North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Working vulnerability? (Cisco exploit)

  • From: Ben Buxton
  • Date: Fri Jul 18 10:17:19 2003

Yep its all a bit weird, I guess people are not too knowledgeable about
it. For starters the original explit wont work very well out of the box
for most script kiddies (random source addresses -> killed by
anti-spoofing),
and a single packet to a vulnerable box isnt enough (need to fill the
queue slots).

More of an annoyance really - most of the outages as a result are going
to
be from people upgrading boxes, not victims of attack.

BB

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> 
> On Fri, 18 Jul 2003, Ben Buxton wrote:
> 
> > It's released and it works - I have verified it in a lab here. 
> 
> And others are trying it in the field now.  I setup the recommended
> transit ACLs yesterday.  Starting at 9:25am EDT this morning, 
> those ACLs
> started getting hits.  What doesn't make sense to me is 
> according to the 
> advisory, the packets have to be destined for the router to 
> crash it (not 
> just passed through it), but people are attacking seemingly 
> random IPs, 
> including ones in a new ARIN block that have not yet been 
> assigned/used 
> for anything.  What do they think they're attacking?
> 
> ----------------------------------------------------------------------
>  Jon Lewis *[email protected]*|  I route
>  System Administrator        |  therefore you are
>  Atlantic Net                |  
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> 
>