Priscilla,
It didn't take the "access-group 100 in" command on your router? Did you
have "no service stupid mistake" on your router? Just kidding. I was doing
it out of memory in a text editor. I've come to like making the config for a
router in a text editor and just pasting it in.

Come to think of it, is there any other protocol besides IP? 8)

Brian

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Priscilla Oppenheimer
> Sent: Tuesday, May 08, 2001 2:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
>
> I tried the HSRP access list from Brian (CCIE) and it works, (of
> course. ;-)
>
> It was surprisingly easy to hack HSRP! :-[] I captured some HSRP packets
> with EtherPeek and edited one to say the packet was from my PC and that my
> priority was higher than the two legitimate HSRP routers. I then repeatedly
> sent this packet, using the timer that the legitimate HSRP routers were
> using.
>
> The standby HSRP stopped sending HSRP packets (not sure why?). The
> previously active made itself standby. PCs on the LAN that were set to use
> the HSRP gateway address were unable to reach non-local stations. The DOS
> worked, in other words. This is a lab network, by the way.
>
> I used the access list below to make sure the HSRP routers only accepted
> from each other and it solved the problem. I meant to save the
> HyperTerminal session and show you that the deny in the access list was
> getting invoked, but I forgot to save it.
>
> Note one minor bug in configs below:
>
> It should say "ip access-group 100 in" (at least on my routers, the ip was
> required)
>
> Priscilla
>
>
>
>
> At 03:54 AM 5/8/01, Brian Dennis wrote:
> >It's not the best solution but if you're really worried you could create an
> >access-list (see configs below). HSRP uses UDP port 1985 and the destination
> >address is to all routers (224.0.0.2). Perfect solution? No. Better than
> >nothing? Yes.
> >
> >Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
> >5G Networks, Inc.
> >[EMAIL PROTECTED]
> >(925) 260-2724
> >
> >!
> >hostname R1
> >interface Ethernet 0
> >  ip address 192.168.1.1 255.255.255.0
> >  standby ip 192.168.1.254
> >  standby authentication c!sc0b2b
> >  access-group 100 in
> >!
> >access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
> >access-list 100 deny udp any eq 1985 any eq 1985
> >access-list 100 permit ip any any
> >
> >
> >!
> >hostname R2
> >!
> >interface Ethernet 0
> >  ip address 192.168.1.2 255.255.255.0
> >  standby ip 192.168.1.254
> >  standby authentication c!sc0b2b
> >  access-group 100 in
> >!
> >access-list 100 permit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
> >access-list 100 deny udp any eq 1985 any eq 1985
> >access-list 100 permit ip any any
> >
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Jacques Atlas
> > > Sent: Monday, May 07, 2001 11:10 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
> > >
> > >
> > > On Tue, 8 May 2001, Curtis Call wrote:
> > >
> > > |In other words always use authentication.
> > >
> > > I don't think the authentication in clear text is going to help;
> > > the solution from the vendor is to run HSRP with IPSec.
> > >
> > > --
> > > jacques
> > > FAQ, list archives, and subscription info:
> > > http://www.groupstudy.com/list/cisco.html
> > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3695&t=3534
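As an added illustration (not code from the thread or from Cisco), here is a small Python check that decodes HSRPv1 hellos (the 20-byte layout from RFC 2281) and flags any hello whose source is not one of the two routers, which is exactly the rule the access list above enforces. The sample packets are constructed for the example; the router addresses and the cleartext password are the ones from Brian's configs.

```python
import struct
from dataclasses import dataclass

HSRP_PORT = 1985                 # UDP port HSRP uses
HSRP_ALL_ROUTERS = "224.0.0.2"   # destination of every HSRP hello
ACTIVE, STANDBY = 16, 8          # HSRPv1 state codes

# Allow-list: the only hosts that should speak HSRP on this LAN (R1 and R2 from the configs).
LEGIT_ROUTERS = {"192.168.1.1", "192.168.1.2"}
SHARED_AUTH = b"c!sc0b2b"        # cleartext "standby authentication" string from the thread

@dataclass
class HsrpHello:
    src: str
    state: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str

def parse_hsrp_v1(src_ip: str, payload: bytes) -> HsrpHello:
    """Decode the fixed 20-byte HSRPv1 header (RFC 2281)."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP packet")
    _ver, _op, state, _hello, _hold, prio, group, _res = struct.unpack("!8B", payload[:8])
    auth = payload[8:16].rstrip(b"\0")          # 8-byte password, zero padded
    vip = ".".join(str(b) for b in payload[16:20])
    return HsrpHello(src_ip, state, prio, group, auth, vip)

def build_hello(priority, state, auth=SHARED_AUTH, vip="192.168.1.254", group=0) -> bytes:
    """Build an HSRPv1 hello; used here only to fabricate the sample traffic."""
    hdr = struct.pack("!8B", 0, 0, state, 3, 10, priority, group, 0)  # hello 3s, hold 10s
    return hdr + auth.ljust(8, b"\0") + bytes(int(o) for o in vip.split("."))

def audit(packets, legit=LEGIT_ROUTERS, auth=SHARED_AUTH):
    """Return one alert per HSRP hello that the access list would have denied."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dst != HSRP_ALL_ROUTERS or dport != HSRP_PORT:
            continue                             # not HSRP, ignore
        h = parse_hsrp_v1(src, payload)
        if h.src not in legit:                   # same test as the access-list: only the peer may send
            alerts.append(f"rogue HSRP hello from {h.src}: priority {h.priority}, "
                          f"state {h.state}, auth {'matches' if h.auth == auth else 'differs'}")
    return alerts

# Constructed sample: two legitimate hellos, then a spoofed one that reuses the captured
# cleartext password with a higher priority, like the packet in Priscilla's lab test.
SAMPLE_TRAFFIC = [
    ("192.168.1.1", HSRP_ALL_ROUTERS, HSRP_PORT, build_hello(100, ACTIVE)),
    ("192.168.1.2", HSRP_ALL_ROUTERS, HSRP_PORT, build_hello(90, STANDBY)),
    ("192.168.1.50", HSRP_ALL_ROUTERS, HSRP_PORT, build_hello(255, ACTIVE)),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_TRAFFIC):
        print(alert)
```

Note that the spoofed hello passes the cleartext authentication check (the password was simply copied), which is Jacques' point; only the source-address rule catches it.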