(PM) Here is Cisco's Official Fix Info FW: Field Notice: TCP loopback DoS Attack (land.c) and Cisco

Elric of Melnibone (elric@melnibone.org)
Sat, 22 Nov 1997 11:37:42 -0600

I thought this might help with designing filters on the PM

-----Original Message-----
From: John Bashinski [SMTP:jbash@CISCO.COM]
Sent: Friday, November 21, 1997 4:38 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: Field Notice: TCP loopback DoS Attack (land.c) and Cisco Devices

-----BEGIN PGP SIGNED MESSAGE-----
Field Notice:
TCP loopback DoS Attack (land.c) and Cisco Devices
November 21, 1997, 14:00 AM US/Pacific, Revision 1
- --------------------------------------------------

Summary
- -----
Somebody has released a program, known as land.c, which can be used to launch
denial of service attacks against various TCP implementations. The program
sends a TCP SYN packet (a connection initiation), giving the target host's
address as both source and destination, and using the same port on the target
host as both source and destination.
Classic IOS software (used on Cisco routers with product numbers greater than
1000, on the CGS/MGS/AGS+, and on the CS-500) is moderately vulnerable to this
attack. For some IOS versions, if the attack is launched against a TCP port
that is actually listening (say the TELNET port), then invalid connection data
will be created, preventing further legitimate connections for approximately 30
seconds. High CPU loads may result on some IOS versions. We observed a complete
hang on one 11.5 system, but have been unable to reproduce that failure. Based
on very preliminary data, the router's packet forwarding functions are not
generally affected.
IOS/700 (used on Cisco 7xx routers) is also vulnerable. The 7xx vulnerability
is more devastating than the classic IOS vulnerability, but probably less
dangerous for most customers, since firewalls separate most 7xx routers from
the Internet.
The PIX firewall does not appear to be affected. Initial testing of the
Centri firewall tends to indicate that it is not affected.
We're working on characterizing other products' vulnerability to attack.
Updates will be issued as information becomes available.
Who is Affected
- -------------
All IOS and IOS/700 systems that can be reached via TCP from untrusted hosts
are affected, provided that the reachable TCP ports are ports on which IOS
ordinarily provides service. The attack requires spoofing the target's own
address, so systems behind effective anti-spoofing firewalls are safe.
Impact
- ----
Classic IOS systems may experience slowdowns while under active attack. On IOS
software versions earlier than 11.2(4), new TCP connections will fail for a
period of about 30 seconds after any attack packet is received. IOS versions
later than 11.2(4), or that contain the fix for bug ID CSCdi87533, may
experience slowdowns, but should continue to accept new TCP connections. Most
IOS versions appear to recover completely within a few minutes of the attack
stopping, but we have not yet fully characterized the effect on all IOS
versions. One complete failure was observed; the version was 11.1(5). A
configuration workaround for classic IOS can prevent the problem entirely,
subject to performance restrictions.
IOS/700 systems subjected to the attack will hang indefinitely and must be
physically reset. A configuration workaround for IOS/700 can prevent the
problem entirely.
Initial tests indicate that the PIX firewall is not vulnerable to this attack.
Tests have been conducted with version 4.1.3.245 and 4.0.7.
Initial tests indicate that the Centri firewall (build 4.110) is not
vulnerable to this attack with no exposed service configured. We have not yet
tested the Centri product with exposed services.
Workaround for Classic IOS
- ------------------------
Classic IOS users can use input access lists on their interfaces to prevent the
attack packets from entering their TCP stacks. This will prevent the attack
entirely, but may have unacceptable performance impacts on heavily loaded
high-end routers. Traffic will still be fast-switched, but higher-speed
switching modes may be disabled. It should be tried with care.
If you have no existing input access lists, create a new IP extended access
list. Use a presently-unused number between 100 and 199. The access list must
have an entry for each of the IP addresses configured on the system.
Deny packets from each address to itself. For example:
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
If you have existing access lists, you'll need to merge the new entries in an
appropriate way, generally at the top of the list. The access list should be
applied incoming on all interfaces, so a fragment of a total router
configuration might look like this:
interface ethernet 0
ip address 1.2.3.4 255.255.255.0
ip access-group 101 in
!
interface ethernet 1
ip address 5.6.7.8
ip access-group 101 in
!
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Workaround for IOS/700
- --------------------
Add the following configuration command to any profile that may be active when
connected to a potentially hostile network:
set ip filter tcp in source <7xx IP address> destination <7xx IP address> block
Using Cisco Products to Protect Other Systems
- -------------------------------------------
We do not believe that this attack can be used against systems behind our
dedicated firewall products, the PIX and Centri firewalls, unless
general-purpose tunnels have been enabled through the firewalls.
Properly designed anti-spoofing access lists at border routers can be used to
prevent the attack from entering a private network from the Internet. Use the
access lists to filter out packets whose IP source addresses are on your
internal net, but which are arriving from interfaces connected to the outside
Internet.
Exploitation and Public Announcements
- -----------------------------------
Cisco has had multiple reports of this vulnerability.
Most exploitation seems to be using the original program, which sends one
packet at a time. Floods of invalid packets have not been reported.
This issue has been widely discussed in a variety of Internet fora.
Cisco first heard of this problem on the morning of Friday, November 21.
Distribution of this Notice
- -------------------------
This notice is being sent to the following Internet mailing lists and
newsgroups:
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* bugtraq@netspace.org
* first-teams@first.org (includes CERT/CC)
* nanog@merit.edu

Updates will be sent to some or all of these, as appropriate.
This notice will be posted in the "Field Notices" section of Cisco's
Worldwide Web site, which can be found under "Technical Tips" in the
"Service and Support" section. The URL will be
http://www.cisco.com/warp/public/770/land-pub.shtml
The copy on the Worldwide Web will be updated as appropriate.
Cisco Security Procedures
- -----------------------
Please report security issues with Cisco products to
security-alert@cisco.com.

This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNHYMogyPsuGbHvEpAQHojQgAtU3nEwtn+2Xg8W8jLTcCIiF+q0oFhmMS
Z54T67xooTmsWbLzv409AYR73G/TbsNgflzQZa8amAXbz6EIUlzaYqJdHB2B7FsH
GFh8c7VFZZ7zp9r9UVJJYjSYwRENLpDaKb5kx//zOFF/9eh4G95cJ6zMMLukSreJ
MAA+5xc23SV+fpk+AmxEzWifAYoIz9KRsK0/GTHA93F17MZEvTIauVf3VxD8DSHV
zA7ndUNuxH0rg2oGOok4XbiBSSXK3glkkCAkJ0OzGEPt7RZ1EcJ+TpTJpETu+F7z
0XyJXF25TxoMAu8MmmM4IQvRtZzM0PGCA6X3XErg6wiUFJL1JFpejQ==
=SkPH
-----END PGP SIGNATURE-----
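The attack signature in the notice's Summary (a TCP SYN whose source address and port equal the target's own address and port) and the anti-spoofing rule in "Using Cisco Products to Protect Other Systems" can both be expressed as checks over a raw packet. The following is an added example written for this archive page; it is not code from Cisco's notice or from the forwarded post. The packets, the router address 1.2.3.4 and the internal prefixes are all constructed for illustration, and the IP/TCP checksums are left at zero because the checks never consult them.

```python
import struct
import ipaddress

# ---- constructed sample packets (not captures; built here for illustration) ----

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags=0x02):
    """Build a minimal IPv4 header + 20-byte TCP header (no options, no payload).
    Checksums are left zero: nothing below needs them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src, dst, proto, sport, dport, tcp_flags) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = pkt[9]
    if proto != 6 or len(pkt) < ihl + 20:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]               # CWR ECE URG ACK PSH RST SYN FIN
    return src, dst, proto, sport, dport, flags

def is_land_packet(pkt):
    """land.c shape: source address == destination address and
    source port == destination port.  The notice's access list is even
    broader (any TCP from an interface address to itself), so the flag
    bits are deliberately not required to be SYN here."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return False
    src, dst, _, sport, dport, _ = hdr
    return src == dst and sport == dport

def is_spoofed_ingress(pkt, iface_is_external, internal_nets):
    """Anti-spoofing rule from the notice: a packet arriving on an
    Internet-facing interface must not carry an internal source address."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None or not iface_is_external:
        return False
    src = ipaddress.IPv4Address(hdr[0])
    return any(src in net for net in internal_nets)

# Assumed addressing, reusing the notice's example router address 1.2.3.4.
ROUTER = "1.2.3.4"
INTERNAL = [ipaddress.ip_network("1.2.3.0/24"), ipaddress.ip_network("5.6.7.0/24")]

LAND = build_ipv4_tcp(ROUTER, ROUTER, 23, 23)               # the attack packet
NORMAL_TELNET = build_ipv4_tcp("192.0.2.10", ROUTER, 40000, 23)
SPOOFED = build_ipv4_tcp("1.2.3.50", ROUTER, 40000, 23)     # inside address from outside

def classify(pkt, iface_is_external=True):
    """Verdict for a packet seen on a border interface, land check first."""
    if is_land_packet(pkt):
        return "drop: land"
    if is_spoofed_ingress(pkt, iface_is_external, INTERNAL):
        return "drop: spoofed internal source on external interface"
    return "permit"

if __name__ == "__main__":
    for name, p in (("land", LAND), ("telnet", NORMAL_TELNET), ("spoofed", SPOOFED)):
        print(f"{name:8s} {classify(p)}")
```

Note that the land packet is also caught by the anti-spoofing check on its own, since its source address is the router's and therefore "internal": that is exactly why the notice says systems behind effective anti-spoofing filters are safe even without the per-address deny entries.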

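The "Workaround for Classic IOS" section relies on two details of IOS extended access lists that are easy to get wrong when porting the filter to another device: the masks are wildcard (inverse) masks, so 0.0.0.0 means an exact host match and 255.255.255.255 means any address, and the list is evaluated first match wins with an implicit deny at the end. The evaluator below is an added example for this page (not Cisco's or the poster's code) that models those semantics for the exact syntax used in the notice and applies the notice's access-list 101 to sample packets; it also shows what happens if the deny entries are merged below the permit, which is why the notice says to put them at the top.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Parse lines of the form
       access-list N (permit|deny) PROTO SRC SRC_WILDCARD DST DST_WILDCARD
    Only this extended-ACL shape (as used in the notice) is supported;
    port operators and keywords such as 'any' or 'host' are not."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list":
            raise ValueError(f"unsupported line: {line!r}")
        _, number, action, proto, src, swc, dst, dwc = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        rules.append({
            "number": int(number), "action": action, "proto": proto,
            "src": _to_int(src), "swc": _to_int(swc),
            "dst": _to_int(dst), "dwc": _to_int(dwc),
        })
    return rules

def _addr_match(addr, rule_addr, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (rule_addr & care)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def evaluate(rules, proto_num, src, dst):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    s, d = _to_int(src), _to_int(dst)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != PROTO_NAMES.get(proto_num):
            continue
        if _addr_match(s, r["src"], r["swc"]) and _addr_match(d, r["dst"], r["dwc"]):
            return r["action"]
    return "deny"   # implicit deny that ends every IOS access list

# The access list exactly as given in the notice.
ACL_101 = """
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Same entries merged in the wrong order (permit first): a constructed
# mistake, shown to demonstrate why the deny entries belong at the top.
ACL_101_WRONG_ORDER = """
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
"""

if __name__ == "__main__":
    good, bad = parse_acl(ACL_101), parse_acl(ACL_101_WRONG_ORDER)
    cases = [
        ("land packet to telnet", 6, "1.2.3.4", "1.2.3.4"),
        ("normal telnet from outside", 6, "192.0.2.10", "1.2.3.4"),
        ("udp self-to-self", 17, "1.2.3.4", "1.2.3.4"),
    ]
    for label, proto, s, d in cases:
        print(f"{label:28s} correct={evaluate(good, proto, s, d):6s} "
              f"wrong-order={evaluate(bad, proto, s, d)}")
```

The UDP case is worth noticing: the notice's list only denies TCP, so a self-addressed UDP datagram is permitted by it, which matches the notice's scope (land.c is a TCP attack) but is something to keep in mind when adapting the filter.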
-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.