EXAMPLES OF SPECIFIC DOS ATTACKS AGAINST CATALYST SWITCHES AND OTHER CISCO NETWORKING DEVICES

Cisco Catalyst Memory Leak DoS Vulnerability

A Telnet server running on the Catalyst firmware (CatOS) for the purpose of remote administration contains a flaw relating to a memory leak that can result in a DoS. The flaw exists due to a programming error in closing a Telnet session. A memory resource that is allocated during the start of the Telnet session is not freed at the end of the session. After a large amount of sessions, most of the system memory will be allocated to the Telnet service, resulting in a DoS. Attackers can abuse this flaw to deny access of legitimate users to the device. The abused appliance then has to be manually restarted to resume operations.

The proof of concept code has been released to test this vulnerability and is available as part (vulnerability number 11) of the CGE Perl toolkit described previously. At the end of the day, all it takes to cause the crash is to open up many Telnet connections to the unlucky switch.

Cisco Catalyst Memory Leak DoS Countermeasure

Incorrect TCP Checksum Attack Disrupting Communication Through a PIX Firewall

For a situation in which a host is located on the trusted side of the network behind the PIX firewall, it is possible to prevent a legitimate TCP connection from being established through the PIX to the host located on the other side of the firewall. To execute such an attack, a cracker would send a specifically crafted TCP packet with a set incorrect checksum through the PIX firewall, pretending that it originated from the legitimate host. He would need to specify both source and destination IPs and a client-side connection port; once such packet is received by the PIX firewall, it will cut down the attacked connection. The downtime of the cut connection is around 2 minutes, 4 secondsafter which the new connection can be established again. Such an attack does not affect the connections that are already established through the PIX.

Since it would take a lot of packets to disrupt the communication between two hosts completely, we assume that the attacker's aim is to prevent communication to a specific service on the remote hosts, such as SSH, SMTP, or TCP-syslog. In our tests, it took around 15 seconds to generate and spit out 65,535 packets with a custom source port. The attack was successfully tested on a PIX firewall 515E with 64MB of RAM performing a NAT on the external interface.

A sample Perl script, Pixdos.pl , that was used to generate the packets is available at the book's companion web site.

It might be worthwhile to investigate the effects of sending the packets with an incorrect IP checksum; this way, you may be able to disable the complete communication between two hosts through a PIX firewall.

Cisco Broadband OS TCP/IP Stack DoS Vulnerability

Cisco Systems has released a variety of broadband router devices to capture a share of the vast broadband equipment market from Motorola, Netgear, and other big players that provide affordable appliances to home and small office users. A vulnerability has been identified in a popular Cisco 600 series router running Cisco Broadband Operating System (CBOS) software that crashes the device when a large amount of traffic traverses the device. Cisco has confirmed that small routers from 605 to 678 are vulnerable to this flaw. By using any network tool that generates a large amount of traffic, such as ping , hping2 , or rain , malicious attackers can deny service to legitimate users. Attackers can also bring down these small routers with large Dynamic Host Configuration Protocol (DHCP) packets (which can be sent using Yersinia in DHCP mode) or with large Telnet packets, generated by Cisco Global Exploiter (attack number 1).

Cisco Broadband OS TCP/IP Stack DoS Countermeasures

Cisco Aironet AP1x00 Malformed HTTP GET DoS Vulnerability

A flaw has been found in the popular, industry-standard IOS-based wireless device Cisco Aironet AP 1x00 series. It is possible to cause an IOS-based Cisco Aironet Access Point to crash and reboot if the HTTP server feature is used for administrative purposes. The web management interface is enabled by default for an easy and convenient installation and setup of the device. An attacker can abuse this vulnerability by sending a specially crafted malformed HTTP request to a device, causing a reboot or a DoS condition. This flaw does not require previous authentication with the device. Taking into account the amount of unsecured wireless access points (APs) we've encountered in the wild, a script kiddie could abuse many misconfigured vulnerable Cisco APs for fun or profit. All versions of IOS prior to 12.2(8)JA running on AP1x00 series devices are reported to be vulnerable.

To determine whether your AP is vulnerable to this attack, Telnet to the device and execute the following:

 arhontus< sh ver      Cisco Internetwork Operating System Software      IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY      DEPLOYMENT RELEASE SOFTWARE (fc1)               ^^^^^^^^^      TAC Support: http://www.cisco.com/tac      Copyright (c) 1986-2003 by cisco Systems, Inc. 

In this example, the device is vulnerable, and shows version 12.2(8)JA of the IOS firmware.

Cisco Aironet AP1x00 Malformed HTTP GET DoS Countermeasures

 arhontus(config)# ip http access-class 10      arhontus(config)# access-list 10 permit host <IP ADDRESS OF ADMIN> 

Repeat the second command for all IP addresses that are allowed to manage Cisco applications.

Alternatively, if the HTTP service is not required for day-to-day management, you are advised to disable it in the following manner:

 arhontus(config)# no ip http server 

Cisco Catalyst Nonstandard TCP Flags Remote DoS Vulnerability

After receiving a series of malformed connection attempts to any TCP service (HTTP, Telnet, SSH), a DoS condition is triggered that disables any communications to the clients . It has been confirmed that as few as eight sequential connection attempts with nonstandard flags are required to crash a service. The flaw is present in any TCP-based service on a Catalyst switch. Network toolkits such as hping2 and rain are fully capable of carrying out this attack. Just bombard the switch with TCP packets with bizarre flag combinationseven a standard Nmap Xmas scan ( -sX ) might do. A Cisco advisory has stated that this vulnerability does not affect the traffic passing through the switch or any console-based service.

Cisco Catalyst Nonstandard TCP Flags Remote DoS Countermeasure