Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-07 Thread Andy Low
Hi TAC, Anyone know of any solutions to the HSRP exploits? http://www.securityfocus.com/bid/2684 -andy- Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3534&t=3534 -- FAQ, list archives, and subscription info: http://www.gro

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-07 Thread Chuck Larrieu
ndy Low Sent: Monday, May 07, 2001 8:20 PM To: [EMAIL PROTECTED] Subject: Cisco HSRP Denial of Service Vulnerability [7:3534] Hi TAC, Anyone know of any solutions to the HSRP exploits? http://www.securityfocus.com/bid/2684 -andy-

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-07 Thread Andy Low
AM To: Andy Low; [EMAIL PROTECTED] Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534] Interesting "A problem in the Cisco Hot Standby Routing Protocol (HSRP) makes it possible to deny service to users of network resources. By eavesdropping on HSRP management messages sen

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-07 Thread Andy Low
Message- From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 08, 2001 11:29 AM To: Andy Low; [EMAIL PROTECTED] Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534] Interesting "A problem in the Cisco Hot Standby Routing Protocol (HSRP) makes it possible to de

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-07 Thread Curtis Call
e receiving
>routers will assume secondary role thus no routers will be active.
>
>-Original Message-
>From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, May 08, 2001 11:29 AM
>To: Andy Low; [EMAIL PROTECTED]
>Subject: RE: Cisco HSRP Denial of Service Vulnera

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-07 Thread Jacques Atlas
On Tue, 8 May 2001, Curtis Call wrote:
|In other words always use authentication.
i don't think the authentication in clear text is going to help, the solution from the vendor is to run HSRP with IPSec.
-- jacques
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3557&t=3534

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Brian Dennis
ent: Monday, May 07, 2001 10:05 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
> In other words always use authentication.
>
> At 10:23 PM 5/7/01, you wrote:
>
> >>I guess I'm dense. The DOS does what? Makes it

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Brian Dennis
.0.0.2 eq 1985
access-list 100 deny udp any eq 1985 any eq 1985
access-list 100 permit ip any any
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jacques Atlas
> Sent: Monday, May 07, 2001 11:10 PM
> To: [EMAIL PROTECTED]
> Subject:

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Andy Low
ECTED]]On Behalf Of Jacques Atlas Sent: Tuesday, May 08, 2001 2:10 PM To: [EMAIL PROTECTED] Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534] On Tue, 8 May 2001, Curtis Call wrote: |In other words always use authentication. i don't think the authentication in clear text is going to

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Kevin Wigle
tacked or is it that they can't handle the load of all of us hitting their site at once? Kevin Wigle - Original Message - From: Andy Low To: Sent: Tuesday, May 08, 2001 4:33 AM Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534] > Yes, seem like that's the curren

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Kevin Wigle
100 permit ip any any
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jacques Atlas
> > Sent: Monday, May 07, 2001 11:10 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Cisco HSRP Denial of Servic

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Priscilla Oppenheimer
The HSRP "exploits" aren't anything new. If you have physical access to the target LAN, the ability to sniff packets, and the ability to send packets, of course you can wreak havoc. Not only could you send bad HSRP packets but you could respond to ARPs, send bad routing protocol packets, etc. e

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Jacques Atlas
hi
On Tue, 8 May 2001, Priscilla Oppenheimer wrote:
|Also, instead of using HSRP you could use the Virtual Router Redundancy
|Protocol (VRRP) defined in RFC 2338. VRRP is the standards-track
|replacement for HSRP. The Security Considerations section explains
|authentication options, including us

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Priscilla Oppenheimer
I searched the Cisco doc site and found VRRP mentioned only in relation to the VPN3000 product. Cisco has been talking about VRRP for years. I'm surprised it's not in more products??? Priscilla At 02:03 PM 5/8/01, Jacques Atlas wrote: >hi > >On Tue, 8 May 2001, Priscilla Oppenheimer wrote: > >

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Kevin Wigle
ccess-list will be a stop gap measure for now. Kevin Wigle - Original Message - From: Priscilla Oppenheimer To: Sent: Tuesday, May 08, 2001 1:38 PM Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534] > The HSRP "exploits" aren't anything new. If you ha

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Priscilla Oppenheimer
. > >But times they are a changing. The lines between LAN and WAN are blurring. >It seems Brian's solution for an access-list will be a stop gap measure for >now. > >Kevin Wigle > >----- Original Message - >From: Priscilla Oppenheimer >To: >Sent: Tuesday,

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Kevin Wigle
checked the Feature Navigator for VRRP and it's not even listed. Kevin Wigle - Original Message - From: Priscilla Oppenheimer To: Sent: Tuesday, May 08, 2001 2:31 PM Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534] > I searched the Cisco doc site and found V

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Jacques Atlas
hi
On Tue, 8 May 2001, Priscilla Oppenheimer wrote:
|I'm surprised it's not in more products???
being surprised is something that i am getting used to ;-)
-- jacques
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3674&t=3534

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Priscilla Oppenheimer
rmit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
>access-list 100 deny udp any eq 1985 any eq 1985
>access-list 100 permit ip any any
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jacques Atlas

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Brian Dennis
y authentication c!sc0b2b
> > access-group 100 in
> >!
> >access-list 100 permit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
> >access-list 100 deny udp any eq 1985 any eq 1985
> >access-list 100 permit ip any any

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Kevin Wigle
cols provide protection for upstream failures. Anyway, starting to get off topic. Again, for us we have issues and I'm glad it was posted to the list. Kevin Wigle - Original Message - From: "Priscilla Oppenheimer" To: Sent: Tuesday, 08 May, 2001 14:54 Subject: Re: Cisco

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Brian
Confirming what I had heard, that Canada has a much better grasp of last mile solutions. Brian - Original Message - From: "Kevin Wigle" To: Sent: Tuesday, May 08, 2001 11:46 PM Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534] > Not wishful th

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-09 Thread Charles Manafa
Cisco uses VRRP in its Content Services Switches - CSS11000 series CM > -Original Message- > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] > Sent: 08 May 2001 19:32 > To: [EMAIL PROTECTED] > Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534] > &

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-09 Thread Johan Reinalda
sage- > > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] > > Sent: 08 May 2001 19:32 > > To: [EMAIL PROTECTED] > > Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534] > > > > > > I searched the Cisco doc site and found VRRP mentioned

RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-09 Thread Chuck Larrieu
, 2001 11:55 AM To: [EMAIL PROTECTED] Subject:Re: Cisco HSRP Denial of Service Vulnerability [7:3534] What is Ethernet emulation? It's definitely true that Ethernet is being used across long distances, if that's what you mean. With single mode fiber-optic cabling, Ethernet can

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-10 Thread Kevin Wigle
- From: Chuck Larrieu To: Sent: Wednesday, May 09, 2001 11:36 PM Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534] > Check out this link. Is this kinda what you folks are talking about here? > > http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54671,00.html >

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-10 Thread ElephantChild
On Thu, 10 May 2001, Kevin Wigle wrote:
> Unfortunately, HSRP tests the interface and not the path. I would like an
> additional keyword like:
>
> Standby DestinationIP w.x.y.z
>
> If the destination is reachable - cool, if it isn't.. failover.
>
> This I think would give us the same capa

Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-10 Thread Kevin Wigle
ed. When he dials in again he does get connected on the other router. But yeah, GRE should work for the point-to-point ethernet. Kevin Wigle - Original Message - From: ElephantChild To: Kevin Wigle Cc: Sent: Thursday, May 10, 2001 12:45 PM Subject: Re: Cisco HSRP Denial of Service Vul