RE: "Cisco gate" - Payload Versus Vector

very helpful analysis. some questions:

even without stifling the heap check via crashing_already (i.e. a
'fix' is developed for that weakness), is the 30-60 second window
sufficient to do serious operational damage? i.e. what could an
attacker do with a code injection with a mean life as short as
15-30 seconds? that seems a bit short for a direct routing
injection of much worth. but how about a damping attack (flap the
victim's route enough to cause everyone to damp them), or would
mrai stifle that? could it be used to cascade to a neighbor? i
suppose that diverting just the right 15-30 seconds of traffic
could be profitable.

secondly, is there reason not to believe that the attack vectors
might be at layer two, mpls, as well as layer three, ip? i.e. the
"internet-free core" gambit does not reduce exposure to this one?

The "bad guys" are discussing the issues and we should think long
and hard before we muzzle the "good guys".

http://rip.psg.com/~randy/draft-ymbk-obscurity-00.txt is a bit old,
but seems relevant.

randy

change the passwords and write to nvram, and come back later?

-Dan

some more that come to mind as ssh/enable pw changes wouldn't go
unnoticed for too long.

change snmptrap dest
change snmp r/w comstrs (most monitoring would only use r/o comstrs)
change ACLs on snmp access to allow public IPs
change the ip address of the host that is used for tftp boots

lots of things can be done in 1/10 of the 30-60 second window.

-Jim P.

Randy Bush wrote:

very helpful analysis. some questions:

mrai stifle that? could it be used to cascade to a neighbor? i
suppose that diverting just the right 15-30 seconds of traffic
could be profitable.

More recent hardware allows you to take copies of packets and push them down an IP tunnel. Pushing something like this into the configuration would make much more sense.

Pete