Re: cisco local director DOS.

From: Jeremy M. Guthrie (guthrieat_private)
Date: Tue Jul 24 2001 - 19:58:37 PDT

Next message: Chad Loder: "Re: multiple vendor telnet daemon vulnerability"

Previous message: Paul Rogers: "RE: multiple vendor telnet daemon vulnerability"
In reply to: Bill Robbins: "cisco local director DOS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Monday 23 July 2001 17:43, you wrote:
> Bugtraq,
>
> If your Cisco local directors are configured to do all port mappings (0:0)
> and not port-bound virtuals (port-to-port mappings), you can easily DOS
> the local director by causing the "no answer reassign" to surpass its
> default threshold counter of 8.
> By port scanning a 0:0 VIP where the real servers are not listening
> to all ports, you can easily cause the "no answer reassign" counter to
> surpass the threshold which takes the real machine out of service.

Couple things:
A)  yes, pounding non-answering ports on a wildcard LocalDirector 
virtual/real definition can cause the virtual/real to go down.
B)  No one in their right mind should setup a 0:0:tcp/0:0:udp real/virtual 
and NOT have a firewall in front of it.
C)  Autounfail   <-main point
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ldv42/421guide/42ch05.htm#xtocid856512
Autounfail should keep busy sites up and running.  As long as data is getting 
served, the 'failed' real should come back in service.

In any case, I'm not sure this warrants a bugtraq notice.  If someone has 
configured a LocalDirector in a obviously dangerous matter such as the thread 
describes, odds are they don't understand bugtraq.  Anyway, It's like saying 
the following is dangerous on a Pix:
conduit permit ip any any

Sure it lets hosts communicate but... who in their right mind would use 
it?!?!?!?

>
> During non-peak times when the amount of valid connections coming in
> are limited, the threshold does not reset itself in time.  Once you have
> done this with all real servers in the VIP, the VIP will be unresponsive.
> You must reset the VIP to make it active again.  This could be a harmful
> DOS on larger sites that have not configured their LDs correctly.
>
> I have spoken to Cisco, they do relize the possibility of a DOS.
> They recommend that people use port-bound virtuals, otherwise ensure
> that your VIPs are firewalled in front of the LD.  Cisco noted they did
> not see any special notes regarding security implications of not using
> port-bound virtuals in their latest documentation.
>
> This is just an FYI as local directors have a significant share of the
> content switching market.  This could also be a tough one to troubleshoot.

-- 
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI  53711
Phone:  608-298-1061

Berbee...putting the "E" in business

Next message: Chad Loder: "Re: multiple vendor telnet daemon vulnerability"
Previous message: Paul Rogers: "RE: multiple vendor telnet daemon vulnerability"
In reply to: Bill Robbins: "cisco local director DOS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 12:20:41 PDT