North American Network Operators Group
Re: Cisco Vulnerability Testing Results

Just for fun we hit an old AGS+ router with 10.2(4) code on it.. Apparently older code is vulnerable too.. So.. everyone running AGS+'s in the core, beware.. *grin*

On Fri, 2003-07-18 at 11:34, Jason Frisvold wrote:
> Ok, update to my testing :
>
> On Fri, 2003-07-18 at 10:48, Jason Frisvold wrote:
> > Hi all,
> >
> > First post.. I hope this is ok ...
> >
> > We tested the Cisco vulnerability and I wanted to share our results
> > with you ...
> <SNIP>
> > Testing scenario is this :
> >
> > Linux Machine (10.0.0.2/24)
> > Cisco 2514
> > Ethernet0 (10.0.0.1/24) is in from the attacker
> > Ethernet1 (192.168.0.1/24) is output to the 2501
> > Cisco 2501
> > Ethernet0 (192.168.0.2/24) is in from the 2514
> <SNIP>
>
> Firstly, HPing (www.hping.org) can craft the packets required for this
> attack very simply... I won't post the exact command string, but it's
> not that hard to figure out... And with HPing, you can easily take down
> an interface in under a second.
>
> Now, on to ACL testing...
>
> 3 ACL tests just to make sure we had everything correct ... We first
> tried the any any ACL that Cisco recommends :
>
> access-list 101 deny 53 any any
> access-list 101 deny 55 any any
> access-list 101 deny 77 any any
> access-list 101 deny 103 any any
> access-list 101 permit ip any any
>
> This produced expected results. When placed on the interface, it
> prevented the router from being attacked.
>
> Next, we tried an ACL with just the interface IP in it :
>
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 permit ip any any
>
> We applied this to the Ethernet0 interface on the 2514. Attacks to that
> IP were prevented as expected.
>
> Attacks through to the 2501 were not blocked, again as expected.
>
> And finally, attacks to the ethernet1 interface on the 2514, which
> passes through the ethernet0 interface, still caused the ethernet0
> interface to be attacked.
>
> And the last test was an ACL containing all of the IP's on the router:
>
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 deny 53 any host 192.168.0.1
> access-list 101 deny 55 any host 192.168.0.1
> access-list 101 deny 77 any host 192.168.0.1
> access-list 101 deny 103 any host 192.168.0.1
> access-list 101 permit ip any any
>
> This blocked all attacks on the 2514 while still allowing attacks
> through to the 2501.. This is as expected.
>
> Also, another note. Loopback interfaces, while not vulnerable
> themselves, make it much easier to completely take out routers.. (We're
> assuming that the device is still vulnerable) If the attacker has the
> loopback of the router, they can run an attack at that interface. Every
> input interface will be attacked in succession. As each interface goes
> down and the traffic re-routed, the next interface will fall under
> attack.
>
> Just be sure to add the loopback IP as part of the ACL ... :)

--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
[email protected]
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge. Knowledge is limited.
Imagination encircles the world." -- Albert Einstein [1879-1955]
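An added defender-side check, not part of the post or of any Cisco tooling: a small Python audit that reads an IOS config fragment, collects every interface address (loopbacks included) and reports which (protocol, address) pairs the access-list does not deny before its catch-all `permit ip any any`. The config text, the Loopback0 address 172.16.0.1 and the function names are constructed for this example; the ACL lines mirror the "all IPs on the router" list from the post, minus the loopback, to show the gap the post warns about.

```python
import re

# Constructed IOS config fragment: the 2514 from the post plus a Loopback0
# that the "all router IPs" ACL forgets, which is exactly the gap noted above.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
interface Ethernet1
 ip address 192.168.0.1 255.255.255.0
access-list 101 deny 53 any host 10.0.0.1
access-list 101 deny 55 any host 10.0.0.1
access-list 101 deny 77 any host 10.0.0.1
access-list 101 deny 103 any host 10.0.0.1
access-list 101 deny 53 any host 192.168.0.1
access-list 101 deny 55 any host 192.168.0.1
access-list 101 deny 77 any host 192.168.0.1
access-list 101 deny 103 any host 192.168.0.1
access-list 101 permit ip any any
"""

# IP protocol numbers the Cisco-recommended ACL in the post denies.
PROTOCOLS = ("53", "55", "77", "103")

def router_addresses(config):
    """Every IPv4 address configured on an interface, loopbacks included."""
    return re.findall(r"^\s*ip address (\d{1,3}(?:\.\d{1,3}){3}) ", config, re.M)

def denied_pairs(config, acl):
    """(protocol, host) pairs the ACL denies before its final 'permit ip any any'."""
    denied = set()
    pat = re.compile(rf"access-list {acl} (deny|permit) (\S+) any (?:host (\S+)|any)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        action, proto, host = m.groups()
        if action == "permit" and proto == "ip" and host is None:
            break  # nothing after the catch-all permit is ever reached
        if action == "deny" and proto in PROTOCOLS:
            denied.add((proto, host or "any"))
    return denied

def missing_entries(config, acl="101"):
    """(protocol, address) pairs that still reach the router through this ACL."""
    denied = denied_pairs(config, acl)
    return [(proto, addr) for addr in router_addresses(config) for proto in PROTOCOLS
            if (proto, addr) not in denied and (proto, "any") not in denied]
```

`missing_entries(SAMPLE_CONFIG)` returns the four protocol entries still open for the Loopback0 address; with the `any any` form of the ACL it returns an empty list.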