On Fri, Jul 10, 2015 at 12:05:50PM +1000, Mark Andrews wrote:
In message <011d01d0bab1$e7890a00$b69b1e00$@gmail.com>, "Chuck Church" writes:
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Jared Mauch
Sent: Thursday, July 09, 2015 9:08 AM
To: Colin Johnston
Cc: nanog@nanog.org
Subject: Re: Possible Sudden Uptick in ASA DOS?
My guess is a researcher.
I wouldn't classify someone sending known malicious traffic towards someone else's network device attempting to crash it as a 'researcher'. Criminal is a better term.
Chuck
At what point does a well formed but bug triggering packet go from "malicious" to "expected"?
Don't know. Let's say it was something else. I've seen well-formatted things that crash BIND. When posting to the bind-users list it caused people to wonder why I didn't contact the security team first.

The ASA is mostly a black box; it could be any number of things from a kernel bug to IPSEC, SSH, etc. that trigger the issue.

I would say malformed packets are common. I saw traffic coming from a specific employee home link ending up corrupted when reaching our SIP server. The result was it would crash as the malformed SIP was improperly parsed. The root cause? The wireless link connecting the employee to a local water tower was taking errors and the UDP checksums still matched with the corruption.

http://downloads.asterisk.org/pub/security/AST-2011-009.html

Either way, see above where I said it's a guess; I have no direct personal knowledge. I'm guessing someone running a honeypot or darknet would have packets from the researcher types.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
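The "UDP checksums still matched with the corruption" failure mode above is worth seeing concretely, because it is why a parser must treat a checksum-valid datagram as untrusted input. The Internet checksum (RFC 1071) is a 16-bit one's-complement sum, so two bit errors at the same bit position in the same half of two different 16-bit words (one 0->1, the other 1->0) cancel and go undetected. The script below is an added example, not code from the thread or from Asterisk; it builds a UDP-style datagram around a constructed SIP request, shows that a single bit flip is caught, and then finds a compensating pair of flips that leaves the checksum valid while turning the method into garbage. It omits the IPv4 pseudo-header and the "computed 0 is sent as 0xFFFF" rule that real UDP adds; both are labelled simplifications and do not change the cancellation property.

```python
"""Added example: how link-layer corruption can slip past the RFC 1071
checksum used by UDP/IPv4.  Not from the NANOG thread or Asterisk.

Simplifications (assumptions, not real-world UDP):
  * no IPv4 pseudo-header in the checksum input
  * a computed checksum of 0 is not remapped to 0xFFFF
"""
import struct

# Constructed sample payload (not a captured packet).
SIP_REQUEST = (
    b"INVITE sip:bob@example.org SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd length, as UDP does
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back in (one's-complement add)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP-shaped header (src, dst, length, checksum) plus payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = internet_checksum(header + payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify(datagram: bytes) -> bool:
    """Receiver check: summing everything including the checksum field
    gives all-ones, so the complemented result is 0."""
    return internet_checksum(datagram) == 0


def corrupt_single_bit(datagram: bytes, offset: int = 8, bit: int = 0) -> bytes:
    """One bit error: adds or removes 2^bit from one word, always detected."""
    buf = bytearray(datagram)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def find_compensating_flip(datagram: bytes, start: int = 8):
    """Find two payload bytes in the same half of their 16-bit words
    (same offset parity) where a given bit is clear in one and set in the
    other.  Flipping both adds 2^b to one word and subtracts it from the
    other, so the one's-complement sum is unchanged."""
    n = len(datagram)
    for b in range(8):
        for i in range(start, n):
            if (datagram[i] >> b) & 1:
                continue  # need a clear bit here
            for j in range(i + 2, n, 2):  # same parity as i
                if (datagram[j] >> b) & 1:
                    return i, j, b
    return None


def corrupt_undetectably(datagram: bytes) -> bytes:
    """Apply a compensating two-bit error that the checksum cannot see."""
    found = find_compensating_flip(datagram)
    if found is None:
        raise ValueError("no compensating pair in payload")
    i, j, b = found
    buf = bytearray(datagram)
    buf[i] ^= 1 << b
    buf[j] ^= 1 << b
    return bytes(buf)


def demo() -> dict:
    good = build_datagram(5060, 5060, SIP_REQUEST)
    one_flip = corrupt_single_bit(good)
    two_flips = corrupt_undetectably(good)
    return {
        "good_ok": verify(good),            # True
        "one_flip_ok": verify(one_flip),    # False: detected
        "two_flips_ok": verify(two_flips),  # True: NOT detected
        "two_flips_method": two_flips[8:14],  # b"IOVHTE" instead of b"INVITE"
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

With this payload the finder pairs bit 0 of the "N" in INVITE (0x4E, clear) with bit 0 of the following "I" (0x49, set): the words 0x494E and 0x5649 become 0x494F and 0x5648, the sum is identical, and the receiver accepts "IOVHTE". Anything that parses the result has to be written as though the checksum had never been checked.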