RE: Working vulnerability? (Cisco exploit)
Yep, it's all a bit weird, I guess people are not too knowledgeable about it. For starters the original exploit won't work very well out of the box for most script kiddies (random source addresses -> killed by anti-spoofing), and a single packet to a vulnerable box isn't enough (need to fill the queue slots). More of an annoyance really - most of the outages as a result are going to be from people upgrading boxes, not victims of attack. BB
-----Original Message-----
From: jlewis@lewis.org
On Fri, 18 Jul 2003, Ben Buxton wrote:
It's released and it works - I have verified it in a lab here.
And others are trying it in the field now. I setup the recommended transit ACLs yesterday. Starting at 9:25am EDT this morning, those ACLs started getting hits. What doesn't make sense to me is according to the advisory, the packets have to be destined for the router to crash it (not just passed through it), but people are attacking seemingly random IPs, including ones in a new ARIN block that have not yet been assigned/used for anything. What do they think they're attacking?
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
B.Buxton@Planettechnologies.nl ("Ben Buxton") writes:
For starters the original explit wont work very well out of the box for most script kiddies (random source addresses -> killed by anti-spoofing)
Please put a ":-)" in when you're being humorous. That one was subtle enough that I just about laughed coffee out my nose.

For the record, script kiddies (and others) encounter no significant blockage when using random source addresses. I'd estimate that less than a tenth of a percent (that's 0.1%) of edge paths use RPF, even though BCP38 states the case clearly and the technology makes it easy and there are plenty of recipes and examples available.

For a truly stunning example, consider that one of the low-end members of the f-root cluster has gone 60 days since its counters were last cleared, yet...

#sfo2b.f:i386# ipfw show
...
00400 39787994 2630377143 deny ip from 10.0.0.0/8 to any in
00500 38090617 2460350048 deny ip from 172.16.0.0/12 to any in
00600 24926636 1658950280 deny ip from 192.168.0.0/16 to any in
...

...it has received almost 7GBytes of rfc1918-sourced traffic in that time. I don't mean by that example to support my 0.1% assertion, but rather to show that far from filtering not-theirs on ingress, the vast majority of providers can't even filter not-anybodys on egress -- an easier problem!

Don't underestimate script kiddies. If you leave a door wide open, they WILL walk through.

-- Paul Vixie
Paul Vixie wrote:
I'd estimate than less than a tenth of a percent (that's 0.1%) of edge paths use RPF, even though BCP38 states the case clearly and the technology makes it easy
"Makes it easy" if you live in an Internet with a number of routes significantly less than the limit imposed for having stable RPF enabled on your devices, or have devices without bugs in RPF checking when said limit is spotted vaguely across the horizon. I don't seem to be in either of those places. (Although I have not sacrificed a router in the last upgrade version or two to see if things have improved.)
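The RPF behaviour Paul and Steve are arguing about, as an added example that is not code from anyone in this thread: a toy unicast RPF check over a constructed FIB, showing why strict mode drops spoofed and RFC1918-sourced packets, why loose mode still drops bogons, and how strict mode also drops legitimate traffic on asymmetric paths (the operational pain Steve describes). Interface names, prefixes and packets are all assumptions made up for the example.

```python
"""Toy strict/loose unicast RPF (BCP38-style ingress filter).

Added illustration, not code from the thread. The FIB, interface
names and sample packets below are constructed for the example.
"""
import ipaddress

# Constructed FIB: prefix -> interface the router would forward to.
# "null0" marks a discard route (bogon / RFC1918 sink).
FIB = {
    "0.0.0.0/0": "upstream0",        # default route to transit
    "192.0.2.0/24": "cust0",         # customer A
    "198.51.100.0/24": "cust1",      # customer B
    "10.0.0.0/8": "null0",           # RFC1918 sinks, as in the ipfw rules
    "172.16.0.0/12": "null0",
    "192.168.0.0/16": "null0",
}
NETS = [(ipaddress.ip_network(p), i) for p, i in FIB.items()]


def lookup(addr):
    """Longest-prefix match; returns the egress interface or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, iface in NETS:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf(src, ingress, mode="strict"):
    """True if a packet with source `src` arriving on `ingress` passes.

    strict: the route back to src must point out the ingress interface.
    loose:  any non-discard route to src is enough (tolerates asymmetry).
    Both modes drop sources with no route or a discard route.
    """
    via = lookup(src)
    if via is None or via == "null0":
        return False
    if mode == "loose":
        return True
    return via == ingress


if __name__ == "__main__":
    for src, iface in [("10.1.2.3", "upstream0"), ("192.0.2.5", "upstream0"),
                       ("192.0.2.5", "cust0"), ("192.0.2.5", "cust1")]:
        print(src, iface, "strict:", urpf(src, iface), "loose:", urpf(src, iface, "loose"))
```

The fourth packet (a customer-A source arriving on customer B's link, as happens with a multihomed customer) passes loose mode but fails strict mode; that is the asymmetric-routing case that makes operators reach for loose mode or skip RPF entirely.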
] Please put a ":-)" in when you're being humourous. That one was subtle
] enough that I just about laughed coffee out my nose.

Coffee abuse! Coffee abuse! :)

Well said, re: RFC1918 and filtering. For those of you looking to automate some of your filtering, please visit the Bogon Route-Server Project page: <http://www.cymru.com/BGP/bogon-rs.html> It isn't perfect, but it does help. Suggestions and feedback are always welcome!

] Don't underestimate script kiddies. If you leave a door wide open, they
] WILL walk through.

Indeed. It's amazing how folks continue to dismiss the script kiddies while I've seen those same script kiddies "own" over 500K devices since 01 JAN 2003. What a bunch of lamers, they should have owned 1M devices by now, eh? :|

-- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
participants (4): Ben Buxton, Paul Vixie, Rob Thomas, Steve Francis