Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-11 Thread Andrew (Andy) Ashley
Is a control-plane ACL to limit isakmp traffic (UDP/500) to an affected ASA 
from desired sources enough to mitigate this attack, until upgrades can be 
performed?

Regards,

Andrew Ashley




-----Original Message-----
From: NANOG on behalf of Adrian M
Date: Thursday, 11 February 2016 at 15:53
To: "nanog@nanog.org"
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

>Be careful, it appears that something is broken with ARP on this release.
>We have no ARP on lan interface, and somebody else has a similar problem:
>https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/
>
>
>
>On Wed, Feb 10, 2016 at 10:36 PM, Sadiq Saif  wrote:
>
>> Update your ASAs folks, this is a critical one.
>>
>>
>> -------- Forwarded Message --------
>> Subject: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and
>> IKEv2 Buffer Overflow Vulnerability
>> Date: Wed, 10 Feb 2016 08:06:51 -0800
>> From: Cisco Systems Product Security Incident Response Team
>> 
>> Reply-To: ps...@cisco.com
>> To: cisco-...@puck.nether.net
>> CC: ps...@cisco.com
>>
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
>>
>> Revision 1.0
>>
>> For Public Release 2016 February 10 16:00  GMT (UTC)
>>
>> Summary
>> =======
>>
>> A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and
>> IKE version 2 (v2) code of Cisco ASA Software could allow an
>> unauthenticated, remote attacker to cause a reload of the affected
>> system or to remotely execute code.
>>
>> The vulnerability is due to a buffer overflow in the affected code area.
>> An attacker could exploit this vulnerability by sending crafted UDP
>> packets to the affected system. An exploit could allow the attacker to
>> execute arbitrary code and obtain full control of the system or to cause
>> a reload of the affected system.
>>
>> Note: Only traffic directed to the affected system can be used to
>> exploit this vulnerability. This vulnerability affects systems
>> configured in routed firewall mode only and in single or multiple
>> context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
>>
>> Cisco has released software updates that address this vulnerability.
>> This advisory is available at the following link:
>>
>> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
>>
>>
>>


Re: BGPMON Alert Questions

2014-04-02 Thread Andrew (Andy) Ashley
Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them, 
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.

Thanks.

Regards,

Andrew Ashley

Office: +27 21 673 6841
E-mail: andre...@aware.co.th
Web: www.aware.co.th



On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

>I just got the same alert for one of my prefixes one minute ago.
>
>On 4/2/2014 2:59 PM, Frank Bulk wrote:
>> I received a similar notification about one of our prefixes also a few
>> minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  But I
>> also couldn't hit the websites for either AS, either.
>>
>> Frank
>>
>> -----Original Message-----
>> From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
>> Sent: Wednesday, April 02, 2014 1:52 PM
>> To: nanog@nanog.org
>> Subject: BGPMON Alert Questions
>>
>> So I setup BGPMON for my prefixes and got an alert about someone in
>> Thailand announcing my prefix.  Everything looks fine to me and I've
>> checked a bunch of different Looking Glasses and everything announcing
>> correctly.
>>
>> I am assuming I should be contacting the provider about their
>> misconfiguration and announcing my prefixes and get them to fix it.  Any
>> other recommendations?
>>
>> Is there a way I can verify what they are announcing just to make sure they
>> are still doing it?
>>
>> Here is the alert for reference:
>>
>> Your prefix:  8.37.93.0/24:
>>
>> Update time:  2014-04-02 18:26 (UTC)
>>
>> Detected by #peers:   2
>>
>> Detected prefix:  8.37.93.0/24
>>
>> Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
>>
>> Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
>>
>> ASpath:   18356 9931 4651 4761
>
>-- 
>Vlad
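
Added example, not part of the thread and not BGPMon's own tooling: a Python sketch that parses the alert quoted above and reads its AS path the way the reply does, with the leftmost AS as the peer that reported the route and the rightmost as the origin. `EXPECTED_ORIGINS` and the placeholder AS64500 are assumptions, since the thread does not state the prefix holder's own ASN.

```python
import ipaddress
import re

# Alert text as quoted in the thread, with the e-mail line wraps rejoined.
ALERT = """\
Your prefix:  8.37.93.0/24:
Update time:  2014-04-02 18:26 (UTC)
Detected by #peers:   2
Detected prefix:  8.37.93.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
"""

# Assumption: origins the prefix holder authorises. AS64500 is a
# documentation-range placeholder; the thread does not give the real ASN.
EXPECTED_ORIGINS = {"8.37.93.0/24": {64500}}

def parse_alert(text):
    """Split 'Key: value' lines; the first colon ends the key."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip().rstrip(":")
    return fields

def asn(field):
    """Leading AS number of an 'AS4761 (name...)' field."""
    return int(re.match(r"AS(\d+)", field).group(1))

def assess(fields, expected=EXPECTED_ORIGINS):
    mine = ipaddress.ip_network(fields["Your prefix"])
    seen = ipaddress.ip_network(fields["Detected prefix"])
    path = [int(a) for a in fields["ASpath"].split()]
    origin, upstream = path[-1], path[-2]
    return {
        "reporting_peer": path[0],  # AS that fed the route to the collector
        "origin": origin,           # rightmost AS originated the prefix
        "upstream": upstream,       # AS that accepted it from the origin
        # The alert's named fields should agree with the raw AS path.
        "consistent": asn(fields["Announced by"]) == origin
        and asn(fields["Upstream AS"]) == upstream,
        "origin_authorised": origin in expected.get(str(mine), set()),
        "scope": "exact" if seen == mine
        else "more-specific" if seen.subnet_of(mine) else "other",
    }
```

Calling `assess(parse_alert(ALERT))` on this alert reports an exact-prefix announcement whose origin is not in the authorised set, seen through AS18356 as the reporting peer.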






Re: BGPMON Alert Questions

2014-04-02 Thread Andrew (Andy) Ashley
I got a bounce from Indosat saying:

Dear Senders,

Thank you for your email, started March,1st  2012 email address for
correspondence with Indosat IP Support  All Support INP will be change and
not active with detail information as follows :
1. Correspondence and complain handling for Indosat Corporate customers
(INP, IDIA and INIX services) please kindly address to :
corporatesolut...@indosat.com (Service Desk MIDI Indosat Corporate Solution)
2. Correspondence and coordination for upstream and peering purpose please
kindly address to :  snocips...@indosat.com (SNOC IP Surveillance)
Thank you for your kind cooperation and understanding.
Indosat IP Support



Perhaps the "SNOC IP Surveillance" address is better?





For CAT Thailand, the contact details I have are:



NOC call center
CAT Telecom
Tel: 66 2 104 2382
FAX: 66 2 104 2281
e-mail: cuss...@cattelecom.com

As someone mentioned, English may be an issue, especially at this time of
the morning over there.




Regards,



Andrew Ashley



Office: +27 21 673 6841

E-mail: andre...@aware.co.th

Web: www.aware.co.th




From:  Aris Lambrianidis effulge...@gmail.com
Date:  Wednesday 02 April 2014 at 22:40
To:  Andrew Ashley andre...@aware.co.th
Cc:  nanog@nanog.org nanog@nanog.org
Subject:  Re: BGPMON Alert Questions

Contacted ip@indosat.com about this, I urge others to do the same.

--Aris




Cross connect from Telx to Level 3 @ 111 8th Ave

2011-03-03 Thread Andy Ashley

Hi,

Does anyone know if it is possible to get a cross connect from Telx 
(room 524) to Level 3 (room 304) at 111 8th Ave?
Neither Telx nor L3 can do this without serious complication and 
prohibitive cost.


(contact me off list please)

Thanks.

Regards,
Andy Ashley.


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




Re: DSL options in NYC for OOB access

2011-01-29 Thread Andy Ashley

On 29/01/2011 00:16, Bill Stewart wrote:

>How much bandwidth do you need?  Is a dialup modem fast enough?

Hi,

Not much at all. Just enough for a telnet/ssh session.
A dialup modem would likely do the trick, but that raises other issues about 
dialing up from the UK based NOC,
so I think DSL will be a little more flexible for us in this case.
If we must have a telephone line installed we may as well get DSL service over 
that.
Point taken though about reliability of DSL service vs plain PSTN.

I have had some offers from the right sort of companies.
One in particular has everything we need (low speed, static ip, no red tape & a 
clue) at half the price of the others (ask me off list if you want the name).
Also suggested to me was doing a swap with another provider in the facility but 
it seems as if cross connects may be prohibitively expensive between 
suites/floors there.
I'm going to wait for pricing on this and make a choice then.

Thanks to all who responded.

Regards,
Andy.









Re: DSL options in NYC for OOB access

2011-01-29 Thread Andy Ashley

On 29/01/2011 14:56, Randy McAnally wrote:

>Have you looked into the cross connect cost for your DSL line?  They typically
>aren't very cheap either.
>
>~Randy

I'm still waiting for the quote to come back from L3.
Figured a copper pair would be cheaper than a fiber, but who knows?

Andy.






DSL options in NYC for OOB access

2011-01-24 Thread Andy Ashley

Hi,

I'm looking for a little advice about DSL circuits in New York, 
specifically at 111 8th Ave.

Going to locate a console server there for out-of-band serial management.
The router will need connectivity for remote telnet/ssh access from the NOC.

Looking for a low speed (and low cost) DSL line with a fixed IP.
I searched some obvious providers but don't really want to deal with a 
huge company (Verizon, Qwest, ?) if it can be avoided.
Also $80-100+ seems a lot for something that will be used very rarely, 
but maybe those prices are normal.


Are there smaller/independent companies out there offering this sort of 
thing?

I don't know much about the US DSL market, so any hints are welcome.

Thanks.
Andy.





Re: Other NOGs around the world?

2010-08-22 Thread Andy Ashley

On Aug 22, 2010, at 9:52

>What other network operator groups are there around the world (besides NANOG)?


IOZ (South Africa) - http://lists.internet.org.za/mailman/listinfo

Regards,
Andy.





Re: SAS70 Type II compliant colo providers - Chicago, IL

2009-09-23 Thread Andy Ashley

Andy Ashley wrote:

>Hi,
>
>I would really appreciate any recommendations for SAS70 Type II 
>compliant colocation providers in Chicago, IL
>
>The requirement is fairly small (1/2 - 1 rack). Mail me off list please.
>
>Thanks.

Thanks to everyone who replied with advice and 
recommendations/referrals, there were too many to respond to individually.
I have made a couple of choices and will make further enquiries with 
those companies.


Regards,
Andy.







SAS70 Type II compliant colo providers - Chicago, IL

2009-09-22 Thread Andy Ashley

Hi,

I would really appreciate any recommendations for SAS70 Type II 
compliant colocation providers in Chicago, IL


The requirement is fairly small (1/2 - 1 rack). Mail me off list please.

Thanks.

Regards,
Andy.

