[Intrusions] HSRP under attack ... or just Cisco glitch and hiccup?!?
kenneth gf brown
ken at shadowplay.net
Mon Nov 29 00:59:31 GMT 2004
ne more info... or feedback off list...
I have recently seen an outage in a client
that has similar equipment..
all critical servers behind the equipment were up...
just all traffic X it suddenly dropped.
our time line was
nov 27 11:30 CST
to approx...
nov 27 2:00 am CST.
we're investigating too
...
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Stef
> Sent: November 27, 2004 16:28
> To: General DShield Discussion List; intrusions at lists.sans.org
> Subject: [Intrusions] HSRP under attack ... or just Cisco
> glitch and hiccup?!?
>
>
> Sorry for cross-posting - but who knows where an idea or
> prior experience sharing may be coming from?!? ;)
>
> We have just recovered from a network disaster, and I will
> start in a little while looking through some logs. Meanwhile
> - I just thought of picking some analyst brains here - in
> regards to an odd incident.
>
> Environment: dual Cisco 6500, in HSRP mode, running
> 12.1(11b)E. These two have some FastEth and GigE blades,
> connecting servers, and are also redundantly connected to
> some 4000s, which connect to workstations. Same 6500s are
> connected (redundantly, also) to a pair of Checkpoint
> firewalls, running VRRP, for Internet connectivity, and some
> other Netscreen firewalls, for other type of network segregation
> (very simplistic description - no need here to describe all
> sorts of VLANs, as I do not deem that significant to this)
>
> Problem: at around 3:00AM this morning there was absolutely no
> connectivity in the network. Specific probes, placed on some
> spanned ports, for specific device monitoring, were not
> capturing any traffic. No DHCP machines could get to the DHCP
> server. The firewall internal interface was showing two types
> of messages:
> 1. MAD - land_attack - from the two interfaces of the 6500s
> connected to it, destined to the localhost (127.0.0.1) - logged
> 2. protocol 112 traffic (which is VRRP) - dropped
>
> The 6500s - if connected to the console - would just show
> gibberish scrolling very fast on the terminal screen. Their
> utilization lights (on the hardware itself) were showing above 90%.
>
> The netscreens connected were the closest to having been able
> to capture something significant: UDP flood from the two
> 6500s, on port 1985, destined to 127.0.0.1, port 1985.
>
> This last piece of information led me to assuming something
> like:
> http://cert.uni-stuttgart.de/archive/bugtraq/2002/06/msg00043.html
> but - as I was not able to get my hands on any significant
> logs yet - was left as just a possibility (and part of my question).
>
> Under the pressure of time I have resorted to shutting down
> the 6500s (one at a time), then bringing them up - and the
> whole problem just vanished!
>
> So - to the point - has anybody seen this type of flakiness
> in the implementation - itself - of HSRP for Cisco, or has
> anybody seen an actual attack - as described here:
> http://www.securiteam.com/exploits/5CP051F4AK.html
> - which would just go away upon 6500s reset (because of the
> temporary nature of the original stimulus).
>
> Obviously - both options worry me - but for two different
> reasons. I have left - for now - some probes (sniffers)
> running, and I plan on digging further in any logs I may find, a
> little later on ...
>
> TIA,
> Stef
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
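The symptoms Stef reports (UDP/1985 from the 6500s addressed to 127.0.0.1, the firewall's land_attack alerts, and CPU pegged above 90%) are all things a sniffer on a spanned port can be made to flag mechanically. Below is an added example, not code from the original thread or from any vendor, that runs three such checks over a small constructed log. The log line format, the 10-second counting window and the burst threshold are assumptions of this example; the 3-second figure is HSRP's default hello timer, and 224.0.0.2 is where HSRPv1 hellos are normally addressed.

```python
"""
Detection pass for the HSRP anomalies described in the thread, run over
constructed sniffer-style log lines. Three rules:

  1. land-style packets: source address equals destination address
  2. HSRP (UDP/1985) addressed to a loopback address instead of 224.0.0.2
  3. HSRP packet bursts from one source far above the 3 s hello cadence

Line format is constructed for this example, e.g.
  2004-11-27 02:59:40 UDP 10.0.0.2:1985 -> 224.0.0.2:1985
  2004-11-27 02:59:50 IP112 10.0.0.9 -> 224.0.0.18      (VRRP, no ports)
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address

HSRP_PORT = 1985
HSRP_V1_MCAST = "224.0.0.2"       # normal destination of HSRPv1 hellos
HELLO_INTERVAL_S = 3              # HSRP default hello timer
WINDOW_S = 10                     # assumption: counting window for rule 3
# assumption: a healthy router sends about WINDOW_S / HELLO_INTERVAL_S hellos
# per window per standby group; allow a generous multiple before calling a burst
BURST_THRESHOLD = 5 * (WINDOW_S // HELLO_INTERVAL_S)   # = 15

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse one constructed-format line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def is_hsrp(rec):
    return rec["proto"] == "UDP" and rec["dport"] == HSRP_PORT


def analyze(lines):
    """Return a dict of findings keyed by rule name."""
    findings = {"land": [], "loopback_hsrp": [], "hsrp_burst": []}
    hsrp_per_window = defaultdict(Counter)   # src -> Counter(window index)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                          # unparseable: skip, do not crash
        if rec["src"] == rec["dst"]:          # rule 1: land-style packet
            findings["land"].append(line.strip())
        if not is_hsrp(rec):
            continue
        if ip_address(rec["dst"]).is_loopback:   # rule 2: HSRP to 127.0.0.0/8
            findings["loopback_hsrp"].append(line.strip())
        window = int((rec["ts"] - EPOCH).total_seconds()) // WINDOW_S
        hsrp_per_window[rec["src"]][window] += 1
    for src, windows in hsrp_per_window.items():   # rule 3: per-source rate
        for window, count in sorted(windows.items()):
            if count > BURST_THRESHOLD:
                findings["hsrp_burst"].append((src, count))
    return findings


def constructed_log():
    """Constructed sample: two routers exchanging normal hellos, then one of
    them blasting HSRP at 127.0.0.1 as the thread's Netscreens reported."""
    lines = []
    for i in range(4):                          # 12 s of normal 3 s hellos
        t = f"2004-11-27 02:59:{40 + 3 * i:02d}"
        lines.append(f"{t} UDP 10.0.0.2:1985 -> {HSRP_V1_MCAST}:1985")
        lines.append(f"{t} UDP 10.0.0.3:1985 -> {HSRP_V1_MCAST}:1985")
    lines.append("2004-11-27 02:59:50 IP112 10.0.0.9 -> 224.0.0.18")  # VRRP, benign
    for i in range(30):                         # 30 HSRP packets in 2 s
        lines.append(f"2004-11-27 03:00:{i // 15:02d} UDP 10.0.0.2:1985 -> 127.0.0.1:1985")
    lines.append("2004-11-27 03:00:03 UDP 10.0.0.3:1985 -> 10.0.0.3:1985")  # land-style
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for rule, hits in analyze(constructed_log()).items():
        print(f"{rule}: {len(hits)} finding(s)")
```

Rule 2 is the one that maps most directly onto the thread: HSRP hellos have no business going to 127.0.0.1, so even a handful of such packets is worth an alert regardless of rate. Rule 3 is deliberately tolerant of several standby groups per router; tighten the multiplier once the real per-group baseline is known.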