Re: CR vs. CoreBuilder

From: Bryan Andersen (bryanat_private)
Date: Mon Aug 06 2001 - 10:56:58 PDT


    I don't know what type of setup your Cisco 675 has for routing 
    traffic to you.  I'm using a routed subnet in ppp mode.  I have 
    the web interface disabled, restricted to a dummy IP address, 
    and the port set to a different number.  I selected an unused 
    low number port from IANA TCP port lists.  The only reboot I've 
    had to do was on July 19th when the configuration didn't yet 
    have the web port changed and IP address restriction set.  I'm 
    running CBOS 2.1.?. 
    
    GraffiX wrote:
    > 
    > The only way I was able to keep the 675 from requiring a power recycle was
    > to set a filter to disable incoming port 80 altogether.  If you're not
    > running a webserver behind the router, disabling the web interface and
    > changing the "webserver" port to something other than 80, both on the 675,
    > will work fine.  Unfortunately, anything that listens on port 80 BEHIND the
    > 675 that responds WILL crash the 675, regardless of what you do to the web
    > service on the 675.  Apparently, the deny all incoming port 80 filter
    > prevents the router from evaluating the packet(s), preventing the
    > crash.  Short of that, it seems we're SOL until Cisco fixes this shit.
    > 
    > I tested this by making sure the web interface was disabled, and changed
    > the default port it would listen on to (59059).  Then turned off the filter I'd
    > set to prevent the traffic entirely, allowing it through to my web server
    > on port 80, and within 1/2 hr, I had 6 CR probes (logged on my webserver),
    > and the 675 had crashed.  Turning the incoming port 80 denied filter back
    > on once again prevented the crash, and has continued to prevent any crashing.
    
    Try also setting the web server to be restricted to a bogus IP address.  
    You could set it to listen only to some 10 net address.
    
    > Good thing my webserver isn't critical, though I suspect there are plenty
    > of folks who require their webservers to be alive behind their 675...small
    > business customers, etc...
    
    A number of systems I touch often are having sporadic outages.  I'd 
    try them and I wouldn't get replies back and 5 to 10 minutes later 
    they are reachable again.
    
    What I'm wondering is how many of the bigger Cisco routers (and other 
    types) are crashing, taking whole segments of the net off line?
    
    -- 
    |  Bryan Andersen   |   bryanat_private   |   http://www.nerdvest.com   |
    | Buzzwords are like annoying little flies that deserve to be swatted. |
    |   -Bryan Andersen                                                    |
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


