OPS: SECURITY new packet of death
blast
blast at broder.com
Fri Nov 21 18:50:42 UTC 1997
On Fri, 21 Nov 1997, Karl Denninger wrote:
> On Fri, Nov 21, 1997 at 09:41:33AM -0600, Charley Kline wrote:
> > > land.c is this program
> > I tried it against a 7505 running 11.2(9)P and a 2511 running 11.2(7a),
> > with no obvious bad effects. The announcement does not indicate which
> > IOS versions are vulnerable; I'd love to know.
> >
> > Charley Kline kline at uiuc.edu
> > UIUC Network Architect n stuff
> Where do we get a copy of that to try out?
>
> I want to "challenge" some of our machines and routers.
Here are the results of my humble IOS testing of the land.c
denial of service 'sploit code.
-blast
IOS 11.2(9) on a 25xx
tcp0: I LISTEN 10.10.51.80:23 10.10.51.80:23 seq 3868
SYN WIN 2048
tcp0: O LISTEN 10.10.51.80:23 10.10.51.80:23 seq 3988480078
OPTS 4 ACK 3869 SYN WIN 4288
tcp0: I SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3988480078
OPTS 4 ACK 3869 SYN WIN 4288
tcp0: O SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3869
RST WIN 4288
tcp0: I SYNRCVD 10.10.51.80:23 10.10.51.80:23 seq 3869
RST WIN 4288
----------------------
IOS 11.1(12) on a 25xx
IOS 11.0(17) on 1005
The interesting thing about this test was that it would
freeze for a little while (until socket timed-out) then
I was able to telnet to the vty again. The router had to
RST me close before it did another TCP handshake for
the vty. It seems to have no problems forwarding L3 traffic
but my testing was not very complete. I was only looking
for KABOOM's.
tcp0: I LISTEN 10.10.51.16:23 10.10.51.16:23 seq 3868
SYN WIN 2048
tcp0: O LISTEN 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869
RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869
RST WIN 2144
tcp0: W SYNRCVD 10.10.51.16:23 10.10.51.16:23 estabBLOCK
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869
RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869
RST WIN 2144
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869
RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869
RST WIN 2144
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: O SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869
RST WIN 2144
tcp0: I SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3869
RST WIN 2144
tcp0: T CLOSED 10.10.51.16:23 10.10.51.16:23 early close
----------------------------------------------------------
IOS 10.3(10) on a 25xx goes KABOOM
IOS 10.2(latest) on 4000 goes KABOOM
It appears that 11.2 is your best bet and if you are pre-11
you got big problems.
-blast
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\ Tim Keanini | "The limits of my language, /
/ | are the limits of my world." \
\ blast at broder.com | --Ludwig Wittgenstein /
\ +================================================/
|Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6 |
/ PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html \
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
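An added example, not part of the original post and not Cisco tooling: a parser for debug traces in the format shown above that flags segments whose local and foreign endpoints are identical, and counts the R events and the early close that set the 11.1/11.0 trace apart from the 11.2 one. The sample reuses lines in the post's format plus one constructed record from 192.0.2.7; reading "I" as inbound and "R" as a retransmission is an assumption.

```python
import re

# Header line of one debug record: TCB, event letter, state, local and foreign endpoint.
HEAD = re.compile(
    r"^(?P<tcb>tcp\d+): (?P<ev>[A-Z]) (?P<state>[A-Z]+) "
    r"(?P<local>\d+(?:\.\d+){3}:\d+) (?P<foreign>\d+(?:\.\d+){3}:\d+)\s*(?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN"}

# Sample input in the format of the traces above; the final record
# (from 192.0.2.7) is constructed to show ordinary traffic for contrast.
SAMPLE = """\
tcp0: I LISTEN 10.10.51.16:23 10.10.51.16:23 seq 3868
SYN WIN 2048
tcp0: O LISTEN 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: R SYNRCVD 10.10.51.16:23 10.10.51.16:23 seq 3655988093
OPTS 4 ACK 3869 SYN WIN 2144
tcp0: T CLOSED 10.10.51.16:23 10.10.51.16:23 early close
tcp0: I LISTEN 10.10.51.16:23 192.0.2.7:40112 seq 100
SYN WIN 4096
"""

def parse(text):
    """Join each 'tcpN:' header with its wrapped continuation line(s)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD.match(line)
        if m:
            records.append(m.groupdict())
        elif line and records:
            records[-1]["rest"] += " " + line
    for rec in records:
        rec["flags"] = set(rec["rest"].split()) & TCP_FLAGS
    return records

def summarize(text):
    """Report segments whose local and foreign endpoints are identical."""
    hits = [r for r in parse(text) if r["local"] == r["foreign"]]
    return {
        "self_addressed": len(hits),
        "endpoints": sorted({r["local"] for r in hits}),
        # Assumption: "I" is inbound. A bare SYN to a listener from its own address:port.
        "trigger_syn": sum(r["ev"] == "I" and r["state"] == "LISTEN"
                           and r["flags"] == {"SYN"} for r in hits),
        # Assumption: "R" marks a retransmission, as the repeated SYN/ACKs suggest.
        "r_events": sum(r["ev"] == "R" for r in hits),
        "early_close": any("early close" in r["rest"] for r in hits),
    }
```

Any non-zero `self_addressed` count on a real capture is worth an alert on its own, since a legitimate peer never shares the listener's address and port.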