Thursday, April 13, 2006

 

Cisco Security Advisory: TCP Loopback DoS Attack (land.c) and Cisco Devices

I came across this information about how to prevent a Cisco 700 router from being stuck in an endless feedback loop, caused by an attack...

Cisco IOS/700 Software Details

All Cisco IOS/700 software versions which have been evaluated are vulnerable to this attack. A Cisco IOS/700 system subjected to this attack will hang and must be physically reset.

Planned Fixes for Cisco IOS/700 Software
Cisco plans to release a software fix for IOS/700. The fix code has been written, and is being tested for integration and release. Because there is a low-impact configuration workaround that provides complete protection against the attack, Cisco does not plan to expedite release of this software fix. The fix will appear in regularly scheduled IOS/700 maintenance releases.


Workaround for Cisco IOS/700 Software

Add the following configuration command to any profile that may be active when connected to a potentially hostile network:

set ip filter tcp in source <7xx> destination <7xx> block

This will completely protect the 7xx system. We believe that 7xx configurations in which this command has unacceptable performance or other impact are extremely rare if they exist at all.




Looks like I may have to make these changes to the router I manage...
Especially if I want to avoid allowing my client to become a victim of a potential DoS (Denial of Service) Attack.
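
The workaround filter quoted above, modelled as an added Python example (not code from the Cisco advisory or from this post). It assumes `<7xx>` stands for the router's own IP address; the function names and the 192.0.2.x / 198.51.100.x sample addresses are made up for illustration, and nothing is sent on the wire.

```python
import socket
import struct

TCP, UDP = 6, 17  # IPv4 protocol numbers

def parse_ipv4(packet: bytes):
    """Return (protocol, src, dst) from an IPv4 header, or None if malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return packet[9], src, dst

def filter_blocks(packet: bytes, router_ip: str) -> bool:
    """Model of 'set ip filter tcp in source <7xx> destination <7xx> block':
    block inbound TCP whose source AND destination are the router itself."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return False  # this sketch models only the one filter rule
    proto, src, dst = parsed
    return proto == TCP and src == router_ip and dst == router_ip

def sample_packet(src: str, dst: str, proto: int = TCP) -> bytes:
    """Constructed test input: 20-byte IPv4 header plus 20 bytes of
    TCP-shaped payload (SYN flag set, checksums left at zero)."""
    l4 = struct.pack("!HHIIBBHHH", 139, 139, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4

def audit(packets, router_ip):
    """Return one 'block' / 'pass' verdict per inbound packet."""
    return ["block" if filter_blocks(p, router_ip) else "pass" for p in packets]

if __name__ == "__main__":
    ROUTER = "192.0.2.1"  # assumed address of the 7xx
    inbound = [
        sample_packet(ROUTER, ROUTER),             # loopback pattern
        sample_packet("198.51.100.7", ROUTER),     # ordinary remote client
        sample_packet(ROUTER, ROUTER, proto=UDP),  # not TCP, rule does not apply
    ]
    print(audit(inbound, ROUTER))
```

Only the first sample packet is blocked, which is why the advisory can describe the filter as low-impact: a legitimate inbound TCP connection never carries the router's own address as its source.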
