Configure two routers to run HSRP and deliberately misconfigure the
authentication password. You might be surprised at the results.

From CCO:
The authentication string is transmitted unencrypted in all HSRP messages.
The same authentication string must be configured on all routers and access
servers on a cable to ensure interoperation. Authentication mismatch
prevents a device from learning the designated Hot Standby IP address and
the Hot Standby timer values from other routers configured with HSRP.
Authentication mismatch does not prevent protocol events such as one router
taking over as the designated router.

That last sentence says it all.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
5G Networks, Inc.
[EMAIL PROTECTED]
(925) 260-2724


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Curtis Call
> Sent: Monday, May 07, 2001 10:05 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
>
> In other words always use authentication.
>
> At 10:23 PM 5/7/01, you wrote:
> > >>I guess I'm dense. The DOS does what? Makes it possible to advertise a false
> > >>destination as the active HSRP address ?
> >
> >I guess by multicasting higher priority HSRP packets, the receiving
> >routers will assume secondary role thus no routers will be active.
> >
> >-----Original Message-----
> >From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, May 08, 2001 11:29 AM
> >To: Andy Low; [EMAIL PROTECTED]
> >Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
> >
> >
> >Interesting....
> >
> >"A problem in the Cisco Hot Standby Routing Protocol (HSRP) makes it
> >possible to deny service to users of network resources. By eavesdropping on
> >HSRP management messages sent over the network, it is possible to create a
> >spoofed message that will reroute all network traffic to a particular
> >system. By doing so, it is possible to prevent traffic from entering or
> >leaving that network."
> >
> >I guess I'm dense. The DOS does what? Makes it possible to advertise a false
> >destination as the active HSRP address ?
> >
> >"This problem makes it possible for system local to the network to deny
> >service to legitimate users of that network segment."
> >
> >In other words, your enemy is someone on the inside. Which is where 80% of
> >any network's vulnerabilities occur!
> >
> >Chuck
> >
> >
> >-----Original Message-----
> >From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Low
> >Sent:   Monday, May 07, 2001 8:20 PM
> >To:     [EMAIL PROTECTED]
> >Subject:        Cisco HSRP Denial of Service Vulnerability [7:3534]
> >
> >Hi TAC,
> >
> >Anyone know of any solutions to the HSRP exploits?
> >
> >http://www.securityfocus.com/bid/2684
> >
> >-andy-
> >FAQ, list archives, and subscription info:
> >http://www.groupstudy.com/list/cisco.html
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3565&t=3534
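
A passive check for the condition discussed in this thread, as an added example that is not part of the original posts: it decodes HSRP version 0 messages using the RFC 2281 field layout and reports speakers that are not known routers or whose plaintext authentication string differs from the expected one. The router addresses, group number and authentication strings are constructed sample values, and the function names are this example's own.

```python
import socket
import struct

OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

def parse_hsrp(payload: bytes) -> dict:
    """Decode a 20-byte HSRP version 0 message (RFC 2281 field layout)."""
    if len(payload) < 20 or payload[0] != 0:
        raise ValueError("not a 20-byte HSRP version 0 message")
    _ver, op, state, _hello, _hold, prio, group, _rsvd, auth, vip = struct.unpack(
        "!8B8s4s", payload[:20])
    return {"op": OPCODES.get(op, op), "state": STATES.get(state, state),
            "priority": prio, "group": group,
            # The authentication field is plain bytes on the wire, NUL padded.
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "vip": socket.inet_ntoa(vip)}

def audit(messages, routers, auth):
    """messages: iterable of (source_ip, udp_payload); returns (source, reason) pairs."""
    findings = []
    for src, payload in messages:
        try:
            m = parse_hsrp(payload)
        except ValueError as exc:
            findings.append((src, f"malformed: {exc}"))
            continue
        if src not in routers:
            findings.append((src, f"unexpected HSRP speaker on group {m['group']}: "
                                  f"{m['op']}, priority {m['priority']}"))
        elif m["auth"] != auth:
            findings.append((src, f"authentication string mismatch on group {m['group']}"))
    return findings

def build(op, state, prio, group, auth, vip):
    """Pack one constructed sample message (hello time 3 s, hold time 10 s)."""
    return struct.pack("!8B8s4s", 0, op, state, 3, 10, prio, group, 0,
                       auth.encode(), socket.inet_aton(vip))

# Constructed sample traffic: documentation addresses and made-up strings.
ROUTERS = {"192.0.2.2", "192.0.2.3"}
SAMPLE = [
    ("192.0.2.2", build(0, 16, 110, 1, "labkey", "192.0.2.1")),
    ("192.0.2.3", build(0, 8, 100, 1, "labkye", "192.0.2.1")),   # mistyped string
    ("192.0.2.50", build(0, 4, 255, 1, "labkey", "192.0.2.1")),  # not a known router
]

if __name__ == "__main__":
    for src, why in audit(SAMPLE, ROUTERS, "labkey"):
        print(src, why)
```

HSRP version 0 messages are sent to UDP port 1985 at 224.0.0.2, so the payloads fed to `audit` can come from a capture filtered on that port.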