did you log into the router? did you do a sh ver checking for uptime and possibly SegV errors -- when was it reload, why was it reload did anyone else on the network report any weirdness, connectivity issues before the Cisco vanishing act or was it just the router acting strangely? does the router permit anyone vty access? how is vty access granted? ssh, telnet? where is the router located? could someone have accidentally unplugged it or power cycled it? could the cleaning person have needed the outlet to run the vacuum =) before spending a million dollars why not first invest some time into first looking into the router and second possibly having someone on-site ping the router constantly and if/when it performs this act again have that person log in and attempt to see what the router is doing. just a few questions that come to mind --Keith -----Original Message----- From: Richard Bartlett [mailto:richard_bartlettat_private] Sent: Thursday, July 10, 2003 3:03 AM To: incidentsat_private Subject: Possible DOS on Cisco 2651 router? A client experienced an outage today on their Cisco 2651 router (IOS version IOS (tm) C2600 Software (C2600-I-M), Version 12.2(5d), RELEASE SOFTWARE (fc1). Pings to the router failed with either timout or TTL expired in transit messages from hops 2-3 upstream of the router. Tracerts would timeout on the serial interface. Investigations internally found machines just downstream of the router couldn't even ping the internal ethernet interface of the router. A power cycle did not solve the problem, and for some time the router would timeout for around 2-3 minutes, then respond for 1 minute, then timeout again. I was unable to get on site with Syslog/Ethereal/Snort etc. and by the time I was onsite the problem had stopped. Does this sound like a DOS attack? I can't think of any config/hardware problem that could cause symptoms like this, but I don't want to jump to conclusions. Tomorrow there will be a machine with RealSecure PC Protection, Snort, Kiwi Syslog Demon and Ethereal sitting there waiting! Cheers for any help provided. Richard ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 13:19:12 PDT