IP packet
Cisco Security Advisory: Cisco NX-OS Malformed IP Packet Denial of
Service Vulnerability
Advisory ID: cisco-sa-20120215-nxos
Revision 1.0
+---------------------------------------------------------------------
Summary
=======
A crafted IP packet vulnerability exists in the Cisco PIX 500 Series
Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security
Appliance (ASA) that may result in a reload of the device. This
vulnerability is triggered during processing of a crafted IP packet when
the Time-to-Live (TTL) decrement feature is enabled.
Folks,
We're close to shipping the IETF Internet-Draft "Security Assessment of
the Internet Protocol" for publication as an IETF RFC. The draft is
available at: http://tools.ietf.org/id/draft-ietf-opsec-ip-security-02.txt
FYI, this document is heavily based on the document "Security
Assessment of the Internet Protocol" that I wrote for CPNI a couple of
years ago, and that is available at:
http://www.cpni.gov.uk/Docs/InternetProtocol.pdf
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
IPv6 is a new Internet Protocol, designed to replace (and avoid many of
the problems with) the current Internet Protocol (version 4). Many
properties of the FreeBSD IPv6 network stack can be configured via the
ioctl(2) interface.
II. Problem Description
Hello, folks,
We have published an IETF Internet-Draft entitled "Security Assessment of
the Internet Protocol version 4", which is heavily based on the "Security
Assessment of the Internet Protocol" that was recently released by the UK
CPNI (http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx). The IETF
I-D is available at: http://www.gont.com.ar/drafts/ip-security/index.html
(and is also available at the IETF internet-drafts repository)
==============
3) The Exploit
==============
To enable the telnet/ftp/tftp and web-admin interfaces, it is necessary to send a special
IP packet to the router's specific IP, 192.168.1.1.
This works only from the internal LAN, where an attacker has an IP like 192.168.1.XX.
The IP packet sent to the router must have the following features:
1) IP protocol number 255 (there's a RAW SOCKET listening on the router)
2) Payload size 8 bytes
Hello, folks,
The United Kingdom's Centre for the Protection of National Infrastructure
has just released the document "Security Assessment of the Internet
Protocol", on which I have had the pleasure to work during the last year or
so.
The motivation to produce this document is explained in the Preface of the
document as follows:
Infiltrated Networks Vulnerability Disclosure
TCP/IP is broken
Overview TCP/IP
Transmission Control Protocol/Internet Protocol is the basic
communication language or protocol of the Internet. It can also be used
as a communications protocol in a private network (either an intranet or
an extranet). When you are set up with direct access to the Internet,
your computer is provided with a copy of the TCP/IP program just as
every other computer that you may send messages to or get information
> Folks,
>
> In August 2008 the UK CPNI (United Kingdom's Centre for the Protection of
> National Infrastructure) published the document "Security Assessment
> of the
> Internet Protocol". The motivation of the aforementioned document is
> explained in the Preface of the document itself. (The paper is available
> at: http://www.cpni.gov.uk/Docs/InternetProtocol.pdf )
>
> Once the paper was published by CPNI, I produced an IETF Internet-Draft
> version of the same paper, with the intent of having the IETF publish
Packets of the following form are generated.
Internet Protocol, Src: 192.168.1.1, Dst: 192.168.1.2
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00)
0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
.... ..0. = ECN-Capable Transport (ECT): 0
Hi Fernando,
to quote from your drafts:
> As part of the project "Security Assessment of the Internet Protocol
> version 6 (IPv6)" [CPNI-IPv6], we devised a number of techniques for
> circumventing the RA-Guard protection, which are described in the
> following sections of this document. These techniques, and the
> corresponding tools to assess their effectiveness, had so far been
> made available only to vendors, in the hopes that they could
Details
=======
SNMP defines a standard mechanism for remote management and
monitoring of devices in an Internet Protocol (IP) network.
