On Thu, 17 Jul 2003, Jeremy Junginger wrote:

> Were you able to obtain any additional information about exactly what type of
> packets (and sequence) does this? It would make the ACL a lot cleaner. :-)

According to the update Cisco released this afternoon, the evil packets may be any of the following protocols:

IP Protocol 53 -- SWIPE -- a network-layer encrypted encapsulation protocol for IP; pre-dates IPsec and seems not to have been widely implemented

IP Protocol 55 -- IP Mobility -- a minimal encapsulation scheme developed to modify routing for IP datagrams

IP Protocol 77 -- Sun Network Disk boot protocol -- a temporary protocol assignment that predates the invention of the Network File System in 1984.

IP Protocol 103 -- Protocol Independent Multicast (PIM) -- a multicast routing protocol designed to thrive in sparsely populated wide area networks, and the only one of the vulnerable protocols that appears to still be in active use and development.

---> of course, cos none of us run obsolete protocols, the only one of these that should still be used in production environments is IP/103. so DoS attacks on any of the other three can be detected with IDS signatures for IP/53, IP/55, and IP/77. and a sensible "deny all" access control list will prevent any of these from hitting vulnerable systems.

information on the detailed structure of the evil packets in these protocols is not yet public AFAIK.

as jim duncan pointed out, the advisory can be reached without a login required at

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

cheers -- tbird

--
A computer lets you make more mistakes faster than any invention in human history - with the possible exception of handguns and tequila.
        -- Mitch Ratliff

http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
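The post's detection suggestion is a protocol-number match: an IDS signature (or an ACL counter) on IP protocols 53, 55 and 77, with 103 (PIM) treated separately because it is the one protocol still in legitimate use. The following is an added example, not code from the original post or from Cisco, showing what that check looks like in practice: a minimal IPv4 header parser that decodes the protocol field and raises an alert for the four numbers the post lists, distinguishing the three obsolete protocols (a hit is almost certainly unwanted traffic) from PIM (a hit needs review against the site's multicast design). The sample datagrams, addresses and the `build_ipv4` helper are constructed for this example and are not taken from the advisory.

```python
# Added example (not from the original post or the Cisco advisory): flag IPv4
# datagrams whose protocol field is one of 53, 55, 77 or 103, as a simple
# IDS-style check. Sample packets below are constructed for this example.
import struct
from typing import List, Optional

# Protocol numbers named in the post, with the post's own names and an
# operational note: "obsolete" ones should never appear on a production
# network; PIM is in legitimate use and only merits review.
FLAGGED_PROTOCOLS = {
    53: ("SWIPE", "obsolete"),
    55: ("IP Mobility", "obsolete"),
    77: ("Sun ND", "obsolete"),
    103: ("PIM", "in-use, review"),
}

IPV4_HEADER = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields of a fixed IPv4 header needed for this check.

    Options are skipped via IHL; anything that is not a plausible IPv4
    header raises ValueError rather than being silently classified.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    ver_ihl, _tos, _tlen, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HEADER, packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "protocol": proto,
        "ttl": ttl,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "header_len": ihl,
    }


def build_ipv4(proto: int, src: str, dst: str, ttl: int = 64,
               payload: bytes = b"") -> bytes:
    """Construct a sample IPv4 datagram for offline testing (checksum left 0)."""
    hdr = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + payload


def check_packet(packet: bytes) -> Optional[str]:
    """Return a one-line alert for a flagged protocol, or None if not flagged."""
    f = parse_ipv4_header(packet)
    hit = FLAGGED_PROTOCOLS.get(f["protocol"])
    if hit is None:
        return None
    name, note = hit
    return (f"ALERT proto={f['protocol']} ({name}; {note}) "
            f"{f['src']} -> {f['dst']} ttl={f['ttl']}")


def scan(packets: List[bytes]) -> List[str]:
    """Run check_packet over a capture and collect the alerts."""
    return [a for a in (check_packet(p) for p in packets) if a is not None]


# Constructed sample traffic: ordinary TCP, a PIM hello to the PIM routers
# group, and two datagrams using protocols that no production host should send.
SAMPLE_PACKETS = [
    build_ipv4(6, "192.0.2.10", "192.0.2.1", payload=b"\x00" * 20),  # TCP
    build_ipv4(103, "192.0.2.20", "224.0.0.13", ttl=1),               # PIM
    build_ipv4(53, "198.51.100.7", "192.0.2.1"),                      # SWIPE
    build_ipv4(77, "198.51.100.8", "192.0.2.1"),                      # Sun ND
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

Running the block prints three alerts: the PIM packet tagged "in-use, review" and the two obsolete-protocol packets tagged "obsolete"; the TCP packet produces nothing. Matching only on the protocol number is exactly what the post proposes, and it is also the limit of what can be done while the packet structure stays unpublished: the check cannot tell a benign PIM hello from a malicious one, which is why PIM gets a review note rather than a block.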
This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 10:46:27 PDT