Widespread Router Access Port DoS

From: HD Moore (hdmooreat_private)
Date: Thu Feb 04 1999 - 09:05:31 PST

    +--------[ Router Access Port DoS
    
    The tcp access / configuration ports on most routers can be disabled
    remotely.  These sit on port numbers like 23,2001,4001,6001, and 9001.
    The attack simply consists of shoving a few thousand bytes of any
    character down the connection, a couple times may be needed for some
    routers, with the length of time of the DoS related to the amount of
    bytes you send down the initial connection.  Some Ciscos would have to
    be reset manually to fix this, others will recover by themselves given a
    few minutes, hours, or days.  ComOS seems to be in the manual-reset
    category, as I haven't found one yet that recovers from a 1 minute
    attack onto their access ports.  Normal operation continues, only in a
    few freak cases did the router drop the entire network / reset
    connections as a result.
    
    The impact of this is that an administrator would need physical access
    to reconfigure a router after an attack like this.  This is merely
    annoying for those who have a rack in the closet, and a huge pain in the
    ass for those 'remote' admins who may or may not be able to have someone
    reset them for them. The fix would be to set your ACLs to deny access
    to the configuration ports from outside your network.  Specific
    information on affected IOS versions, code revisions, etc are not known
    at this time.  If you would like to do some testing of your own and
    share the results I will write up a summary  in a week or so.
    
    The exploit is just pathetic, and may need 3-6 runs of varying lengths
    to do any substantial damage.  Shorter attacks result in shorter downtimes
    for those ports, longer attacks do everything from locking the port out
    until it is reset to crashing the router itself.  The one line bash$
    exploit is: perl -e'print 0xFF x 10000' | telnet router.example.org 2001.
    After disconnecting try to connect to that port again, it should say
    connection refused.  While some routers will recover within 30 seconds
    to 5 minutes, older models tend to take days to ??? to fix themselves.
    
    -HD
    
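The post's suggested fix is an ACL that keeps the configuration ports reachable only from your own network. The following Cisco IOS configuration is an added example of that mitigation; it is not part of HD Moore's post and is not vendor-supplied. It assumes Serial0 is the interface facing the outside, 192.0.2.0/24 is the trusted management network, and the port list is the one named in the post (23, 2001, 4001, 6001, 9001). Adjust the interface name, network and port list to your own setup.

```cisco
! Added example (not from the original post). Assumed names: Serial0 is the
! outside interface, 192.0.2.0/24 is the trusted management network.
!
! Extended ACL 101: drop inbound connections to the access/configuration
! ports from the outside and log them, then let everything else through.
access-list 101 deny   tcp any any eq 23   log
access-list 101 deny   tcp any any eq 2001 log
access-list 101 deny   tcp any any eq 4001 log
access-list 101 deny   tcp any any eq 6001 log
access-list 101 deny   tcp any any eq 9001 log
access-list 101 permit ip  any any
!
interface Serial0
 ip access-group 101 in
!
! Standard ACL 10: only the management network may open VTY sessions,
! so telnet to port 23 is restricted even on interfaces without ACL 101.
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
```

The interface ACL stops the flood before it reaches the port handler, and the log keyword gives you a record of attempts in the router's syslog so a hung port can be tied to a source. The access-class on the VTY lines is a second layer for port 23 in case traffic arrives through an interface the extended ACL is not applied to.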