Possible Sudden Uptick in ASA DOS?

Jared Mauch jared at puck.Nether.net
Fri Jul 10 12:17:01 UTC 2015


On Fri, Jul 10, 2015 at 12:05:50PM +1000, Mark Andrews wrote:
> 
> In message <[email protected]>, "Chuck Church" writes:
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Jared Mauch
> > Sent: Thursday, July 09, 2015 9:08 AM
> > To: Colin Johnston
> > Cc: nanog at nanog.org
> > Subject: Re: Possible Sudden Uptick in ASA DOS?
> >
> > >My guess is a researcher.
> >
> >
> > I wouldn't classify someone sending known malicious traffic towards
> > someone else's network device attempting to crash it as a 'researcher'.
> > Criminal is a better term.
> >
> > Chuck
> 
> At what point does a well formed but bug triggering packet go from
> "malicious" to "expected"?

	Don't know.  Let's say it was something else.  I've seen well-
formatted things that crash BIND.  When posting to the bind-users
list it caused people to wonder why I didn't contact the security
team first.

	The ASA is mostly a black box; it could be any number of things,
from a kernel bug to IPSEC, SSH, etc., that triggers the issue.

	I would say malformed packets are common.  I saw traffic
coming from a specific employee home link ending up corrupted
when reaching our SIP server.  The result was it would crash as the
malformed SIP was improperly parsed.  The root cause?  The wireless
link connecting the employee to a local water tower was taking errors
and the UDP checksums still matched with the corruption.

http://downloads.asterisk.org/pub/security/AST-2011-009.html

	Either way see above where i said it's a guess, I have
no direct personal knowledge.  I'm guessing someone running
a honeypot or darknet would have packets from the researcher types.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
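The water-tower anecdote above turns on a property of the UDP checksum that is worth seeing concretely: the RFC 1071 ones-complement sum over 16-bit words is commutative and linear, so two classes of link corruption, swapping two aligned words and a +d/-d pair of errors in two different words, leave the checksum unchanged and are delivered to the application as if nothing happened. The script below is an added example written for this archive page, not code from Jared's message or from Asterisk. The addresses, ports and SIP request are constructed test data (RFC 5737 documentation addresses, a placeholder `example.invalid` domain); the corruption helpers are hypothetical and exist only to model the errors the link introduced.

```python
import struct

# Constructed endpoints: RFC 5737 documentation prefixes, SIP default port.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 5])
SRC_PORT, DST_PORT = 5060, 5060

# Constructed SIP INVITE used as the UDP payload (not a capture).
SIP_PAYLOAD = (
    b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones-complement sum of big-endian 16-bit words, folded and inverted."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int,
                 payload: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header, UDP header (checksum field 0) and data."""
    length = 8 + len(payload)
    pseudo_header = src_ip + dst_ip + struct.pack("!BBH", 0, 17, length)  # zero, proto 17
    udp_header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = internet_checksum(pseudo_header + udp_header + payload)
    return csum if csum != 0 else 0xFFFF  # RFC 768: 0 means "no checksum", send all-ones


def checksum_matches(received_payload: bytes, transmitted_checksum: int) -> bool:
    """Receiver-side check: recompute over the bytes that actually arrived."""
    return udp_checksum(SRC_IP, DST_IP, SRC_PORT, DST_PORT, received_payload) == transmitted_checksum


# --- hypothetical corruption models, not real link behaviour ---------------

def flip_bit(payload: bytes, byte_index: int, bit: int) -> bytes:
    """A single bit error in one byte."""
    b = bytearray(payload)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def swap_words(payload: bytes, i: int, j: int) -> bytes:
    """Two aligned 16-bit words exchange places; the sum is commutative, so the checksum holds."""
    b = bytearray(payload)
    b[2 * i:2 * i + 2], b[2 * j:2 * j + 2] = payload[2 * j:2 * j + 2], payload[2 * i:2 * i + 2]
    return bytes(b)


def compensating_errors(payload: bytes, i: int, j: int, delta: int) -> bytes:
    """Word i gains delta and word j loses delta; the integer sum is unchanged, so the checksum holds."""
    b = bytearray(payload)
    wi = int.from_bytes(b[2 * i:2 * i + 2], "big") + delta
    wj = int.from_bytes(b[2 * j:2 * j + 2], "big") - delta
    if not (0 <= wi <= 0xFFFF and 0 <= wj <= 0xFFFF):
        raise ValueError("delta would overflow a 16-bit word")
    b[2 * i:2 * i + 2] = wi.to_bytes(2, "big")
    b[2 * j:2 * j + 2] = wj.to_bytes(2, "big")
    return bytes(b)


def demo() -> dict:
    """Return, for each corruption, whether the receiver's checksum check still passes."""
    transmitted = udp_checksum(SRC_IP, DST_IP, SRC_PORT, DST_PORT, SIP_PAYLOAD)
    return {
        "single_bit_flip": checksum_matches(flip_bit(SIP_PAYLOAD, 0, 0), transmitted),
        # "INVITE" becomes "VIINTE": a request line no SIP parser should ever see
        "word_swap": checksum_matches(swap_words(SIP_PAYLOAD, 0, 1), transmitted),
        # "INVITE" becomes "IOVHTE"
        "compensating": checksum_matches(compensating_errors(SIP_PAYLOAD, 0, 1, 1), transmitted),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:16s} checksum {'PASSES' if passed else 'fails'}")
```

The single bit flip is caught, but both the word swap and the compensating pair sail through, which is how a garbage SIP request line can arrive at the server with a valid checksum. The practical conclusion is the one Jared draws: a checksum is an error-detection hint for the transport, not an integrity guarantee, so the application-layer parser has to survive arbitrary input on its own.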


