North American Network Operators Group


Re: Cisco vulnerability and dangerous filtering techniques

  • From: Chris Lewis
  • Date: Tue Jul 22 11:43:58 2003

Austad, Jay wrote:
> I was thinking about this the other day.  The most efficient way to make
> this work would be to spread using some vulnerability (like the Microsoft
> DCOM vulnerability released last week), and then at a predetermined time,
> start DoS'ing routers in the IP space of major providers, and then work your
> way towards the "edges."  You can pretty much safely assume that most of
> your infected machines are going to basically be on the edges of the
> internet, so if you start with major providers, you won't kill all of your
> connectivity.  Even more destructive would be p2p built into it, so all of
> the infected hosts could coordinate before the attack on what networks each
> one would handle.
Imagine generalizing that to phases - build a virus that uses several different modes of propagation to different platforms - virulent, but not too violent (i.e., not like SQL Slammer), then phase it to DoS various services, including the routers.

You might come in one morning to find your entire network infested with a multi-phasic virus which has destroyed whatever it could, DDoS'd everything it couldn't, and big chunks of your network are dead. On multiple platforms simultaneously.

You're in a mode where everything has to be unplugged, and scrubbed before reconnecting.

Ugh.

SQL Slammer was inadvertently almost there. We're not an SQL shop, but a few machines here and there had it enabled for one reason or another. The propagation flood itself was so violent it took out non-Windows services.