ISC reader Kurt reported that Cisco has released an advisory on TCP state manipulation vulnerabilities that cause a denial of service in multiple Cisco products. An attacker can force TCP connections into a long-lived or indefinite state, preventing new TCP connections from being accepted, which could result in an indefinite DoS. Additional information on the Cisco advisory is available here. The following products are affected:
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

UPDATE: In addition to the Cisco advisory, there is further information and responses to the issue from other vendors here ==> https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html - M
Guy, 491 Posts, ISC Handler, Sep 8th 2009
According to the advisory, 'A device running Cisco IOS Software that is under attack will have numerous hung TCP connections in the FINWAIT1 state.'
I believe this is the issue presented in Phrack #66 and mentioned here in diary #6574 ( http://isc.sans.org/diary.html?storyid=6574 ). If I remember rightly, the attacker sends TCP ACKs every few minutes or so with 'win 0', which I think you can match in Linux iptables with '-m u32 --u32 0x20&0xffff=0x0', e.g. for LOGging, or even DROPping (which would allow the connection to time out and reset, preventing the attack).
Anonymous, Sep 8th 2009
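The u32 match quoted in the comment above reads the 16 bits at byte offset 0x20 of the IP packet, which is the TCP window field only when the IP header carries no options. The example below is added here and is not code from the diary or the commenter: it builds constructed IPv4/TCP packets, emulates that u32 expression, parses the window field properly by honouring the IHL, and counts repeated zero-window ACKs per source, the kind of check a defender might run when looking for the hung FIN-WAIT-1 connections the advisory describes. The addresses, threshold and packet contents are assumptions made for the demonstration.

```python
import struct
from collections import Counter

ACK = 0x10  # TCP ACK flag bit

def build_ipv4_tcp(src, dst, flags, window, ip_options=b""):
    """Constructed IPv4+TCP packet for testing (not captured traffic). Checksums are left at 0."""
    ihl = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 40 + len(ip_options), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, window, 0, 0)
    return ip_hdr + ip_options + tcp_hdr

def u32_rule_matches(pkt):
    """Emulate '-m u32 --u32 0x20&0xffff=0x0': load the 32-bit word at IP byte offset 0x20,
    keep its low 16 bits (bytes 34-35) and compare with zero. With a 20-byte IP header those
    bytes are the TCP window; with IP options present they fall inside the acknowledgement number."""
    word = struct.unpack("!I", pkt[0x20:0x24])[0]
    return (word & 0xFFFF) == 0

def is_zero_window_ack(pkt):
    """Parse the headers by their declared lengths so IP options cannot shift the window field.
    Returns (source address, True if the segment is an ACK advertising a zero window)."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    flags = pkt[ihl + 13]
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]
    return src, bool(flags & ACK) and window == 0

def flag_persistent_zero_window(pkts, threshold=3):
    """Count zero-window ACKs per source and report sources at or above the threshold;
    a peer that keeps sending them is holding the local socket open without draining data."""
    counts = Counter()
    for p in pkts:
        src, hit = is_zero_window_ack(p)
        if hit:
            counts[src] += 1
    return {s: n for s, n in counts.items() if n >= threshold}
```

The real u32 module can skip past a variable-length IP header with the prefix `0>>22&0x3C@`, which is the fix for the options case the emulated rule misses.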