan,

Sorry to take so long to reply to this thread. Frankly, our team has been
busy with Code Red response activities, and didn't catch the Cisco
reference in your original post.

We've set this up in the lab, and don't see the same issues. I've worked
on a few UDP flood cases where the target server was definitely having
problems, but the IOS gear was just fine; that was what we were using to
troubleshoot the problem. Through traffic is what the box is designed to
handle.

I'd be interested to review your test configuration and topology; if this
is a legitimate problem we'd certainly like to fix it as quickly as
possible. Being a vendor, of course we'd really appreciate notification of
problems such as this prior to public posting. Additionally, as we simply
didn't see the reference to our products in your notification, we're a bit
embarrassed by the time lag in our response.

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems

At 03:48 PM 7/25/2001, Stefan Laudat wrote:
> > Uh-huh. Tested it on Linux 2.2 and 2.4, can't confirm the problem. It
> > would be pretty strange, btw, since it simply generates normal UDP packet,
> > no black magic, really, and remote system, unless there's comast service
> > running, politely responds with 'ICMP destination port unreachable', which
> > is translated into 'Connection refused'.
>
>One extra thing I haven't underlined so well in my announce: Cisco routers
>(and as well as other ones maybe) start crawling even forwarding the flood not
>being the target itself only. Looks like a UDP handling problem for me :(
>I have managed to kill a 7513 Cisco Router with DCEF enabled and loads of
>other speed hacks. Try it for yourself :)
>
>--
>Stefan Laudat
>CCNA,CCAI
>Senior Network Engineer
>Allianz-Tiriac SA
>
>"Let's call it an accidental feature."
> -- Larry Wall