North American Network Operators Group

Re: TCP-ACK vulnerability (was RE: SSH on the router)
On Wed, 9 Jun 2004, Alexei Roudnev wrote:

> This is a minor exploit - usually you set up VLAN1 interface with IP address,

'usually' doesn't cover everyone, and some people didn't think ahead or realize that they might have a problem with this :(

> which is filtered out from outside. Moreover, there is not any good way to
> find switch IP - it is transparent for user's devices.

dns is your friend here :( People love to name things such that they are easy to remember.

cat5500.floor2.build3.you.com

> > On Mon, 7 Jun 2004, McBurnett, Jim wrote:
> > > Aside from that, Use ACLs out the wazoo on the VTY lines and limit access to
> > > that to say 1 SSH enabled router or 1 IPSEC enabled router...
> >
> > It doesn't really matter if you use SSH, Telnet or HTTP; if you can send
> > evil packets to the router/switch and it falls over and dies.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml
> >
> > IP Permit Lists will not provide any mitigation against this vulnerability.
> >
> > The race is on, who will find your switches first?
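The point made in this message is that a switch management address is only "hidden" until someone reads your DNS zone, and that a VTY ACL or IP permit list does not help against a bug in the TCP stack itself. The following is an added example, not code from the thread: a small defender-side audit that scans a zone fragment for names that look like network gear and reports the ones whose addresses sit outside the prefixes you actually filter from the outside. The zone contents, the management prefix and the device-name regex are constructed assumptions for the illustration.

```python
"""Audit a DNS zone for guessable network-device names that resolve to
addresses reachable from outside.  Added illustration for the NANOG thread
above; not code from the original post.  The sample zone, the filtered
prefix and the naming pattern are constructed for this example."""
import ipaddress
import re

# Name fragments commonly used for switches and routers (an assumption made
# for this example; adjust to the naming scheme in your own zone).
DEVICE_NAME_RE = re.compile(
    r"^(cat\d+|sw|switch|rtr|router|core|dist|access)[\w-]*", re.IGNORECASE
)

# Constructed BIND-style zone fragment ("name IN A address").
SAMPLE_ZONE = """\
www                     IN A 192.0.2.10
mail                    IN A 192.0.2.25
cat5500.floor2.build3   IN A 192.0.2.40
sw-core1                IN A 10.255.0.2
rtr-edge                IN A 192.0.2.1
printer7                IN A 192.0.2.77
"""


def parse_a_records(zone_text):
    """Return (name, IPv4Address) pairs for the A records in a zone fragment."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1].upper() == "IN" and parts[2].upper() == "A":
            records.append((parts[0], ipaddress.ip_address(parts[3])))
    return records


def exposed_device_names(zone_text, filtered_prefixes):
    """Names that look like network devices whose address is NOT inside any
    prefix filtered from the outside: the ones an attacker can both guess
    from DNS and reach with a packet that the VTY ACL never sees."""
    nets = [ipaddress.ip_network(p) for p in filtered_prefixes]
    hits = []
    for name, addr in parse_a_records(zone_text):
        if DEVICE_NAME_RE.match(name) and not any(addr in n for n in nets):
            hits.append((name, str(addr)))
    return hits


if __name__ == "__main__":
    # Assumed: only 10.255.0.0/16 is blocked at the border for this example.
    for name, addr in exposed_device_names(SAMPLE_ZONE, ["10.255.0.0/16"]):
        print(f"guessable and reachable: {name} -> {addr}")
```

Running it against the constructed zone flags `cat5500.floor2.build3` and `rtr-edge`, while `sw-core1` is ignored because its address lives inside the filtered management prefix. The useful output is the list of devices whose management interface needs to move into the filtered range (or off the public zone entirely), since filtering at the VTY does nothing for a packet the TCP stack mishandles before any permit list is consulted.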