From: Joe Shaw [SMTP:jshaw () INSYNC NET]
Sent: Thursday, May 28, 1998 3:54 PM
To: BUGTRAQ () NETSPACE ORG
Subject: Re: Problem with ascend pipeline routers.
On Wed, 27 May 1998, Eric Thacker wrote:
Date: Tue, 26 May 1998 14:19:30 -0700
From: support <support () ascend com>
To: eric () caffrey net
Subject: RE: Ticket #238563
The pipeline has no way of telling what is a legit telnet and what
not and because the box is meant to be accessed this way (both
and remotely), a firewall is the best way to restrict telnet access.
Ascend Communications, Inc Service & Support
support () ascend com
I've forwarded this to the ascend users group (ascend-users () bungi com)
we can get Kevin Smith's (kevin () ascend com) and Matt Holdrege's
(matt () ascend com) opinion on this.
I have my own opinions on the problem. The Pipeline family has always
been a very basic, barebones line of routers with a somewhat limited
of functions. They'll do NAT, RIP, etc. but all of them only allow
two telnet sessions into the router and only one diagnostics session.
This was done to limit the resources that would be consumed so ram/cpu
wouldn't be burderend with tons of telnet sessions and/or diagnostic
sessions which can kill it's bigger brother the MAX, just like doing
debug all on a cisco will hose it.
But regardless, even if there was an idle timer on the authentication
mechanism, there are still a few problems. One problem is that even
with a login timeout, you're going to have two telnet sessions max,
is a limit placed most likely by the resources mentioned earlier.
you can just keep opening telnet sessions as soon as the others die
see if you can keep telnet access locked up. Also, as of the 5.0A
versions of code (and possibly earlier) the ascend doesn't log telnet
connections to the syslog facility. My maxen don't do it, and the
pipeline logs I've looked at don't do it. They do log incoming calls,
call up, call down, and various other events, but not telnet access.
So, tracking down who's doing this would involve a sniffer, which
not be a readily available tool to most people with pipelines as
You're right though, the best way to handle the problem is by
or filtering out telnet access. Guess this is a good selling point
their Secure Access Firewall option.
Also, I was able to knock out 3 of my Ascend Maxen by repetedly
to them. Software version was 5.0Ap51, file ti.m40. On a heavily
max, I opened two successful simultaneous telnets and it died on the
third, while another max died at four. I'm going to investigate
and I have no info on the 6.0.X versions of max code yet.
Joe Shaw - jshaw () insync net
NetAdmin - Insync Internet Services