Thursday, January 25, 2007

Take note: Recently announced Cisco Vulnerabilities

Well, I got this from our company's trusty security advisory system, but I'm sure it will be all over the Internet by now, given the seriousness of these security bulletins.

Crafted TCP Packet can cause denial of service (cisco-sa-20070124-crafted-tcp)
Crafted IP Option vulnerability (cisco-sa-20070124-crafted-ip-option)
IPv6 Routing Header vulnerability (cisco-sa-20070124-IOS-IPv6)

After going through the security advisories, continue with the companion documents on detection and mitigation:
Detecting and mitigating cisco-sa-20070124-crafted-tcp
Detecting and mitigating cisco-sa-20070124-crafted-ip-option
Detecting and mitigating cisco-sa-20070124-IOS-IPv6

These give you a wealth of information on the features and capabilities Cisco IOS has for dealing with these issues. Previously, I didn't know about IP Options Selective Drop, Control Plane Policing and ACL Support for Filtering IP Options. Makes me feel like a n00b.

Some notes I learned:

  1. On Cisco PIX Security Appliances, Cisco ASA Adaptive Security Appliances, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Switches and Cisco 7600 Routers, packets with IP options are dropped by default.
  2. Control Plane Policing (CoPP): define class maps for the traffic the router itself has to receive, put them in a policy map with a police rate per class, and apply that policy with service-policy input under control-plane. This protects the router from attacks directed at it, since the control plane and management plane handle packets such as routing updates, keepalives, and network management traffic.
  3. IP protocol 103 = PIMv2 (Protocol Independent Multicast), one of the protocols named in the crafted IP option advisory.
  4. IP protocol 113 = PGM Reliable Transport Protocol, likewise named in that advisory.
  5. Resource Reservation Protocol (RSVP), which MPLS traffic engineering (MPLS TE) relies on, Internet Group Management Protocol version 2 (IGMPv2), and other protocols that send packets with IP options (both of these use the Router Alert option) may stop working when IP options are filtered, so filter selectively rather than dropping every option-bearing packet.
  6. Configuring Access Lists to Filter Packets That Contain IP Options (an ACL entry can match one specific option or any-options).
  7. Protecting Your Core: Infrastructure Protection Access Control Lists (iACLs: permit only the traffic your infrastructure addresses must receive, deny everything else to those addresses, then permit transit traffic).
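To tie notes 2, 5, 6 and 7 together, here is an added Cisco IOS configuration example; it is not from the original post or from Cisco's documents. The addresses and names are assumed for illustration only: 192.0.2.0/24 is our infrastructure block, 198.51.100.1 is an external BGP peer of our 198.51.100.2, 203.0.113.0/24 is the management network, Serial0/0 is the Internet-facing edge, and the police rates are placeholders. The option keywords on ACL entries need ACL Support for Filtering IP Options (12.3(4)T / 12.2(25)S or later).

```cisco
! Added example, not Cisco's or the original post's configuration.
! Assumed: 192.0.2.0/24 = infrastructure, 198.51.100.1 = eBGP peer,
! 198.51.100.2 = our peering address, 203.0.113.0/24 = management net,
! Serial0/0 = Internet edge. Police rates below are illustrative.
!
! The blunt instrument for note 5/6 is IP Options Selective Drop, but it
! also drops the Router Alert option that RSVP and IGMPv2 need, so use it
! only on routers where those protocols are not in play:
!   ip options drop
!
! Edge ACL (notes 6 and 7): selective IP-option filtering first, then the
! infrastructure-protection rules. Only one inbound ACL fits an interface,
! so both jobs live in one list.
ip access-list extended ACL-EDGE-IN
 remark Keep Router Alert so RSVP (MPLS TE) and IGMPv2 keep working
 permit ip any any option router-alert
 remark Source-routing and record-route options are never legitimate here
 deny   ip any any option loose-source-route
 deny   ip any any option strict-source-route
 deny   ip any any option record-route
 remark Every other option-bearing packet is dropped (log for detection)
 deny   ip any any option any-options log
 remark Anti-spoof: our infrastructure block never arrives from outside
 deny   ip 192.0.2.0 0.0.0.255 any
 remark Required traffic to infrastructure: the eBGP session only
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark Management reaches infrastructure only from the management net
 permit tcp 203.0.113.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 remark Nothing else may talk to infrastructure addresses
 deny   ip any 192.0.2.0 0.0.0.255
 remark Transit traffic passes
 permit ip any any
!
interface Serial0/0
 description Internet-facing edge (assumed)
 ip access-group ACL-EDGE-IN in
!
! Control Plane Policing (note 2): classify what reaches the route
! processor and rate-limit each class. Option-bearing packets that slip
! past the edge (e.g. from inside) get a tiny budget; routing and
! management traffic from known sources get a generous one.
ip access-list extended ACL-COPP-IP-OPTIONS
 permit ip any any option any-options
!
ip access-list extended ACL-COPP-ROUTING
 permit tcp host 198.51.100.1 any eq bgp
 permit tcp host 198.51.100.1 eq bgp any
!
ip access-list extended ACL-COPP-MANAGEMENT
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
!
class-map match-all CM-COPP-IP-OPTIONS
 match access-group name ACL-COPP-IP-OPTIONS
class-map match-all CM-COPP-ROUTING
 match access-group name ACL-COPP-ROUTING
class-map match-all CM-COPP-MANAGEMENT
 match access-group name ACL-COPP-MANAGEMENT
!
policy-map PM-COPP
 class CM-COPP-IP-OPTIONS
  police 8000 1500 conform-action transmit exceed-action drop
 class CM-COPP-ROUTING
  police 256000 8000 conform-action transmit exceed-action transmit
 class CM-COPP-MANAGEMENT
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  police 32000 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
```

Two practical caveats. First, the log keyword on an ACL entry costs CPU on its own, which matters precisely when the router is under this kind of attack; keep it on the one catch-all line and rate-limit it with ip access-list logging interval if the platform supports that. Second, the CoPP rates above are placeholders: watch the conform and exceed counters in show policy-map control-plane for a while before tightening the routing and class-default budgets, since an over-aggressive policer on class-default will drop legitimate keepalives and ARP just as effectively as the attack would.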

I remember a similar bug back in 2003 (Cisco IOS Interface Blocked by IPv4 Packets) that caused much furor and a panic to upgrade routers. I wonder how Cisco customers will react to this one.

Time to bring out the console cable and fire up TFTP!
