Just for fun we hit an old AGS+ router with 10.2(4) code on it.. Apparently older code is vulnerable too.. So.. everyone running AGS+'s in the core, beware.. *grin*

On Fri, 2003-07-18 at 11:34, Jason Frisvold wrote:
Ok, update to my testing :
On Fri, 2003-07-18 at 10:48, Jason Frisvold wrote:
Hi all,
First post.. I hope this is ok ...
We tested the Cisco vulnerability and I wanted to share our results with you ... <SNIP> Testing scenario is this :
Linux Machine (10.0.0.2/24)
Cisco 2514
    Ethernet0 (10.0.0.1/24) is in from the attacker
    Ethernet1 (192.168.0.1/24) is output to the 2501
Cisco 2501
    Ethernet0 (192.168.0.2/24) is in from the 2514
<SNIP>
Firstly, HPing (www.hping.org) can craft the packets required for this attack very simply... I won't post the exact command string, but it's not that hard to figure out... And with HPing, you can easily take down an interface in under a second.
Now, on to ACL testing...
3 ACL tests just to make sure we had everything correct ... We first tried the any any ACL that Cisco recommends :
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
This produced expected results. When placed on the interface, it prevented the router from being attacked.
Next, we tried an ACL with just the interface IP in it :
access-list 101 deny 53 any host 10.0.0.1
access-list 101 deny 55 any host 10.0.0.1
access-list 101 deny 77 any host 10.0.0.1
access-list 101 deny 103 any host 10.0.0.1
access-list 101 permit ip any any
We applied this to the Ethernet0 interface on the 2514. Attacks to that IP were prevented as expected.
Attacks through to the 2501 were not blocked, again as expected.
And finally, attacks to the ethernet1 interface on the 2514, which passes through the ethernet0 interface, still caused the ethernet0 interface to be attacked.
And the last test was an ACL containing all of the IP's on the router:
access-list 101 deny 53 any host 10.0.0.1
access-list 101 deny 55 any host 10.0.0.1
access-list 101 deny 77 any host 10.0.0.1
access-list 101 deny 103 any host 10.0.0.1
access-list 101 deny 53 any host 192.168.0.1
access-list 101 deny 55 any host 192.168.0.1
access-list 101 deny 77 any host 192.168.0.1
access-list 101 deny 103 any host 192.168.0.1
access-list 101 permit ip any any
This blocked all attacks on the 2514 while still allowing attacks through to the 2501.. This is as expected.
Also, another note. Loopback interfaces, while not vulnerable themselves, make it much easier to completely take out routers.. (We're assuming that the device is still vulnerable) If the attacker has the loopback of the router, they can run an attack at that interface. Every input interface will be attacked in succession. As each interface goes down and the traffic is re-routed, the next interface will fall under attack.
Just be sure to add the loopback IP as part of the ACL ... :)

--
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." -- Albert Einstein [1879-1955]
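As an added check, not from the post above or from Cisco: a small Python script that parses IOS extended access-list lines like the ones quoted in the thread and reports, under IOS first-match semantics, which router interface addresses the ACL still lets the four affected protocols reach. The interface table (including the loopback address) and the sample ACL are constructed from the thread's topology; the loopback address itself is hypothetical.

```python
from typing import Dict, List, Tuple

# IP protocol numbers the advisory's ACL denies (from the post).
VULNERABLE_PROTOS = (53, 55, 77, 103)

# Constructed: the 2514's interfaces from the test topology plus a hypothetical
# loopback (the post warns the loopback IP must be in the ACL too).
ROUTER_INTERFACES = {
    "Ethernet0": "10.0.0.1",
    "Ethernet1": "192.168.0.1",
    "Loopback0": "10.255.255.1",  # hypothetical address, not from the post
}

# The post's second ACL, which only covers Ethernet0's address.
PARTIAL_ACL = """\
access-list 101 deny 53 any host 10.0.0.1
access-list 101 deny 55 any host 10.0.0.1
access-list 101 deny 77 any host 10.0.0.1
access-list 101 deny 103 any host 10.0.0.1
access-list 101 permit ip any any"""

def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host A.B.C.D'; wildcard masks (unused in the post) are not handled."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address spec at token {i}: {tok[i]}")

def parse_acl(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (action, protocol, src, dst) for each extended access-list line."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list":
            src, i = _addr(tok, 4)
            entries.append((tok[2], tok[3], src, _addr(tok, i)[0]))
    return entries

def uncovered(acl_text: str, interfaces: Dict[str, str]) -> List[Tuple[str, int]]:
    """(interface, protocol) pairs the ACL permits; first match wins, no match is the implicit deny."""
    entries, gaps = parse_acl(acl_text), []
    for name, ip in interfaces.items():
        for proto in VULNERABLE_PROTOS:
            for action, pspec, _src, dst in entries:
                if pspec in ("ip", str(proto)) and dst in ("any", ip):
                    if action == "permit":
                        gaps.append((name, proto))
                    break
    return gaps
```

Run against PARTIAL_ACL it reports Ethernet1 and Loopback0 as still reachable for all four protocols, which is exactly the gap the thread's third ACL (and the loopback note) closes.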