Do you allow connections directly *to* the external interface?  Can 
you get away with disallowing them?

  If you had a sniffed record of the traffic just before the crash, 
it might be possible to tell.  If it keeps happening, I'd put a 
sniffer on and look for traffic destined for that router.

  If it doesn't keep happening, you don't need to do anything about 
it.  Hopefully, if it *is* a buffer overflow, either Cisco will 
discover it, or someone will report it to them, and so some newer 
release of IOS may address the problem.

  There's not much you alone can do, either to determine afterwards 
what "really" happened, or to guard against it happening again.  (If 
you happen to capture logs that show it as a result of specific 
malicious traffic, you'll have both something you can report to 
Cisco, and something you can pursue with an originating ISP.)

David Gillett


On 12 Jun 2001, at 14:41, Gerardo Soto wrote:

> 
> Hello David:
> 
>       How can I make sure that it was not a buffer overflow? Or even
> better, how can I avoid such actions?
> 
>       Any help will be deeply appreciated.
> 
> Best Regards,
> 
> > 
> >   If you've *ever* worked at the assembler/machine-language level on 
> > any mainstream CPU architecture, you will have been introduced to a 
> > register (or register-pair) called the "program counter", which 
> > contains the address of the next instruction to be executed.
> >   Most instructions include, as a side-effect, incrementing this 
> > register by an appropriate amount.  JUMP instructions overwrite the 
> > register contents with a new address.  CALL instructions save the old 
> > address to the stack first, and RETURN instructions pop a value from 
> > the stack which is *supposed* to have been saved there by a CALL.
> > 
> > 1.  Exploitable buffer overflows typically involve a buffer allocated 
> > on the stack, so that the overflow corrupts the return address.
> > 
> > 2.  "Bus error" is how several of the CPUs Cisco has used signal that 
> > they have tried to access memory using an address that is invalid 
> > because it is not properly aligned.
> > 
> >   Dave's suggestion is that the bad address could have been the 
> > program counter value.  My elaboration is that a bad program counter 
> > value could be the result of stack corruption caused by a buffer 
> > overflow.
> > 
> > David Gillett
> > 
> > 
> > 
> > On 12 Jun 2001, at 10:14, Brian Ford wrote:
> > 
> > > So David how do you create a buffer overflow condition on this router?  Hmm?
> > > 
> > > And Dave which counter got a bad value?
> > > 
> > > This message is more likely to mean that a power spike or static discharge 
> > > occurred on the serial interface that caused the router to reset.
> > > 
> > > Gerardo, did the router reboot successfully?  Is it operating now?  How long 
> > > has this router been in place and on this circuit?  Do you have syslog data 
> > > showing any hardware or software problems before the reboot?
> > > 
> > > The reality is your router hiccuped.  If it starts happening regularly you 
> > > should look at putting it on a UPS, talk to your carrier about checking or 
> > > adding ESD/spike protection to the circuit, or call the Cisco TAC (if you 
> > > are on maintenance) about swapping the router.
> > > 
> > > Fear, Uncertainty, and Doom at its finest.
> > > 
> > > Regards,
> > > 
> > > Brian
> > > 
> > > At 08:59 AM 6/12/2001 +0000, Firewalls-Digest wrote:
> > > >Date: Tue, 12 Jun 2001 01:03:19 -0700
> > > >From: [EMAIL PROTECTED]
> > > >Subject: Re: cisco reboot
> > > >
> > > > > Technically, it means the program counter got an illegal address
> > > > > in it.
> > > >
> > > >   One of the ways this could happen is via a buffer overflow, which
> > > >may potentially be exploitable (although exploiting it will be much
> > > >harder than making it bus error).
> > > >
> > > >David Gillett
> > > >
> > > >
> > > >On 12 Jun 2001, at 12:59, Dave Horsfall wrote:
> > > >
> > > > > On Mon, 11 Jun 2001, Gerardo Soto wrote:
> > > > >
> > > > > > "System restarted by bus error at PC 0x30C5BD4, address 0xE24230"
> > > > >
> > > > > Almost certainly a hardware/software fault; report it to your vendor.
> > > > >
> > > > > > > What does bus error mean?  I would deeply appreciate any light regarding
> > > > > > > this matter.
> > > > >
> > > > > Technically, it means the program counter got an illegal address in it.
> > > > >
> > > > > --
> > > > > > Dave Horsfall CL VK2KFU  [EMAIL PROTECTED]  Ph: +61 2 9906 3377  Fx: * 9906 3468
> > > > > > (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia
> > > > >
> > > > > -
> > > 
> > > 
> > 
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
> 
> *******************************************************************************
> Ing. Gerardo Soto Casados
> Compu-Redes
> Labastida # 37 Esq. Tijuana
> San Martin Texmelucan Puebla
> Tel. y Fax (012)4845888
> e-mail: [EMAIL PROTECTED]
> http://www.compu-redes.net.mx
> *******************************************************************************
> 
> 
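
The CALL/RETURN and stack-buffer explanation quoted above, modelled as an added example that is not part of the original thread: a toy stack in C where an unchecked copy overwrites the saved program counter and the RETURN then faults, next to the same call with a length check. The memory layout, `RET_ADDR`, the 4-byte alignment rule, the function names and the input bytes are all constructed assumptions of this model, not details of any Cisco platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64        /* toy stack memory; the stack grows downward */
#define BUF_SIZE 8         /* the callee's local buffer */
#define RET_ADDR 0x1000u   /* constructed, word-aligned return address */

enum outcome { RETURNED_OK, BUS_ERROR, WRONG_TARGET, INPUT_REJECTED };

/* Constructed inputs: one that fits, two that run 4 bytes past the buffer. */
static const uint8_t FITS[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t LONG_ODD[12] = {0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                                     0x41, 0x41, 0x41, 0x41, 0x41, 0x41};
static const uint8_t LONG_EVEN[12] = {0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
                                      0x44, 0x44, 0x44, 0x44, 0x44, 0x44};

/* Simulate CALL, a copy into the callee's stack buffer, then RETURN. */
static enum outcome run_call(const uint8_t *in, size_t len, int checked)
{
    uint8_t mem[MEM_SIZE] = {0};
    size_t sp = MEM_SIZE;
    uint32_t pc = RET_ADDR;

    sp -= sizeof pc;                    /* CALL: push the old PC */
    memcpy(&mem[sp], &pc, sizeof pc);
    sp -= BUF_SIZE;                     /* callee reserves its buffer below it */

    if (checked && len > BUF_SIZE)      /* hardened path: length check first */
        return INPUT_REJECTED;
    if (len > MEM_SIZE - sp)            /* keep the model itself inside mem[] */
        len = MEM_SIZE - sp;
    memcpy(&mem[sp], in, len);          /* unchecked path can reach the saved PC */

    sp += BUF_SIZE;                     /* callee releases its buffer */
    memcpy(&pc, &mem[sp], sizeof pc);   /* RETURN: pop whatever is there */
    if (pc % 4 != 0)
        return BUS_ERROR;               /* misaligned fetch address */
    return pc == RET_ADDR ? RETURNED_OK : WRONG_TARGET;
}

int main(void)
{
    printf("fits, unchecked:      %d\n", run_call(FITS, sizeof FITS, 0));
    printf("long odd, unchecked:  %d\n", run_call(LONG_ODD, sizeof LONG_ODD, 0));
    printf("long even, unchecked: %d\n", run_call(LONG_EVEN, sizeof LONG_EVEN, 0));
    printf("long odd, checked:    %d\n", run_call(LONG_ODD, sizeof LONG_ODD, 1));
    return 0;
}
```

In this model an overwritten return address produces a bus error only when the resulting value is misaligned; an aligned value returns to the wrong place without faulting, which is why a crash log alone does not settle what happened.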

