
Cisco IOS Denial of Service Vulnerability

Cisco has released an advisory concerning a denial-of-service condition on all Cisco devices that run IOS. If the device receives a specially crafted sequence of IPv4 packets, the interface will stop responding and the device will require a reboot.

An exploit for this vulnerability is in the wild. We have tested the exploit in our lab and find that it works as advertised - a complete denial of service on any interface it is run against, with no recovery until the router is rebooted.

The IP protocol numbers involved are 53 (Swipe), 55 (IP Mobility), 77 (Sun ND) and 103 (Protocol Independent Multicast, PIM). If you cannot patch your router at this time, an access control list (ACL) that denies these four protocols on the affected interfaces will be effective at nullifying the attack.

Cisco recommends the following ACLs on the advisory page at http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml:

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

Cisco also notes:

ACLs can have performance impact on certain platforms, so care should be taken when applying the recommended workarounds.
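Because IOS evaluates an ACL top to bottom and stops at the first matching entry, the four deny lines must sit above any broad permit such as "permit ip any any", or they never match. The following script is an added example, not code from SecureWorks or Cisco: it parses numbered extended ACL lines from a saved configuration, simulates first-match evaluation for each of the four protocol numbers, and reports which of them the ACL would still let through. The config snippets are constructed inputs, and the protocol keyword table covers only the handful of keywords this check needs.

```python
# Added example (not from the SecureWorks page or Cisco's advisory): a small
# first-match simulator for numbered Cisco IOS extended ACLs, used to confirm
# that the four IP protocol numbers from cisco-sa-20030717-blocked are denied
# before any broader "permit" entry can match them.

import re

# IP protocol numbers named in the advisory, with their names.
BLOCKED_PROTOCOLS = {53: "Swipe", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

# Matches "access-list <num> <permit|deny> <proto> <src> <dst> ...".
# Source/destination are captured but not evaluated: the check assumes the
# workaround entries use "any any", as in the advisory.
ACE_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+?)\s*$")

# Subset of IOS protocol keywords this example understands. "ip" matches every
# IP protocol, which is why its position relative to the deny lines matters.
KEYWORDS = {"ip": None, "pim": 103, "tcp": 6, "udp": 17, "icmp": 1}


def parse_acl(config_text, acl_number):
    """Return the entries of one numbered ACL as (action, protocol) tuples in
    configured order. protocol is an int, or None for "ip" (matches all).
    Comment lines starting with '!' and entries of other ACLs are skipped."""
    entries = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m or int(m.group(1)) != acl_number:
            continue
        action, proto = m.group(2), m.group(3).lower()
        if proto.isdigit():
            proto_num = int(proto)
        elif proto in KEYWORDS:
            proto_num = KEYWORDS[proto]
        else:
            raise ValueError(f"unsupported protocol keyword: {proto}")
        entries.append((action, proto_num))
    return entries


def first_match(entries, protocol):
    """Simulate IOS first-match evaluation for a packet carrying the given IP
    protocol number. Every IOS ACL ends with an implicit deny."""
    for action, proto_num in entries:
        if proto_num is None or proto_num == protocol:
            return action
    return "deny"


def unblocked_protocols(config_text, acl_number):
    """Sorted list of the advisory's protocol numbers that the ACL would still
    permit, i.e. the ones the workaround does not actually cover."""
    entries = parse_acl(config_text, acl_number)
    return sorted(p for p in BLOCKED_PROTOCOLS if first_match(entries, p) == "permit")


# Constructed sample configurations for demonstration.
RECOMMENDED = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
access-list 101 permit ip any any
"""

# Same entries, but the broad permit was left at the top: nothing is blocked.
MISORDERED = """
access-list 101 permit ip any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
"""

# Only two of the four denies are in ACL 101; the third landed in ACL 102.
PARTIAL = """
access-list 101 deny 53 any any
access-list 101 deny pim any any
access-list 102 deny 77 any any
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    for name, cfg in (("recommended", RECOMMENDED), ("misordered", MISORDERED), ("partial", PARTIAL)):
        missing = unblocked_protocols(cfg, 101)
        status = "OK" if not missing else "NOT COVERED: " + ", ".join(
            f"{p} ({BLOCKED_PROTOCOLS[p]})" for p in missing)
        print(f"{name}: {status}")
```

Run it against the text of "show running-config" with the number of the ACL applied inbound on each exposed interface; an empty list means all four protocols hit a deny before any permit. The check deliberately ignores source and destination fields, so an ACL that denies these protocols only from specific hosts will still be reported as covered, and it does not verify that the ACL is actually applied to an interface with "ip access-group".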
