TCP-ACK vulnerability (was RE: SSH on the router)
Stephen J. Wilcox
steve at telecomplete.co.uk
Wed Jun 9 20:19:11 UTC 2004
On Wed, 9 Jun 2004, Sean Donelan wrote:
> On Mon, 7 Jun 2004, McBurnett, Jim wrote:
> > Aside from that, Use ACL's out the wazoo on the VTY lines and limit access to
> > that to say 1 SSH enabled router or 1 IPSEC enabled router...
>
> It doesn't really matter if you use SSH, Telnet or HTTP; if you can send
> evil packets to the router/switch and it falls over and dies.
>
> http://www.cisco.com/warp/public/707/cisco-sa-20040609-catos.shtml
>
> IP Permit Lists will not provide any mitigation against this vulnerability.
>
> The race is on, who will find your switches first?
yes, i often wondered why the permit list allows the session to connect then
gives you a polite message before disconnecting.
anyway this is only on catos..
Steve
More information about the NANOG
mailing list