Cisco Security Advisory TCP DoS

Published: 2009-09-08
Last Updated: 2009-09-09 11:10:09 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

ISC reader Kurt reported that Cisco has released an advisory on TCP state manipulation vulnerabilities that cause a denial of service on multiple Cisco products. By manipulating the state of TCP connections, an attacker can force connections to remain in a long-lived or indefinite state. If enough connections are held this way, resources on the device are consumed, new TCP connections are no longer accepted, and the resulting DoS can persist indefinitely.

Additional information on the Cisco advisory is available here.

The following products are affected:

  • Cisco IOS-XE Software
  • Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected if they are configured with specific features
  • The version of Cisco NX-OS Software that is running on Cisco Nexus 5000 and 7000 series devices
  • Scientific Atlanta customers are instructed to contact Scientific Atlanta's Technical Support for questions regarding the impact, mitigation and remediation of the vulnerabilities
  • Customers with Linksys products should contact Linksys security for questions regarding the impact, mitigation and remediation of the vulnerabilities

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org


In addition to the Cisco advisory, there is some additional information and response to the issue from other vendors here. - M

Keywords: Cisco DoS
1 comment(s)


According to the advisory, 'A device running Cisco IOS Software that is under attack will have numerous hung TCP connections in the FINWAIT1 state.'

I believe this is the issue presented in Phrack #66 and mentioned here in diary #6574 ( ). If I remember rightly, the attacker sends TCP ACKs every few minutes or so with 'win 0' which I think you can match in Linux iptables with '-m u32 --u32 0x20&0xffff=0x0', eg. for LOGging, or even DROPping (which would allow the connection to time out and reset, preventing the attack).
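As an added example (not code from the diary, the commenter, or Cisco), the following Python shows the detection idea behind the diary's description and the comment above: it parses constructed IPv4/TCP packets, flags ACK segments that advertise a zero receive window, and counts them per source so a host that keeps sending them stands out. It also emulates the fixed-offset u32 expression quoted in the comment (`0x20&0xffff=0x0`) to show a caveat: byte offset 0x20 only lands on the TCP window field when the IP header is exactly 20 bytes, so a packet carrying IP options is missed. The addresses, packets, and threshold are constructed for the example; checksums are left at zero.

```python
import struct
from collections import Counter

# Constructed sample data only; these are not captures from an attack.
TCP_FLAG_ACK = 0x10

def parse_ipv4_tcp(pkt: bytes):
    """Return (src_ip, dst_ip, tcp_flags, window) for an IPv4/TCP packet.
    The TCP header offset is taken from the IHL field, so IP options do
    not shift the fields. Returns None for non-TCP or truncated packets."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                     # not TCP, or TCP header truncated
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:ihl + 20]
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    return src, dst, flags, window

def is_zero_window_ack(pkt: bytes) -> bool:
    """True for an ACK segment advertising a zero receive window."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    _, _, flags, window = parsed
    return bool(flags & TCP_FLAG_ACK) and window == 0

def u32_fixed_offset_match(pkt: bytes) -> bool:
    """Emulates the comment's u32 expression '0x20&0xffff=0x0': read the
    32-bit word at IP byte offset 32, keep the low 16 bits, compare to 0.
    Those bytes are the TCP window only when the IP header has no options."""
    if len(pkt) < 36:
        return False
    word = struct.unpack("!I", pkt[32:36])[0]
    return (word & 0xFFFF) == 0

def zero_window_sources(packets, threshold: int) -> dict:
    """Sources that sent at least `threshold` zero-window ACKs (a single
    zero window is normal flow control; a steady stream from one host is
    the pattern worth alerting on)."""
    counts = Counter()
    for pkt in packets:
        if is_zero_window_ack(pkt):
            counts[parse_ipv4_tcp(pkt)[0]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def build_packet(src: str, dst: str, flags: int, window: int,
                 options: bytes = b"") -> bytes:
    """Constructed IPv4/TCP packet for the example (checksums left at 0)."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags,
                      window, 0, 0)
    return ip + tcp

# Constructed stream: one host repeats zero-window ACKs, a normal client
# sends ordinary ACKs plus a single legitimate zero window.
SAMPLE_PACKETS = (
    [build_packet("198.51.100.7", "192.0.2.10", TCP_FLAG_ACK, 0)] * 5
    + [build_packet("203.0.113.5", "192.0.2.10", TCP_FLAG_ACK, 65535)] * 3
    + [build_packet("203.0.113.5", "192.0.2.10", TCP_FLAG_ACK, 0)]
)

if __name__ == "__main__":
    print(zero_window_sources(SAMPLE_PACKETS, threshold=3))
    with_opts = build_packet("198.51.100.7", "192.0.2.10", TCP_FLAG_ACK, 0,
                             options=b"\x01\x01\x01\x00")  # NOP NOP NOP EOL
    print("IHL-aware match:", is_zero_window_ack(with_opts))
    print("fixed 0x20 match:", u32_fixed_offset_match(with_opts))
```

Because the fixed offset assumes a 20-byte IP header, an iptables rule that wants the same check regardless of IP options can use the IHL-relative form of the u32 match from the iptables manual, `0>>22&0x3C@12&0xffff=0x0` (step to the TCP header, read the word at TCP offset 12, keep the window in the low 16 bits); pairing it with `-p tcp --tcp-flags ACK ACK` restricts it to ACK segments. Either way, a zero window by itself is legitimate flow control, so logging and rate-based alerting per source is a safer first step than dropping.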
