Security Incidents mailing list archives

cisco local director DOS.
From: Bill Robbins <robbins () hostopia com>
Date: Tue, 24 Jul 2001 11:12:57 -0400 (EDT)

SecurityFocus,

If your Cisco local directors are configured to do all port mappings (0:0)
and not port-bound virtuals (port-to-port mappings), you can easily DOS
the local director by causing the "no answer reassign" to surpass its
default threshold counter of 8.

By port scanning a 0:0 VIP where the real servers are not listening
to all ports, you can easily cause the "no answer reassign" counter to
surpass the threshold which takes the real machine out of service.

During non-peak times when the number of valid connections coming in
is limited, the threshold does not reset itself in time.  Once you have
done this with all real servers in the VIP, the VIP will be unresponsive.
You must reset the VIP to make it active again.  This could be a harmful
DOS on larger sites that have not configured their LDs correctly.

I have spoken to Cisco; they do realize the possibility of a DOS.
They recommend that people use port-bound virtuals, otherwise ensure
that your VIPs are firewalled in front of the LD.  Cisco noted they did
not see any special notes regarding security implications of not using
port-bound virtuals in their latest documentation.

This is just an FYI as local directors have a significant share of the
content switching market.  This could also be a tough one to troubleshoot.


Regards,

Bill Robbins
Hostopia.com Inc.
robbins () hostopia com
1.866.HOSTOPIA - toll free

www.hostopia.com - Wholesale Private Label Web Hosting & Email Solutions.
        "Your Hosting Utopia, start a hosting business today."



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
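
The post notes this failure can be hard to troubleshoot. The following is an added example, not part of the original post and not Cisco code: a small Python triage routine that tells a real server taken out by unanswered connections spread over many ports (the all-port 0:0 case) apart from one whose single service port actually stopped answering. The record format and addresses are constructed, and treating an answered connection as resetting the count is an assumption of this model.

```python
from collections import defaultdict

THRESHOLD = 8  # default "no answer reassign" threshold quoted in the post

def sample_events():
    """Constructed records: (time_s, client, real_server, dst_port, answered)."""
    ev = [(0, "198.51.100.7", "10.0.0.11", 80, True)]
    # One client touching ten ports that real server .11 does not listen on.
    ev += [(10 + i, "203.0.113.50", "10.0.0.11", 20 + i, False) for i in range(10)]
    # Server .12: stray failures, but valid traffic keeps interrupting the run.
    ev += [(100 + i, "198.51.100.9", "10.0.0.12",
            80 if i % 4 == 0 else 8080, i % 4 == 0) for i in range(12)]
    # Server .13: its one service port stops answering for every client.
    ev += [(200 + i, f"198.51.100.{20 + i}", "10.0.0.13", 80, False) for i in range(8)]
    return ev

def explain_reassigns(events, threshold=THRESHOLD):
    """Report each real server whose run of unanswered connections hits threshold."""
    runs = defaultdict(list)          # real server -> current unanswered run
    findings = {}
    for ts, client, real, port, answered in sorted(events, key=lambda e: e[0]):
        if answered:
            runs[real].clear()        # assumption: an answered connection resets the run
            continue
        runs[real].append((client, port))
        if len(runs[real]) < threshold or real in findings:
            continue
        ports = sorted({p for _, p in runs[real]})
        clients = sorted({c for c, _ in runs[real]})
        findings[real] = {
            "tripped_at": ts,
            "clients": clients,
            "ports": ports,
            # Many distinct ports points at all-port (0:0) exposure rather
            # than a dead service, which fails on the port it normally serves.
            "kind": "multi-port" if len(ports) > 2 else "service-down",
        }
    return findings

if __name__ == "__main__":
    for real, f in explain_reassigns(sample_events()).items():
        print(real, f["kind"], "at t=%d" % f["tripped_at"], f["clients"], f["ports"])
```

A "multi-port" finding is the cue to check whether the virtual is port-bound or firewalled in front of the LD, the two measures the post attributes to Cisco.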

