[Intrusions] HSRP under attack ... or just Cisco glitch and hiccup?!?
Stef
stefmit at gmail.com
Sat Nov 27 22:27:58 GMT 2004
Sorry for cross-posting - but who knows where an idea or prior
experience sharing may be coming from?!? ;)
We have just recovered from a network disaster, and I will start in a
little while looking through some logs. Meanwhile - I just thought of
picking some analyst brains here - in regards to an odd incident.
Environment: dual Cisco 6500, in HSRP mode, running 12.1(11b)E. These
two have some FastEth and GigE blades, connecting servers, and are
also redundantly connected to some 4000s, which connect to
workstations. Same 6500s are connected (redundantly, also) to a pair
of Checkpoint firewalls, running VRRP, for Internet connectivity, and
some other Netscreen firewalls, for other type of network segregation
(very simplistic description - no need here to describe all sorts of
VLANs, as I do not deem that significant to this)
Problem: at around 3:00AM this morning there was absolutely no
connectivity in the network. Specific probes, placed on some spanned
ports, for specific device monitoring, were not capturing any traffic.
No DHCP machines could get to the DHCP server. The firewall internal
interface was showing two types of messages:
1. MAD - land_attack - from the two interfaces of the 6500s connected
to it, destined to the localhost (127.0.0.1) - logged
2. protocol 112 traffic (which is VRRP) - dropped
The 6500s - if connected to the console - would just show gibberish
scrolling very fast on the terminal screen. Their utilization lights
(on the hardware itself) were showing above 90%.
The netscreens connected were the closest to having been able to
capture something significant: UDP flood from the two 6500s, on port
1985, destined to 127.0.0.1, port 1985.
This last piece of information led me to assume something like:
http://cert.uni-stuttgart.de/archive/bugtraq/2002/06/msg00043.html
but - as I was not able to get my hands on any significant logs yet -
was left as just a possibility (and part of my question).
Under the pressure of time I have resorted to shutting down the 6500s
(one at a time), then bringing them up - and the whole problem just
vanished!
So - to the point - has anybody seen this type of flakiness in the
implementation - itself - of HSRP for Cisco, or has anybody seen an
actual attack - as described here:
http://www.securiteam.com/exploits/5CP051F4AK.html
- which would just go away upon 6500s reset (because of the temporary
nature of the original stimulus).
Obviously - both options worry me - but for two different reasons. I
have left - for now - some probes (sniffers) running, and I plan
digging further in any logs I may find, a little later on ...
TIA,
Stef
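A defender-side check for the symptoms described in the post, added here as an example and not part of the original message or of any vendor's code: it decodes HSRPv1 datagrams (UDP/1985, normally sent to 224.0.0.2) and flags those destined to 127.0.0.1, those coming from a host other than the two expected routers, and those carrying a Coup or the default authentication string. The router addresses, HSRP group and virtual IP are assumed placeholders, and the sample datagrams are constructed for the demo.

```python
import struct
from ipaddress import ip_address

# HSRPv1 (RFC 2281): UDP/1985, destination 224.0.0.2, fixed 20-byte payload.
HSRP_PORT = 1985
HSRP_MCAST = "224.0.0.2"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
# Assumed placeholder addresses for the two 6500s; not from the post.
EXPECTED_ROUTERS = {"10.0.0.2", "10.0.0.3"}

def parse_hsrp(payload):
    """Decode one HSRPv1 message into its header fields."""
    if len(payload) != 20:
        raise ValueError("not an HSRPv1 message")
    (ver, op, state, _hello, _hold, prio, group, _res,
     auth, vip) = struct.unpack("!8B8s4s", payload)
    return {"version": ver, "opcode": OPCODES.get(op, "unknown(%d)" % op),
            "state": state, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "vip": str(ip_address(vip))}

def inspect_datagram(src, dst, dport, payload):
    """Return the anomaly labels a defender would alert on for one UDP datagram."""
    findings = []
    if dport != HSRP_PORT:
        return findings
    if dst != HSRP_MCAST:            # e.g. 127.0.0.1, as in the post's land_attack logs
        findings.append("non-multicast destination")
    if src not in EXPECTED_ROUTERS:  # a speaker that is not one of the two 6500s
        findings.append("unexpected source")
    if len(payload) != 20:
        findings.append("malformed length")
        return findings
    msg = parse_hsrp(payload)
    if msg["opcode"] == "Coup":      # a Coup is how a router claims the active role
        findings.append("coup")
    if msg["auth"] == "cisco":       # the well-known default authentication string
        findings.append("default authentication string")
    return findings

def build(op, state, prio, auth=b"cisco"):
    """Constructed sample payload: group 1, virtual IP 10.0.0.1 (placeholders)."""
    return struct.pack("!8B8s4s", 0, op, state, 3, 10, prio, 1, 0,
                       auth.ljust(8, b"\x00"), bytes([10, 0, 0, 1]))

# Constructed test datagrams: (src, dst, dst_port, payload).
SAMPLES = [
    ("10.0.0.2", "224.0.0.2", 1985, build(0, 16, 100)),   # healthy active hello
    ("10.0.0.2", "127.0.0.1", 1985, build(0, 16, 100)),   # the post's symptom
    ("10.0.0.77", "224.0.0.2", 1985, build(1, 4, 255)),   # coup from an unknown host
]
```

Feeding the sniffer captures mentioned in the post through `inspect_datagram` separates a misbehaving router (expected source, wrong destination) from an outside speaker (unexpected source) without needing the 6500 console output.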