Working vulnerability? (Cisco exploit)

Paul Vixie vixie at vix.com
Sat Jul 19 14:45:29 UTC 2003


B.Buxton at Planettechnologies.nl ("Ben Buxton") writes:

> For starters the original exploit won't work very well out of the box for
> most script kiddies (random source addresses -> killed by anti-spoofing)

Please put a ":-)" in when you're being humorous.  That one was subtle
enough that I just about laughed coffee out my nose.

For the record, script kiddies (and others) encounter no significant
blockage when using random source addresses.  I'd estimate that less
than a tenth of a percent (that's 0.1%) of edge paths use RPF, even
though BCP38 states the case clearly and the technology makes it easy
and there are plenty of recipes and examples available.

For a truly stunning example, consider that one of the low-end members
of the f-root cluster has gone 60 days since its counters were last
cleared, yet...

#sfo2b.f:i386# ipfw show
...
00400   39787994   2630377143 deny ip from 10.0.0.0/8 to any in
00500   38090617   2460350048 deny ip from 172.16.0.0/12 to any in
00600   24926636   1658950280 deny ip from 192.168.0.0/16 to any in
...

...it has received almost 7GBytes of rfc1918-sourced traffic in that time.
I don't mean by that example to support my 0.1% assertion, but rather to
show that far from filtering not-theirs on ingress, the vast majority of
providers can't even filter not-anybodys on egress -- an easier problem!

Don't underestimate script kiddies.  If you leave a door wide open, they
WILL walk through.
-- 
Paul Vixie
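The two filtering problems the message contrasts, as an added example that is not part of the original post or of any f-root configuration: the three ipfw rules above only drop "not-anybody's" sources (RFC 1918 space) on a host's inbound interface, whereas BCP38 asks the access provider to drop "not-theirs" sources on the customer-facing interface, which is what strict unicast RPF enforces. The packets, the customer prefix 203.0.113.0/24 and the destination 198.51.100.53 are constructed for the example; the byte counts are arbitrary. The rule numbers 00400/00500/00600 mirror the ipfw listing so the counters read like `ipfw show`.

```python
"""BCP38-style source-address filtering, simulated with the ipaddress module.

host_martian_ingress() models the ipfw rules in the post (drop RFC 1918
sources); edge_ingress_from_customer() models the BCP38 / strict uRPF check
an access provider should run on a customer port (drop any source the
customer does not own).  Everything below is example code, not a real
ruleset.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# RFC 1918 private space, in the same order as ipfw rules 00400/00500/00600.
RFC1918_RULES = (
    ("00400", ipaddress.ip_network("10.0.0.0/8")),
    ("00500", ipaddress.ip_network("172.16.0.0/12")),
    ("00600", ipaddress.ip_network("192.168.0.0/16")),
)

# Hypothetical customer prefix for the BCP38 check (documentation range).
CUSTOMER_PREFIXES = (ipaddress.ip_network("203.0.113.0/24"),)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    length: int  # bytes on the wire


# Constructed sample traffic arriving on one interface.  Only the first
# packet carries a source the customer actually owns; the last one is a
# "random" spoofed source that is NOT RFC 1918 and so slips past a
# martian-only filter.
SAMPLE_PACKETS = (
    Packet("203.0.113.7", "198.51.100.53", 60),
    Packet("10.1.2.3", "198.51.100.53", 80),
    Packet("172.31.0.9", "198.51.100.53", 80),
    Packet("192.168.1.1", "198.51.100.53", 100),
    Packet("198.18.0.1", "198.51.100.53", 120),
)


def host_martian_ingress(pkt):
    """Drop RFC 1918 sources ("not-anybody's"); return (verdict, matched_rule)."""
    src = ipaddress.ip_address(pkt.src)
    for rule_no, net in RFC1918_RULES:
        if src in net:
            return "deny", rule_no
    return "allow", None


def edge_ingress_from_customer(pkt, customer_prefixes=CUSTOMER_PREFIXES):
    """BCP38: on a customer port, accept only sources the customer owns ("not-theirs")."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in customer_prefixes):
        return "allow", None
    return "deny", "bcp38"


def apply_filter(packets, check):
    """Run `check` over packets; tally per-rule packet and byte counters like `ipfw show`."""
    counters = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        verdict, rule = check(pkt)
        key = rule if verdict == "deny" else "allow"
        counters[key]["packets"] += 1
        counters[key]["bytes"] += pkt.length
    return dict(counters)


def run_host_filter(packets=SAMPLE_PACKETS):
    """Counters for the martian-only filter: the 198.18.0.1 spoof is allowed through."""
    return apply_filter(packets, host_martian_ingress)


def run_edge_filter(packets=SAMPLE_PACKETS):
    """Counters for the BCP38 edge filter: every non-customer source is dropped."""
    return apply_filter(packets, edge_ingress_from_customer)


if __name__ == "__main__":
    for name, result in (("host martian filter", run_host_filter()),
                         ("BCP38 edge filter", run_edge_filter())):
        print(name)
        for rule, c in sorted(result.items()):
            print(f"  {rule:>6} {c['packets']:>8} {c['bytes']:>10}")
```

The point the counters make is the one in the message: the martian rules catch the three RFC 1918 packets but pass the fourth spoofed source, because nothing on a root server can know which non-private addresses are "theirs". Only the provider at the customer edge has that knowledge, and that is the filter BCP38 asks for.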
