Cisco VIPxx cards run, essentially, their own code, which is bundled inside of IOS versions. The VIP concept and implementation has been known for years to be notoriously twitchy, requiring good code scrubs to mate the desired feature set to the most stable version of code. This is something you just may want to do internally and/or with your customers, with some Cisco TAC help. The code recommendations for GD (General Deployment) code are solid, but often don't deal with particular corner-case hardware or feature-set issues.

I could foresee circumstances where a stream of walks through the SNMP tree in a DoS fashion could crash a card, and I've seen products have issues with the SNMP PDU-packing query style, where more modern monitoring systems will pack a bunch of SNMP queries into a single packet, and some buggy code has issues unpacking those. This issue was resolved years in the past, but I still see it crop up at client sites not keeping current with code.

If it's a 7513, you're running a nice, fairly beefy processor, and if your traffic flows are low enough or you have more recent code, have the client or your router squelch out SNMP on the appropriate interfaces with an ACL or similar strategy, and log it. You should be afraid of loading the CPU here: unless you're running the proper code and hardware, ACL traffic is directly processed by the RSP's CPU. If you have 6500s with later code "above" where the 7513 is, you'll find a better strategy there in temporarily inserting an ACL structure, since it can be hardware switched on that platform.

Otherwise, get a sniffer out there, find the traffic path, and examine the SNMP requests, looking particularly for the GET-NEXT stuff, and see if you've got someone trying to walk the entire SNMP tree on the device, or someone looking for something particular.

-T

-----Original Message-----
From: Kneppers [mailto:kneppermat_private]
Sent: Monday, December 24, 2001 12:01 PM
To: incidentsat_private
Subject: SNMP scans, DoS and a VIP crash

Hi,

I had an incident on the weekend. Detected a lot of SNMP authorization failures to my router from a customer for about 2 days, terminating in an inbound DoS attack (SYN flood) targeting the customer. I suspect the customer machine is compromised and used for scanning, maybe running an IRC bot as well, which caused the focused DoS attack.

The bit I'm curious about is that the exact same interface on my router experienced some VIP crashes (device is a Cisco 7513) during the same time, and oftentimes very close to the scans. We've had other problems with VIP crashes on the 7513, but I'm always suspicious when associated with malicious activity.

Anybody seen similar activity where a scan or DoS takes out a card? Possibly a scanning tool generating funny packets?

Thanks for any info

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
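The sniffer step the reply ends on (look at the SNMP requests on the wire, separate GET-NEXT tree walks from targeted queries, and spot the packed multi-varbind PDUs the reply mentions) as an added example that is not part of either message in this thread: a minimal SNMPv1/v2c BER parser in Python plus a per-source classifier, run over sample packets that are constructed inline rather than taken from a real capture. The function names (parse_snmp, summarize, build_request), the source addresses, the community strings, and the walk threshold of three consecutive GET-NEXT/GET-BULK requests are all assumptions made for the example, not anything from the original posts.

```python
"""Classify SNMPv1/v2c requests seen on the wire: who is walking the tree
(runs of GET-NEXT / GET-BULK), who packs many varbinds into one PDU, and
which community strings each source tries.  Added example; sample packets
below are constructed, not captured."""

from collections import defaultdict

# Request/response PDU tags (context-specific, constructed).  SNMPv1 Trap
# (0xA4) has a different body layout and is deliberately not handled.
PDU_NAMES = {0xA0: "GET", 0xA1: "GETNEXT", 0xA2: "RESPONSE",
             0xA3: "SET", 0xA5: "GETBULK"}


def read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (>127 bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a BER OBJECT IDENTIFIER body into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                       # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp(packet):
    """Return version, community, PDU type and the varbind OIDs of a message."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag not in PDU_NAMES:
        raise ValueError("unsupported PDU tag 0x%02x" % pdu_tag)
    _, _, p = read_tlv(pdu, 0)              # request-id
    _, _, p = read_tlv(pdu, p)              # error-status / non-repeaters
    _, _, p = read_tlv(pdu, p)              # error-index / max-repetitions
    _, vbl, _ = read_tlv(pdu, p)            # SEQUENCE OF VarBind
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES[pdu_tag], "oids": oids}


def summarize(traffic, walk_threshold=3):
    """traffic: iterable of (src_ip, packet_bytes).  Flags per source whether
    it looks like a tree walk and whether it sends packed (multi-varbind) PDUs."""
    per_src = defaultdict(lambda: {"getnext": 0, "get": 0, "max_varbinds": 0,
                                   "communities": set(), "malformed": 0})
    for src, pkt in traffic:
        try:
            m = parse_snmp(pkt)
        except (ValueError, IndexError):
            per_src[src]["malformed"] += 1   # the "funny packets" to look at
            continue
        s = per_src[src]
        if m["pdu"] in ("GETNEXT", "GETBULK"):
            s["getnext"] += 1
        elif m["pdu"] == "GET":
            s["get"] += 1
        s["max_varbinds"] = max(s["max_varbinds"], len(m["oids"]))
        s["communities"].add(m["community"])
    for s in per_src.values():
        s["walk"] = s["getnext"] >= walk_threshold
        s["packed"] = s["max_varbinds"] > 1
    return dict(per_src)


# --- BER encoder, used only to construct the sample traffic below -----------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return out


def build_request(pdu_tag, community, oids):
    """SNMPv2c request with NULL values; request-id fixed at 1 for the example."""
    vbl = b"".join(tlv(0x30, tlv(0x06, encode_oid(o)) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, vbl)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))


# Constructed sample: 10.0.0.5 walks from the MIB-2 root trying several
# community strings; 192.0.2.9 is a monitor packing 20 ifInOctets into one GET.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_request(0xA1, "public", ["1.3.6.1.2.1"])),
    ("10.0.0.5", build_request(0xA1, "public", ["1.3.6.1.2.1.1.1.0"])),
    ("10.0.0.5", build_request(0xA1, "private", ["1.3.6.1.2.1.1.2.0"])),
    ("10.0.0.5", build_request(0xA1, "cisco", ["1.3.6.1.2.1.1.3.0"])),
    ("192.0.2.9", build_request(0xA0, "monitor",
                                ["1.3.6.1.2.1.2.2.1.10.%d" % i for i in range(1, 21)])),
]

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_TRAFFIC).items():
        print(src, "walk" if s["walk"] else "targeted",
              "packed(%d)" % s["max_varbinds"] if s["packed"] else "single",
              sorted(s["communities"]))
```

In practice the packet bytes come from the UDP payload of port 161 frames in a capture; the parser only needs the SNMP message itself. The 20-varbind GET is over 127 bytes, so it exercises the long-form BER lengths that the packed-PDU bug class in the reply is about, and a decoder that cannot get through it is worth noting alongside any sources that produce parse errors.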
This archive was generated by hypermail 2b30 : Wed Dec 26 2001 - 16:49:40 PST