[Dshield] Router Rebootarama

Scott Melnick smelnick at water.com
Tue Apr 25 15:23:47 GMT 2006


Well... First things first. You are using a Deferred Release of IOS. So
tech support is going to tell you to upgrade to a release that is
stable. I also see many bug entries with this IOS version that will
cause a router to crash and reload. Things like memory leaks, etc...

Matt: As for that question, I am not 100% sure, but I do believe that a
router can crash from a DoS without creating a dump file.


Scott Melnick 
Security Guy

> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Jenkins, Matthew
> Sent: Tuesday, April 25, 2006 9:55 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Router Rebootarama
> 
> Check for a crash dump on the router.  If you have a support contract,
> Cisco may be able to analyze it for you.  I presume you are logging to
> syslog.  Was there anything upon reboot in the logs indicating a
> crash?
> We had a Cisco IOS blade center switch (somewhat like a Catalyst 2950)
> crash due to an SNMP flaw.  Each time it would crash, it would log
> information pertaining to the crash to the syslog server.  I have the
> severity configured for informational.  I would think, however, that
> crash information would have been reported up near error.
> 
> A question for others:  When Cisco devices are DOS due to IOS flaws,
> and
> the device reboots, should you always see a crash dump?  Or are there
> cases the device could crash and not generate a dump?
> 
> Matt
> 
> Matthew Jenkins
> Network/Server Administrator
> Fairmont State University
> 304.367.4955
> Yahoo: mljenkins
> Visit us online at www.fairmontstate.edu
> 
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Jon R. Kibler
> Sent: Tuesday, April 25, 2006 7:10 AM
> To: 'General DShield Discussion List'
> Subject: [Dshield] Router Rebootarama
> 
> Hello All,
> 
> Last week we had an incident when I was on the road where one of our
> (ancient) routers started rebooting at random. At first, I thought
> it was the router simply starting to die. Now, I am beginning to
> think otherwise. The router rebooted 14 times in a 7 hour period of
> time. At first, the reboots were occurring rather rapidly, then slowed
> to the point the last reboot was several hours after the previous
> reboot. It has now been over a week and no more reboots. I should add
> that we have full logging enabled, and the logs never showed any clue
> why the router may have been rebooting.
> 
> Thus, I am beginning to suspect that the router was somehow attacked.
> It is running IOS Version 12.1(5)YB3. All external interface ports on
> the router are closed and access attempts to them are logged. The
> internal interface on the router can be accessed from only a single
> very restricted LAN IP and all access, successful or not, is also
> logged.
> 
> Any idea what type of attack could cause such behavior?
> 
> TIA!
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
> _________________________________________
> 
> SANSFIRE 2006 - Meet ISC Handlers in Person -
> Learn about the latest in Information Security from the best
> instructors
> in the world.
> 
> http://www.sans.org/sansfire006
> 
> Internet Storm Center Webcasts: http://www.sans.org/webcasts . Every
> Wednesday after patch-tuesday.
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 


