Hi,

On Wed, Sep 09, 2009 at 06:52:04PM +0100, Antonio Soares wrote:
> What actions are you taking ? What is the real risk ?
>
> http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml

"scream, wave your arms, run around in circles"...

Seriously: I'm not exactly sure what the actual impact is. What we're going to do is:

- identify what parts of IOS use TCP (telnet, ssh, rsh, bgp, ldp, http/s, ftp, others?)
  (for some weird reason, "show ip sockets" only shows UDP sockets on our boxes, and "show tcp brief" only shows ESTABLISHED TCP sessions - how can I see what TCP LISTEN sockets are there??)
- find out what the impact is on each ("fill all available slots, lock out legitimate admins" or "fill all available memory, killing the box")
- find out how to mitigate
  - telnet/ssh -> vty ACLs
  - rsh -> recent IOSes send RST to unknown peers
  - bgp -> takes care of itself (doesn't talk to unknown peers)
  - http/https -> turn off
  - ldp -> ??
  - ftp -> ??
  - generic -> receive ACLs ("if the platform happens to support it"), infrastructure ACLs ("not always effective in catching all possible IP addresses that a box with many customer /30 or /29s might have")

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
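The vty-ACL, http-off, rsh-off and infrastructure-ACL items from the list above, written out as an added IOS configuration example (not from the original post or from Cisco's advisory). Prefixes, the BGP peer address and the interface name are documentation placeholders; the `show` commands at the end are for checking the result on IOS releases that support them.

```cisco
! Added example: IOS mitigations for the TCP-listener items discussed above.
! 192.0.2.0/24 = assumed NOC management range, 203.0.113.0/24 = assumed
! router/infrastructure block, 198.51.100.1 = assumed external BGP peer.
!
! telnet/ssh -> vty ACL: only the NOC range may open sessions to the VTYs,
! so an outsider cannot fill the VTY slots and lock out legitimate admins.
ip access-list standard NOC-MGMT
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class NOC-MGMT in
 transport input ssh
 exec-timeout 5 0
!
! http/https -> turn the embedded web server off entirely.
no ip http server
no ip http secure-server
!
! rsh/rcp -> make sure the remote-shell services are not enabled at all.
no ip rcmd rsh-enable
no ip rcmd rcp-enable
!
! generic -> infrastructure ACL on a customer-facing edge: TCP towards the
! router block is only accepted from the configured BGP peer (either
! direction of the session); every other TCP connection attempt to the
! router block is dropped, and all transit traffic is permitted.
ip access-list extended INFRA-EDGE
 permit tcp host 198.51.100.1 203.0.113.0 0.0.0.255 eq bgp
 permit tcp host 198.51.100.1 eq bgp 203.0.113.0 0.0.0.255
 deny   tcp any 203.0.113.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description customer-facing edge (placeholder name)
 ip access-group INFRA-EDGE in
!
! Verification: list the remaining TCP endpoints including LISTEN state.
! show tcp brief all
! show control-plane host open-ports
```

The infrastructure ACL carries the caveat the post already names: addresses on customer /30 or /29 links are router addresses too, and the block above does not cover them unless those prefixes are added to the `deny` lines.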
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/