Saying goodnight to my GSR

Has been running for a while, time to shut ‘er down. She (is a router a she?) used to handle all of my BGP GigE links but over the years has been demoted to OSPF and T1 aggregation.

If anyone needs a boat anchor let me know.

gsr8-1#show version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(30)S3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 30-Jun-05 18:29 by pwade
Image text-base: 0x50010E80, data-base: 0x536E8000

ROM: System Bootstrap, Version 11.2(20030108:132517) [jkuzma-112 2.2] RELEASE SOFTWARE

gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
Uptime for this control processor is 9 years, 2 weeks, 2 days, 18 minutes
System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6 2005
System image file is "slot0:gsr-p-mz.120-30.S3.bin"

cisco 12008/GRP (R5000) processor (revision 0x05) with 524288K bytes of memory.
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on

2 Route Processor Cards
2 Clock Scheduler Cards
3 Switch Fabric Cards
2 Single Port Gigabit Ethernet/IEEE 802.3z controllers (2 GigabitEthernet).
1 Three Port Gigabit Ethernet/IEEE 802.3z controller (3 GigabitEthernet).
1 Ethernet/IEEE 802.3 interface(s)
5 GigabitEthernet/IEEE 802.3 interface(s)
507K bytes of non-volatile configuration memory.

20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

[..]

IOS (tm) GS Software (GSR-P-M), Version 12.0(30)S3, RELEASE SOFTWARE (fc2)

[..]

gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes

Thank you for finally taking a vulnerable system off the Internet!

Greets,
Jeroen

On Sep 20, 2014, at 10:18 AM, Matthew Crocker <matthew@corp.crocker.com> wrote about his old router:

<SNIP/>
gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
Uptime for this control processor is 9 years, 2 weeks, 2 days, 18 minutes
System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6 2005
<SNIP/>

Matt,

Wow. You have amazing power reliability!

Want to tell us your secret?

Regards.

James R. Cutler
James.cutler@consultant.com
PGP keys at http://pgp.mit.edu

-48VDC.

So when was the last time you patched this internet facing device?

Isn't the better response, thank you for decommissioning it?

Can someone from cisco set up a poll or release whatever numbers they
have about how many of these old devices are still in service?

Thanks,
Dan

OK thank you for decommissioning this.*

* Only if you either had authority to do so for max 1 year or had no
authority but were fighting to have it patched or replaced for years.

So when was the last time you patched this internet facing device?

Sunday sept 4 2005?

Seems like a good run. If it hasn't been rooted or fallen over since then it's apparently pretty secure...

Again, you're focusing resentment towards someone who did the right
thing. Negative reinforcement will discourage others from taking
action and will discourage them from encouraging others to take
action.

Let's focus on who still has vulnerable equipment and how to help
them. Let's not shame people who did the right thing.

Thanks,
Dan

OpenSNMPProject has some of this data for devices that respond to the string ‘public’.

Lots of old stuff out there.

- Jared

And what, exactly, is it vulnerable to?

And what, exactly, is it vulnerable to?

Most of these, I'd imagine:
http://www.cisco.com/c/en/us/td/docs/ios/12_0s/release/ntes/120SCAVS.html

Fair question. Felix Lindner has shown some ~0 budget attacks on IOS. But I'm
not sure if there actually are known attack vectors for a properly secured
system (iACL, rACL in this case).
Crash bugs are there probably, but those are likely in every release and some
motivation + lab time might yield a successful DoS attack on the platform, and if
you're L2 connected to a router, most are DoSable anyhow, regardless of
version.

Personally, I wouldn't be too worried about this. If I were, I wouldn't dare
to run any commercially or otherwise available networking operating system;
they all have a terrible history in terms of software reliability against
attacks.
But there appears to be no actual business case for security; if we look at
Fortune 500 companies who have been thoroughly pwned, it has not impacted their
market cap. The public sector, including the military, is happy to buy 'audited'
network connections from commercial companies running commercial systems, which
all certainly are pwnable with an extremely modest budget, regardless of how new
a release they are running.

I do not see any vulnerabilities listed there. Only documentation of behavioral bugs, caveats, and restrictions.

A "vulnerability" would be something like the one Microsoft introduced into all versions of the Windows IP stack after Windows 2003 and Windows XP wherein "the Operating System will execute the payload of an IP packet with SYSTEM authority and SYSTEM integrity when a crafted IP packet is received in which a certain combination of invalid and reserved header bits are set".

Please tell me her nodename is 'gracie'.

Cheers,
-- jra

That might make for quite an interesting talk, Jared. :)

Well,

    I think it was just blind fear talking.

    Properly configured, it is less a security issue than newer devices.

    Pretty impressive from Matthew to have the patience/skills to not
simply "reload" that fridge over the years.

Got you beat by nine weeks with a Foundry 9604. :)

#sh ver
  SW: Version 03.3.01aTc1 Copyright (c) 1996-2004 Foundry Networks, Inc.
      Compiled on Feb 01 2005 at 11:21:12 labeled as FES03301a
      (2057881 bytes) from Primary foundry-FES/FES03301a.bin
      Boot Monitor: Version 03.2.00Tc4
  HW: Stackable FES9604

Got you beat by nine weeks with a Foundry 9604. :)

I might have a Cat5505 or two on our out-of-band management network with uptimes that approach this.

jms

The best thing about having GSRs around is trading them in for ASR 9900s.

The freight is a ding, though.

-Drew