Did you read the reply from the Cisco rep to bugtraq?
It's the design of the TCP/IP implementation that is causing this 'annoyance.'
It is NOT a failure of ComOS. Why else would the attack posted to bugtraq
be listed as "Widespread Router Access Port DoS"? If anything you could
actually twist this into a way to prevent unauthorized entry... clog the
ports and when you need to use it go in with another method and reset a
handle, then get in through telnet 8) okay that's pretty lame...
> The point is that there is a problem in the ComOS telnet/login code, and
> the fact that you can throw filters up to minimize the risk does not mean
> the problem should not be fixed. If you do the same thing against a
> FreeBSD system, and presumably many/most other Unix systems, it does not
> lock up the network connection. Why should we expect ComOS to be any
> different? There are reasons to explain the different behaviour, but
> they do not justify that behaviour, once the problem is pointed out.
Well, for one thing you have a limited number of telnet ttys on PMs; most
*nix systems have a MUCH higher limit, so I guess in theory if you have a
script that keeps banging away you could do a similar attack, just not as
easily. Cisco's reply is that they also have 'session-timeout' and
'exec-timeout' features that should reset the port as necessary. Mayhaps
sending an RFE to support@livingston.com would be in order?
[snip]
> Is the exposure of this one large enough to justify a code change? I
> think so, although I don't think there's a need to rush out a fix
> immediately. If it were my decision, I would try to fix it in the next
> regular release, and issue a security advisory listing the ways to avoid
> the problem and recover from it if it happens. But I don't work for
> Lucent, so we'll just have to see how they choose to deal with this.
I'll wholeheartedly agree with this paragraph! To get such implemented,
send in your RFE to support@livingston.com. List what you would like
added/fixed and WHY it would be valuable.
--
Aloha from Paradise,
Sherwood
Got Clue? If so: ISPF! The Forum for ISPs by ISPs, <http://www.ispf.com>
-
To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>