Security Basics mailing list archives

RE: Cisco Workaround

From: "Wolfpaw - Dale Corse" <admin-lists () wolfpaw net>
Date: Wed, 23 Jul 2003 22:03:25 -0600

Be aware - the hack is a Denial of Service attack, and it can be
accomplished with ANY ONE of these protocols, there is no special
combination required. Call Cisco TAC and they will give you updated
software for your device, which voids the need for the ACL.

Regards,
D.
--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095

-----Original Message-----
From: DOUGLAS GULLETT [mailto:dougg03 () comcast net]
Sent: Wednesday, July 23, 2003 1:16 PM
To: Alvaro Gordon-Escobar
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: Re: Cisco Workaround

I don't think you have to put all the access-list in.  I
believe that
the hack requires a certain combination of packets to the
four ports,
so leaving one or two of them open should still prevent the
hack.  That
might be a good question for Cisco TAC...they should be
willing to help
even if you "misplaced" your SmartNet contract information.  ;-)

Doug

----- Original Message -----
From: Alvaro Gordon-Escobar <alvaroge () molecularstaging com>
Date: Wednesday, July 23, 2003 10:15 am
Subject: Cisco Workaround

will this access list modification prevent my internal DNS server
from updates to it self from my telco's DNS server?

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

Thanks in advance

~alvaro Escobar

-------------------------------------------------------------------

--------

-------------------------------------------------------------------

---------




---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

RE: Cisco Workaround, (continued)
- - RE: Cisco Workaround David Gillett (Jul 28)
- RE: Cisco Workaround Naman Latif (Jul 23)
- RE: Cisco Workaround Todd Mitchell - lists (Jul 23)
- RE: Cisco Workaround Charlie Winckless (Jul 23)
- Re: Cisco Workaround DOUGLAS GULLETT (Jul 23)
  - RE: Cisco Workaround Terry Baranski (Jul 24)
  - Re: Cisco Workaround Paul Kincaid (Jul 24)
  - RE: Cisco Workaround Dave Gilmore (Intrusense) (Jul 24)
  - Re: Cisco Workaround Kurt Seifried (Jul 24)
    - RE: Cisco Workaround David Gillett (Jul 24)
  - RE: Cisco Workaround Wolfpaw - Dale Corse (Jul 24)
  - RE: Cisco Workaround Byrne Ghavalas (Jul 24)
  - Re: Cisco Workaround john (Jul 24)
  - Re: Cisco Workaround joshua sahala (Jul 24)
  - Re: Cisco Workaround Jac (Jul 24)
- Re: Cisco Workaround Luis Enrique Londono (Jul 23)
- Re: Cisco Workaround bryan_khoo (Jul 24)
- RE: Cisco Workaround dave kleiman (Jul 24)
- Re: Cisco Workaround igenge2 (Jul 24)
- Re: Cisco Workaround Stephane Nasdrovisky (Jul 24)
- RE: Cisco Workaround Jofre, Sebastian (Jul 24)

(Thread continues...)