[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <82mxuap68f.fsf@mid.bfk.de>
Date: Fri, 02 Jul 2010 09:45:20 +0000
From: Florian Weimer <fweimer@....de>
To: "Dobbins\, Roland" <rdobbins@...or.net>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Should nmap cause a DoS on cisco routers?
* Roland Dobbins:
> On Jul 1, 2010, at 11:12 PM, Florian Weimer wrote:
>
>> And it's certainly a bug worth fixing.
>
> I doubt it's a 'bug' which can be 'fixed', just the same as sending
> enough legitimate HTTP requests to a Web server to bring it to its
> knees isn't a 'bug' which can be 'fixed', but rather a DoS which
> must be mitigated via a variety of mechanisms.
I was referring to single-packet (or single-request) crashers.
Reputable vendors still ship devices that have those bugs in 2010.
Chances are that Shang Tsung's nmap run triggered one of those. As I
wrote, it happened before. The nmap command line posted further
uptrhead does not actually cause a high pps flood. Such level of SNMP
scanning is quite common in enterprise networks because some printer
drivers use it to locate printers, so your network devices are better
prepared to handle that.
And even if you applied control plane protection, you still need to
monitor those devices from your management network. The brittleness
described in this thread makes this an extremely risky endeavor: one
typo in your Perl script, and your network is gone, even if the
monitoring station never had the credentials for enable access.
Those bugs might not be security-relevant, but they can be very
annyoing nevertheless.
--
Florian Weimer <fweimer@....de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists