(PM) DoS against ComOS

I don't work for Lucent RABU (livingston@iav.com)
Fri, 5 Feb 1999 13:14:40 -1000 (HST)

*note to support at LRABU, no response necessary to this message*

Reference today's bugtraq mailing list...
www.geek-girl.com has archives in case you're interested.

Date: Thu, 4 Feb 1999 11:05:31 -0600
From: HD Moore <hdmoore@USA.NET>
To: BUGTRAQ@netspace.org
Subject: Widespread Router Access Port DoS

+--------[ Router Access Port DoS

The tcp access / configuration ports on most routers can be disabled
remotely. These sit on port numbers like 23,2001,4001,6001, and 9001.
The attack simply consists of shoving a few thousand bytes of any
character down the connection; a couple of times may be needed for some
routers, with the length of time of the DoS related to the amount of
bytes you send down the initial connection. Some Ciscos would have to
be reset manually to fix this, others will recover by themselves given a
few minutes, hours, or days. ComOS seems to be in the manual-reset
category, as I haven't found one yet that recovers from a 1 minute
attack on their access ports. Normal operation continues; only in a
few freak cases did the router drop the entire network / reset
connections as a result.

[snip]

Okay, I sent this to support without the snippage... and yes, there is a
DoS possible.

In a short time frame one can hang the telnet port on PM3s and OR-HSs; it
will look like:

433 3072 0 oprah.iav.com.3666 iav.com.2921 TIME WAIT
432 3072 0 oprah.iav.com.3666 iav.com.2918 TIME WAIT
405 3072 0 oprah.iav.com.3666 iav.com.2892 TIME WAIT

Doing a reset nX (i.e. n433) will report that it's been reset, BUT it won't
clear immediately. It took a few minutes, then became normal. Thus, if
someone didn't want you to get onto the PM, they'd just keep hammering at
it to clog the telnet ports.

So, to protect against this, filter out non-trusted logins on your telnet
port.

Does someone want to give an example, as I'm lousy at filter setups...

--
Aloha from Paradise,

Sherwood
Got Clue? If so: ISPF! The Forum for ISPs by ISPs, <http://www.ispf.com>

- To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe portmaster-users' in the body of the message. Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
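As an added example (not code from the original post, from Livingston/Lucent, or from HD Moore), the following Python snippet shows how one could spot the symptom described above from a connection table: a single remote host piling up TIME WAIT sockets on the router's TCP access ports. It assumes a `show netconns`-style column layout of index, recv-q, send-q, local host.port, remote host.port, state (the post does not spell the columns out), the access port list is the one from the bugtraq post, and the sample lines are constructed.

```python
"""Flag hosts hammering a router's TCP access/configuration ports.

Added example, not code from the original post or from Livingston/Lucent.
Assumed line layout (not spelled out in the post):
    <index> <recv-q> <send-q> <local host.port> <remote host.port> <state>
"""
import re
from collections import Counter

# Access/configuration ports named in the bugtraq post.
ACCESS_PORTS = {23, 2001, 4001, 6001, 9001}

# Sockets lingering in TIME WAIT is the symptom shown in the post; ComOS
# prints the state with a space, BSD-style tools with an underscore.
STUCK_STATES = {"TIME WAIT", "TIME_WAIT"}

# host.port pairs: the greedy \S+ backtracks so the last ".digits" is the port.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(.+?)\s*$"
)

# Constructed sample, mimicking the layout in the post (hostnames are made up).
SAMPLE = """\
433 3072 0 pm3.example.net.23 10.0.0.9.3666 TIME WAIT
432 3072 0 pm3.example.net.23 10.0.0.9.3667 TIME WAIT
405 3072 0 pm3.example.net.23 10.0.0.9.3668 TIME WAIT
401 3072 0 pm3.example.net.23 10.0.0.9.3669 TIME WAIT
398 0 0 pm3.example.net.23 192.168.1.5.1025 ESTABLISHED
397 0 0 pm3.example.net.2001 10.0.0.9.3670 TIME WAIT
390 0 0 pm3.example.net.80 10.0.0.77.4000 TIME WAIT
"""


def parse_line(line):
    """Parse one connection-table line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    idx, rq, sq, lhost, lport, rhost, rport, state = m.groups()
    return {
        "index": int(idx),
        "recvq": int(rq),
        "sendq": int(sq),
        "local": (lhost, int(lport)),
        "remote": (rhost, int(rport)),
        "state": state.strip(),
    }


def stuck_access_sockets(lines):
    """Yield parsed entries that are stuck (TIME WAIT) on an access port."""
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["local"][1] in ACCESS_PORTS and entry["state"] in STUCK_STATES:
            yield entry


def hammering_hosts(lines, threshold=3):
    """Return {remote_host: count} for hosts with >= threshold stuck sockets.

    Traffic to non-access ports (e.g. 80) and healthy ESTABLISHED sessions
    are ignored, so a legitimate admin login does not trip the check.
    """
    counts = Counter(e["remote"][0] for e in stuck_access_sockets(lines))
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in hammering_hosts(SAMPLE.splitlines()).items():
        print(f"{host}: {n} stuck sockets on access ports")
```

Run it against the output of a real connection listing piped through `splitlines()`; a host that shows up here is a candidate for the ingress filter the post recommends (permit only trusted sources to port 23 and the other access ports, deny everyone else).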