RE: SNMP scans, DoS and a VIP crash

From: Tyrannis Von Nettesheim (tyrannisat_private)
Date: Wed Dec 26 2001 - 08:05:46 PST

    Cisco VIPxx cards run, essentially, their own code, which is bundled inside
    of IOS versions. The VIP concept and implementation has been known for years
    to be notoriously twitchy, requiring good code scrubs to mate the desired
    feature-set to the most stable version of code. This is something you just
    may want to do internally and/or with your customers with some Cisco TAC
    help. The code recommendations for GD (General Deployment) code are solid,
    but often don't deal with particular corner-case hardware or feature-set
    issues.
    
    I could foresee circumstances where a stream of walks through the SNMP tree
    in a DoS fashion could crash a card, and I've seen products have issues with
    the SNMP PDU-packing query style where more modern monitoring systems will
    pack a bunch of SNMP queries into a single packet, and some buggy code has
    issues unpacking those. This issue was resolved years in the past, but I
    still see it crop up @ client sites not keeping current with code.
    
    If it's a 7513, you're running a nice fairly beefy processor, and if your
    traffic flows are low enough or you have more recent code, have the client
    or your router squelch out SNMP on the appropriate interfaces with an ACL or
    similar strategy, and log it. You should be afraid of loading the CPU here -
    unless you're running the proper code and hardware, ACL traffic is directly
    processed by the RSP's CPU. If you have 6500s with later code "above" where
    the 7513 is, you'll find a better strategy there in temporarily inserting an
    ACL structure since it can be hardware switched on that platform.
    
    Otherwise, get a sniffer out there, find the traffic path, and examine the
    SNMP requests, looking particularly for the GET-NEXT stuff, and see if
    you've got someone trying to walk the entire SNMP tree on the device, or
    someone looking for something particular.
    
    -T
    
    -----Original Message-----
    From: Kneppers [mailto:kneppermat_private]
    Sent: Monday, December 24, 2001 12:01 PM
    To: incidentsat_private
    Subject: SNMP scans, DoS and a VIP crash
    
    
    Hi
    
    I had an incident on the weekend. Detected a lot of SNMP authorization
    failures to my router from a customer for about 2 days, terminating in an
    inbound DoS attack (SYN-flood) targeting the customer.
    
    I suspect the customer machine is compromised and used for scanning ..
    maybe running an IRC bot as well, which caused the focused DoS attack.
    
    The bit I'm curious about is that the exact same interface on my router
    experienced some VIP crashes (device is a Cisco 7513) during the same
    time, and often times very close to the scans. We've had other problems
    with VIP crashes on the 7513, but I'm always suspicious when associated
    with malicious activity.
    
    Anybody seen similar activity where a scan or DoS takes out a card?
    Possibly a scanning tool generating funny packets?
    
    Thanks for any info
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
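The triage Tyrannis recommends (sniff the path, classify the SNMP requests, see whether one source is walking the whole tree with GET-NEXT) can be scripted once the UDP payloads are off the wire. The following is an added example for this thread and is not code from either poster: it decodes just enough of the BER framing of SNMPv1/v2c to recover the PDU type, community string and number of variable bindings per packet, then aggregates per source to flag three things the thread mentions: a GET-NEXT tree walk, the multi-varbind "PDU-packing" query style, and repeated community-string guesses (what shows up router-side as SNMP authorization failures). The capture is modelled as (source IP, UDP payload) pairs already extracted from a pcap; the packets, the TEST-NET-1 addresses, the OIDs chosen and both thresholds are constructed for the demo.

```python
"""Triage captured SNMPv1/v2c requests: who is walking the tree, who packs PDUs.

Added example for this thread, not code from either poster. Decodes just the BER
framing of community-based SNMP (v1 RFC 1157 / v2c RFC 3416 PDU tags) to recover
version, community, PDU type and varbind count, then aggregates per source.
Packets, hosts (TEST-NET-1) and thresholds are all constructed for the demo."""
from collections import Counter, defaultdict

PDU_NAMES = {0xA0: "GET", 0xA1: "GET-NEXT", 0xA2: "RESPONSE",
             0xA3: "SET", 0xA5: "GET-BULK"}
WALK_THRESHOLD = 20    # GET-NEXTs from one source before we call it a tree walk
PACKED_THRESHOLD = 8   # varbinds in one PDU worth flagging (the "PDU-packing" style)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(msg):
    """Return (version, community, pdu_name, varbind_count), or None if not v1/v2c."""
    try:
        tag, body, _ = _read_tlv(msg, 0)            # outer SEQUENCE
        vtag, ver, pos = _read_tlv(body, 0)
        version = int.from_bytes(ver, "big")        # 0 = SNMPv1, 1 = SNMPv2c
        ctag, community, pos = _read_tlv(body, pos)
        pdu_tag, pdu, _ = _read_tlv(body, pos)
        if ((tag, vtag, ctag) != (0x30, 0x02, 0x04) or version not in (0, 1)
                or pdu_tag not in PDU_NAMES):
            return None
        pos = 0
        for _ in range(3):                          # request-id, error-status, error-index
            _, _, pos = _read_tlv(pdu, pos)
        vbtag, varbinds, _ = _read_tlv(pdu, pos)
        if vbtag != 0x30:
            return None
        count, pos = 0, 0
        while pos < len(varbinds):                  # each VarBind is its own SEQUENCE
            _, _, pos = _read_tlv(varbinds, pos)
            count += 1
        return version, community.decode("latin-1"), PDU_NAMES[pdu_tag], count
    except (IndexError, ValueError):
        return None

def summarize(capture):
    """capture: iterable of (src_ip, udp_payload). Returns (per-source Counters, findings)."""
    stats, packed, communities = defaultdict(Counter), Counter(), defaultdict(set)
    for src, payload in capture:
        parsed = parse_snmp(payload)
        if parsed is None:
            stats[src]["unparsed"] += 1             # v3, garbage, or truncated
            continue
        _, community, pdu_name, nvb = parsed
        stats[src][pdu_name] += 1
        communities[src].add(community)
        if nvb >= PACKED_THRESHOLD:
            packed[src] += 1
    findings = []
    for src, c in stats.items():
        if c["GET-NEXT"] >= WALK_THRESHOLD:
            findings.append((src, "likely full-tree walk (%d GET-NEXT)" % c["GET-NEXT"]))
        if len(communities[src]) > 1:
            findings.append((src, "%d community strings tried" % len(communities[src])))
        if packed[src]:
            findings.append((src, "%d heavily packed PDUs" % packed[src]))
    return stats, findings

def _tlv(tag, value):
    """Encode one BER TLV, using the long length form when the value is 128+ bytes."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_request(pdu_tag, community, oids, request_id=1):
    """Build a constructed SNMPv2c request with a NULL value for each BER-encoded OID."""
    varbinds = b"".join(_tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b"")) for oid in oids)
    pdu = (_tlv(0x02, bytes([request_id & 0x7F])) + _tlv(0x02, b"\x00")
           + _tlv(0x02, b"\x00") + _tlv(0x30, varbinds))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community) + _tlv(pdu_tag, pdu))

WALKER, MONITOR, ADMIN = "192.0.2.50", "192.0.2.10", "192.0.2.20"   # made-up hosts
SYSTEM_OID = b"\x2b\x06\x01\x02\x01\x01"               # 1.3.6.1.2.1.1 (system)
IFINOCTETS = b"\x2b\x06\x01\x02\x01\x02\x02\x01\x0a"   # 1.3.6.1.2.1.2.2.1.10

def sample_capture():
    """Constructed capture: a tree walker, a PDU-packing monitor, one admin poll."""
    cap = []
    for i in range(25):   # 25 GET-NEXTs from one host, alternating two community guesses
        cap.append((WALKER, build_request(0xA1, b"public" if i % 2 else b"private", [SYSTEM_OID], i)))
    for i in range(2):    # a monitor packing ten ifInOctets instances into each GET
        cap.append((MONITOR, build_request(0xA0, b"public", [IFINOCTETS + bytes([n]) for n in range(1, 11)], i)))
    cap.append((ADMIN, build_request(0xA0, b"public", [SYSTEM_OID + b"\x03\x00"])))  # sysUpTime.0
    return cap
```

Run `summarize(sample_capture())` and the walker shows up twice (25 GET-NEXTs, two community strings), the monitor once (two packed PDUs), and the admin not at all. On real traffic, feed it the payloads of UDP/161 packets toward the router; a GET-BULK tally is kept as well, since a v2c walker may use that instead of GET-NEXT.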
    



    This archive was generated by hypermail 2b30 : Wed Dec 26 2001 - 16:49:40 PST