OSEC

Cisco 0-day? [Was: strange protocol scans (and MOBP plug)]

From: Michal Zalewski (lcamtufcoredump.cx)
Date: Sat Jul 19 2003 - 15:20:09 CDT


On Sat, 19 Jul 2003, Michal Zalewski wrote:

> This traffic is then followed by a storm of ip-proto-55 packets with
> increasing TTLs from a similar source (this is exhibit #12 in the
> museum, posted with full packet dumps and such). What's going on?

I've just realized ip-proto-55 was one of the possible vectors for the
latest Cisco IOS vulnerability, so it is possible that this particular
aspect of the observed traffic is just a DoS attempt.

The observed traffic seems to be considerably different from what is
generated by the publicly available exploit (shadowchode, see
http://www.netsys.com). This one generates considerably shorter packets
with no payload and increases the TTL on subsequent packets; see the previous post:

22:53:00.340000 80.50.156.4 > 195.117.3.59: ip-proto-55 0 (ttl 2, id 60107)

        4500 0014 eacb 0000 0237 1b01 5032 9c04
        c375 033b 0000 0000 0000 0000 0000 0000
        0000 0000 0000 0000 0000 035a 383d

I've isolated the packet, could anyone test
http://lcamtuf.coredump.cx/mine.c against a vulnerable Cisco?

Thanks again,
--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-07-19 21:49 --
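To check what the quoted dump actually contains, here is an added example (my own code, not Michal's mine.c or anything from the thread) that decodes the 46 captured bytes as an IPv4 header, verifies the header checksum, and separates the 26 trailing bytes (Ethernet padding, since the total length field is 20) from the empty payload. It also shows the "storm with increasing TTLs" pattern the post describes as a simple per-source check; the extra packets fed to that check are constructed here (invented ids and TTLs 1, 3, 4 around the real packet, plus an unrelated ICMP packet) and nothing is sent on the wire.

```python
import struct
from typing import Dict, List

# Hex dump quoted in the post: one ip-proto-55 packet, ttl 2, id 60107,
# from 80.50.156.4 to 195.117.3.59. 46 bytes were captured (a minimum-size
# Ethernet payload); the IP total length field says the datagram is 20 bytes.
CAPTURED_HEX = """
4500 0014 eacb 0000 0237 1b01 5032 9c04
c375 033b 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 035a 383d
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the whitespace-separated hex words of a tcpdump -x dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def ip_checksum(data: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(frame: bytes) -> Dict:
    """Decode an IPv4 header and verify its checksum. Bytes beyond total_length
    are returned as 'padding': they are link-layer fill, not datagram data."""
    if len(frame) < 20:
        raise ValueError("short frame")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(frame) or total_len < ihl:
        raise ValueError("not a sane IPv4 header")
    header = frame[:ihl]
    # Recompute over the header with the checksum field zeroed.
    expected = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "id": ident,
        "ttl": ttl,
        "protocol": proto,
        "df": bool(flags_frag & 0x4000),
        "payload": frame[ihl:total_len],
        "padding": frame[total_len:],
        "checksum_ok": csum == expected,
    }


def make_header(src: str, dst: str, ttl: int, ident: int, proto: int = 55) -> bytes:
    """Build a bare 20-byte IPv4 header with no payload. Used only to construct
    sample input for the detector below (assumption: a plain header with all
    flags clear, which is exactly what the captured packet looks like)."""
    def ip(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0, ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ttl_sweep_sources(packets: List[Dict], proto: int = 55, min_run: int = 3) -> List[str]:
    """Sources that sent at least min_run packets of `proto` with strictly
    increasing TTLs in arrival order (the pattern described in the post)."""
    ttls_by_src: Dict[str, List[int]] = {}
    for p in packets:
        if p["protocol"] == proto and p["checksum_ok"]:
            ttls_by_src.setdefault(p["src"], []).append(p["ttl"])
    return sorted(
        src for src, ttls in ttls_by_src.items()
        if len(ttls) >= min_run and all(b > a for a, b in zip(ttls, ttls[1:]))
    )


CAPTURED = hexdump_to_bytes(CAPTURED_HEX)

# Constructed sample stream (not from the capture): the real packet plus three
# invented neighbours from the same source, and an ICMP packet from another
# address that must not be flagged.
SAMPLE_STREAM = [
    parse_ipv4(make_header("80.50.156.4", "195.117.3.59", 1, 60106)),
    parse_ipv4(CAPTURED),
    parse_ipv4(make_header("80.50.156.4", "195.117.3.59", 3, 60108)),
    parse_ipv4(make_header("80.50.156.4", "195.117.3.59", 4, 60109)),
    parse_ipv4(make_header("192.0.2.10", "195.117.3.59", 64, 1, proto=1)),
]

if __name__ == "__main__":
    p = parse_ipv4(CAPTURED)
    print(p["src"], "->", p["dst"], "proto", p["protocol"], "ttl", p["ttl"],
          "id", p["id"], "checksum_ok", p["checksum_ok"],
          "payload", len(p["payload"]), "padding", len(p["padding"]))
    print("TTL sweeps from:", ttl_sweep_sources(SAMPLE_STREAM))
```

Two things are worth noting from the decode. The header checksum (0x1b01) is correct, so the packet was not mangled in transit, and `make_header` reproduces the captured 20 bytes exactly, which confirms there is nothing in the header beyond the fields tcpdump already printed. The detector deliberately ignores packets whose checksum fails, since a scanner that cares about reaching the target sends well-formed headers and corrupt ones would only add noise.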
