Re: Three possible DoS attacks against some IOS versions.
From: Sharad Ahlawat <sahlawat () cisco com>
Date: Tue, 11 Jun 2002 23:28:20 -0700
-----BEGIN PGP SIGNED MESSAGE-----
This email is in response to the BugTraq posting at
Cisco is currently working on Cisco Bug Id CSCdx82139 to ensure that
HSRP validates the destination IP address of packets received, before
processing them. This will be integrated in all new releases of IOS.
In the interim the steps documented by Shane at
could be used as best practice.
On Saturday June 8 2002 02:21, Felix Lindner wrote:
Sharad Ahlawat wrote:
an excerpt from RFC 2281 - Cisco HSRP
7. Security Considerations
It is difficult to subvert the protocol from outside the
LAN as most routers will not forward packets addressed to the
all-routers multicast address (224.0.0.2).
This does not prevent remote attacks because Cisco devices do not
validate the destination address of a HSRP packet. Unicast packets
are accepted, which can be tested using the hrsp tool at
Product Security Incident Response Team (PSIRT) Incident Manager
Phone:+1 (408) 527-6087 (Land line and Mobile)
DH/DSS key Id: 0xC12A996C
Fingerprint: 9A93 2A20 43E5 7F01 2954 C427 1A81 A898 C12A 996C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----
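
The destination check described in the message above, as an added example (not Cisco's code and not part of the original posting): it parses a raw IPv4 packet and rejects any HSRP message whose destination is not the all-routers group. UDP port 1985, the 224.0.0.2 group and the 20-byte message layout are from RFC 2281; the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

HSRP_PORT = 1985                                   # UDP port, RFC 2281
ALL_ROUTERS = ipaddress.IPv4Address("224.0.0.2")   # all-routers group
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}


def classify_hsrp(packet: bytes):
    """Return None for non-HSRP IPv4 packets, else (verdict, detail)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:  # 17 = UDP
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                     # later fragment: no UDP header here
    if struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != HSRP_PORT:
        return None
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    msg = packet[ihl + 8:]
    if len(msg) < 20:
        return ("reject", f"truncated HSRP message from {src}")
    op = OPCODES.get(msg[1], f"opcode {msg[1]}")
    if dst != ALL_ROUTERS:
        # The case discussed in the thread: HSRP delivered to a unicast address.
        return ("reject", f"{op} from {src} sent to {dst}, not {ALL_ROUTERS}")
    return ("accept", f"{op} from {src} for group {msg[6]}")


def build_sample(src: str, dst: str, opcode: int) -> bytes:
    """Constructed input: IPv4 + UDP + 20-byte HSRP message (checksums 0)."""
    hsrp = struct.pack("!8B8s4s", 0, opcode, 16, 3, 10, 100, 1, 0,
                       b"cisco\0\0\0", ipaddress.IPv4Address("192.0.2.1").packed)
    udp = struct.pack("!4H", HSRP_PORT, HSRP_PORT, 8 + len(hsrp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(hsrp), 0, 0, 1, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp + hsrp


if __name__ == "__main__":
    for dst in ("224.0.0.2", "192.0.2.2"):
        print(classify_hsrp(build_sample("192.0.2.3", dst, 0)))
```

The same comparison can back a sensor rule or a log filter: any UDP/1985 traffic whose destination is not 224.0.0.2 is worth an alert on a segment running HSRP.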