There are three general types of SNMP operations: "get" requests to
request information, "set" requests that modify the configuration of
a remote device, and "trap" messages that provide a monitoring
function. SNMP requests and traps are transported over User Datagram
Cisco Security Advisory: Cisco IOS XR Software IP Packet
Vulnerability
Advisory ID: cisco-sa-20110525-iosxr
Revision 1.0
For Public Release 2008 March 26 1600 UTC (GMT)
Summary
=======
A device running Cisco IOS software that has Internet Protocol
version 6 (IPv6) enabled may be subject to a denial of service (DoS)
attack. For the device to be affected by this vulnerability the
device also has to have certain Internet Protocol version 4 (IPv4)
User Datagram Protocol (UDP) services enabled. To exploit this
vulnerability an offending IPv6 packet must be targeted to the
To check if SIP inspection is enabled, issue the "show service-policy
| include sip" command and confirm that output, such as what is
displayed in the following example, is returned.
ciscoasa#show service-policy | include sip
Inspect: sip , packet 0, drop 0, reset-drop 0
Alternatively, an appliance that has SIP inspection enabled has a
configuration similar to the following:
class-map inspection_default
> * OpenBSD 2.6-4.2
>
> o Idle-scanning, O/S fingerprinting, host alias
> detection, traffic analysis, TCP blind data injection,
> etc. (predictable IP fragmentation ID) in "regular" IP
> packets and raw IP packets.
>
> o Predictable IP fragmentation ID in Ethernet-inside-IP
> encapsulation, IP-inside-IP encapsulation, the CARP
> protocol, IP multicast routing, pfsync interface
> protocol, packet filter (IP packet normalization), and
!-- device.
control-plane
service-policy input control-plane-policy
Note: Because SIP can use UDP as a transport protocol, it is possible
to spoof the source address of an IP packet, which may bypass access
control lists that permit communication to these ports from trusted
IP addresses.
In the preceding CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the permit action cause these
* Honeypots, network monitoring and situational awareness tools in general.
* Fighting spam, particularly spam from origin (SPF, DKIM and related
technologies. Email reputation)
* Fighting phishing and pharming
* Fighting malware
* Internet protocol security
* IPv6 security
* DNSsec
* Security of network infrastructure services (DNS, NTP, etc.)
* Web security
* DoS/DDoS response and mitigation, botnets
==========
The stunnel program is designed to work as an SSL encryption wrapper
between a remote client and a local or remote server. OCSP (Online
Certificate Status Protocol), as described in RFC 2560, is an internet
protocol used for obtaining the revocation status of an X.509 digital
certificate.
Affected packages
=================
2. EGP: Exterior Gateway Protocol
3. RIPv1: Routing Information Protocol v1
4. RIPv2: Routing Information Protocol v2
5. DCCP: Datagram Congestion Control Protocol
6. RSVP: Resource ReSerVation Protocol
7. IPSec: Internet Protocol Security (AH/ESP)
8. GRE: Generic Routing Encapsulation
9. EIGRP: Enhanced Interior Gateway Routing Protocol
10. OSPF: Open Shortest Path First
4. Exotic Protocols: Advanced options and protocol crafting for RSVP, EIGRP, OSPF and GRE were added, allowing users to make any combination while using those exotic protocols. By the way, EIGRP is a proprietary protocol developed by CISCO Systems, Inc.
that crashes the kernel.
An attacker can exploit this bug and cause a DoS, both on a specific target or
on any 2.6.38.x machine connected to the local network. To cause the crash, the
attacker must flood the target with fragmented IPv4 packets. Important fields
in the IP packet are:
* Flags: the MF flag must be set.
* Fragment ID: using pseudo-random values for this field quickly fills
fragmented queues in the victim's kernel, as it is unable to easily
I. Background
The resolver is the part of libc that resolves hostnames (example.com) to
internet protocol (IP) addresses (192.0.2.1) and vice versa.
The inet_network() function returns an in_addr_t representing the network
address of the IP address given to inet_network() as a character string in
the dot-notation.
(IV) for WEP encryption when operating in client mode and WEP
authentication challenges when operating in hostap mode, which may be
insecure.
* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
random number generator to produce unpredictable IP packet identifiers,
initial TCP sequence numbers and outgoing port numbers. During the
first 300 seconds after booting, it may be easier for an attacker to
execute IP session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection attacks.