[17896] in bugtraq


Re: Cisco 675 Denial of Service Attack

daemon@ATHENA.MIT.EDU (CDI)
Mon Dec 4 13:17:56 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.3.95.1001201142549.12039A-100000@animal.blarg.net>
Date:         Fri, 1 Dec 2000 14:37:34 -0800
Reply-To: CDI <cdi@THEWEBMASTERS.NET>
From: CDI <cdi@THEWEBMASTERS.NET>
X-To:         Shane Youhouse <Shane.Youhouse@GOODMANMFG.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <0315D0456448D4119BA80040F674F1B3428133@EXCH-HOU>

On Fri, 1 Dec 2000, Shane Youhouse wrote:

[snips]
> Did you ask CDI to help?
>
> Did he refuse?

Yes they did and no I didn't, respectively. When they were unable to
replicate the problem I sent them the step-by-step used to configure the
675 for PPP. I even told them that if they wanted to set up a 675 and
provide me with the IP I'd be happy to crash it for them.

> CDI should have gone public with this about 10 1/2 months ago.

I'll swallow that and say you're absolutely correct, but...

> Yes, more script kiddies would have known about it, but I also would
> have been complaining to the ISPs who were forcing the Cisco product on
> us to either get a new product, or would have gone with a different ISP
> / Router.

I have on more than one occasion pounced all over slow-to-respond vendors
and yes, I definitely sat on this far too long. Guilty as charged. Mea
Culpa.

In this case however, there was substantive dialog with Cisco and each
time over the months that I came close to disclosure, Cisco PSIRT would
let me know that they were still working hard on a fix. With the number of
vulnerable 67xs out there I felt that the uninformed and sometimes
uninformable masses using 67xs were better protected by non-disclosure.
As you noted, the DoS was in the wild, but you still couldn't search for
it on Packetstorm or SecurityFocus and hence, flying under the radar of
most script kiddies.

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse:
Failure to adjust for daylight savings time.
