+--------[ Router Access Port DoS The tcp access / configuration ports on most routers can be disabled remotely. These sit on port numbers like 23,2001,4001,6001, and 9001. The attack simply consists of shoving a few thousand bytes of any character down the connection, a couple times may be needed for some routers, with the length of time of the DoS related to the amount of bytes you send down the initial connection. Some Cisco's would have to be reset manually to fix this, others will recover by themselves given a few minutes, hours, or days. ComOS seems to be in the manual-reset category, as I haven't found one yet that recovers from a 1 minute attack onto thier access ports. Normal operation continues, only in a few freak cases did the router drop the entire network / reset connections as a result. The impact of this is that an administrator would need physical access to reconfigure a router after an attack like this. This is merely annoying for those who have a rack in the closet, and a huge pain in the ass for those 'remote' admins who may or may not be able to have someone reset them for them. The fix would be to set your ACL's to deny access to the configuration ports from outside your network. Specific information on affected IOS versions, code revisions, etc are not known at this time. If you would like to do some testing of your own and share the results I will write up a summary in a week or so. The exploit is just pathetic, and may need 3-6 runs of varying lengths to any substantial damage. Shorter attacks result in shorter downtimes for those ports, longer attacks do everything from locking the port out until it is reset to crashing the router itself. The one line bash$ exploit is: perl -e'print 0xFF x 10000' | telnet router.example.org 2001 . After disconnecting try to connect to that port again, it should say connection refused. While some routers will recover within 30 seconds to 5 minutes, older models tend to take days to ??? to fix themsleves. -HD
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:34 PDT