Velocity Reviews - Computer Hardware Reviews

Addressing the recent Cisco IOS bug

 
 
totojepast
07-22-2003
Should the ISP prefer upgrading the IOS or filtering the traffic using
ACLs? According to The Register, British Telecom's "attempts to guard
against a serious security problem overnight inadvertently disrupted the
connections of a substantial minority of UK Net users this morning." ("BT
overdoses on Cisco security fix",
http://www.theregister.co.uk/content/55/31828.html).

One of the major ISPs in another European country experienced a similar
incident. Did the IOS upgrade in your network run smoothly? Did the routers
and the switches have enough memory to upgrade smoothly?

And have you experienced any attempts to exploit the Cisco IOS bug?

Best regards,

TJP
 
Walter Roberson
07-22-2003
In article <(E-Mail Removed)>,
totojepast <(E-Mail Removed)> wrote:
> Did the IOS upgrade in your network run smoothly? Had the routers
> and the switches enough memory to upgrade smoothly?

Some sites are making the classic mistake of "If you are going to
upgrade anyways, might as well upgrade to the newest release".
Not the best of ideas if you are starting several releases back.

--
Admit it -- you peeked ahead to find out how this message ends!
 
RC
07-22-2003
I would think an ISP's only choice would be to upgrade the IOS. I sure don't
want my ISP filtering my internet traffic; what if I actually wanted to use
these ports/protocols?

"totojepast" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Should the ISP prefer upgrading the IOS or filtering the traffic using
> ACLs? According to The Register, British Telecom's "attempts to guard
> against a serious security problem overnight inadvertently disrupted the
> connections of a substantial minority of UK Net users this morning." ("BT
> overdoses on Cisco security fix",
> http://www.theregister.co.uk/content/55/31828.html).
>
> One of the major ISPs in another European country experienced a similar
> incident. Did the IOS upgrade in your network run smoothly? Had the
> routers and the switches enough memory to upgrade smoothly?
>
> And have you experienced any attempts to exploit the Cisco IOS bug?
>
> Best regards,
>
> TJP
 
Hansang Bae
07-23-2003
In article <mAiTa.2137$%(E-Mail Removed)>, "RC" <rcohen@<no
spam>acsvoicedata.com> says...
> I would think an ISP's only choice would be to upgrade the IOS. I sure don't
> want my ISP filtering my internet traffic; what if I actually wanted to use
> these ports/protocols?

It's not that simple. We didn't go crazy upgrading all the routers; we
have thousands. Why? IOS QA has been sorely lacking lately. The
bugs introduced would probably do more harm than good. For now, we'll
live with the ACL until things can be sorted out.

--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
 
Michael Janke
07-23-2003
RC
> I would think an ISP's only choice would be to upgrade the IOS. I sure don't
> want my ISP filtering my internet traffic; what if I actually wanted to use
> these ports/protocols?

They'd only have to block those protocols to the netblocks that they use
for their infrastructure. Presumably their infrastructure addresses are
separated from their customers' address space.

If they mixed the two, they'd have a hard time filtering.

--Mike

 
Dave Phelps
07-23-2003
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> It's not that simple. We didn't go crazy upgrading all the routers - we
> have thousands.... Why? IOS QA has been sorely lacking lately. The
> bug's introduced would probably do more harm than good. For now, we'll
> live with the ACL until things can be sorted out.
>

In defense of QA: QA has been lacking lately? This problem goes as far back as 11.0. Is
lately about the last 4 or 5 years?

So it was missed. Although a major headache for the entire world, not a single Cisco
engineer probably asked the question, "What happens if I flood the router with protocol
55 packets?" To be honest, this has been an issue since 11.0, and not a single person,
hackers, crackers, engineers, security folks, or 12-year-olds anywhere in the world asked
the same question. It seems such a glaring error now that we know about it, but no one
found it in all the time that IOS has been vulnerable.

As far as what people are doing: I don't have thousands of routers, but I do have routers
that I don't feel comfortable doing a remote upgrade on. Mostly small ISP borders. I
blocked the protocols in question at the borders. I'll upgrade everything behind the
routers as I can schedule them. If someone inside causes an outage, I'll use the good old
sh buffers input-interface command to find out who did it.

--
Dave Phelps
DD Networks
www.ddnets.com
deadspam=tippenring
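As an added illustration of the filtering approach Michael Janke and Dave Phelps describe above, here is example configuration written for this edit; it is not from any poster, nor text from Cisco's advisory. The first ACL is the blanket form that drops the protocol from anyone to anywhere, which is the kind of over-broad filter that can take customers' legitimate traffic down with it. The second denies the protocol only toward the ISP's own infrastructure addresses, which is all the bug requires, and permits everything else. Assumptions: 192.0.2.0/24 is a documentation prefix standing in for the infrastructure netblock, the interface name is a placeholder, and protocol 55 is the only number this thread names; the other three numbers are the ones Cisco's July 2003 advisory for this bug listed alongside it.

```cisco
! Over-broad workaround: drops IP protocol 55 from any source to any
! destination. Customer-to-customer traffic that legitimately uses the
! protocol is silently lost, the kind of collateral damage the BT story
! above describes.
ip access-list extended BLOCK-PROTO-EVERYWHERE
 deny   55 any any
 permit ip any any

! Targeted workaround: the bug only triggers on packets addressed to the
! router itself, so deny the affected protocols only when the destination
! is in the infrastructure range and leave transit traffic alone.
! 192.0.2.0/24 is a placeholder (documentation prefix) for the ISP's
! infrastructure netblock; customer prefixes are never named here.
! 55 is the protocol number named in this thread; 53, 77 and 103 are the
! other numbers Cisco's July 2003 advisory listed for the same bug.
ip access-list extended PROTECT-INFRA
 deny   53  any 192.0.2.0 0.0.0.255
 deny   55  any 192.0.2.0 0.0.0.255
 deny   77  any 192.0.2.0 0.0.0.255
 deny   103 any 192.0.2.0 0.0.0.255
 permit ip any any

! Apply inbound on every untrusted (customer- and peer-facing) interface.
! The interface name is a placeholder.
interface Serial0/0
 description Customer-facing border link (placeholder)
 ip access-group PROTECT-INFRA in
```

The targeted ACL only protects addresses that fall inside the denied range, so it has to cover every address the router answers to, including loopbacks and the point-to-point link addresses on customer circuits; this is exactly the separation of infrastructure and customer address space that Janke's post says makes the filtering tractable. Traffic originating inside the network is not covered by an inbound border filter, which is the case Dave Phelps handles with the `sh buffers input-interface` command he cites rather than with the configuration above.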
 
Steve Wolfe
07-23-2003
> So it was missed. Although a major headache for the entire world, not a
> single Cisco engineer probably asked the question, "What happens if I
> flood the router with protocol 55 packets?" To be honest, this has been
> an issue since 11.0, and not a single person, hackers, crackers,
> engineers, security folks, or 12-year-olds anywhere in the world asked
> the same question. It seems such a glaring error now that we know about
> it, but no one found it in all the time that IOS has been vulnerable.

Umm... well, at least as far as you know.

Really. The kinds of crackers that find an exploitable bug, and
immediately go nuts with it, aren't the real crackers, they tend to be the
"wannabes". The real crackers, when they find an exploitable bug, keep it
to themselves. They don't want it discovered. It's not unheard of to
find vulnerabilities that a few individual crackers have been exploiting
for *years* before anyone found out about them.

So, does that mean that this was used before? Who knows. It's
certainly not impossible.

steve



 
Barry Margolin
07-23-2003
In article <bfl19v$fu491$(E-Mail Removed)-berlin.de>,
Dave Phelps <(E-Mail Removed)> wrote:
> So it was missed. Although a major headache for the entire world, not a
> single Cisco engineer probably asked the question, "What happens if I
> flood the router with protocol 55 packets?" To be honest, this has been
> an issue since 11.0, and not a single person, hackers, crackers,
> engineers, security folks, or 12-year-olds anywhere in the world asked
> the same question. It seems such a glaring error now that we know about
> it, but no one found it in all the time that IOS has been vulnerable.

So what's your point? Sure, some bugs get discovered sooner than others --
that's been true since the beginning of the computer age. Sometimes bugs
are even well-known, but they don't get fixed until someone makes a public
demonstration of how serious they are (e.g. the sendmail "DEBUG" command
that was exploited by the Morris Worm).

--
Barry Margolin, (E-Mail Removed)
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
 
Evan Wagner
07-24-2003
In comp.dcom.sys.cisco totojepast <(E-Mail Removed)> wrote:
> Should the ISP prefer upgrading the IOS or filtering the traffic using
> ACLs? According to The Register, British Telecom's "attempts to guard
> against a serious security problem overnight inadvertently disrupted the
> connections of a substantial minority of UK Net users this morning." ("BT
> overdoses on Cisco security fix",
> http://www.theregister.co.uk/content/55/31828.html).
>
> One of the major ISPs in another European country experienced a similar
> incident. Did the IOS upgrade in your network run smoothly? Had the routers
> and the switches enough memory to upgrade smoothly?
>
> And have you experienced any attempts to exploit the Cisco IOS bug?

Not attempts to exploit the Cisco IOS bug, but I have noticed a few
ISPs who rolled back to unpatched versions of IOS because it broke
connectivity for a bunch of their customers.

--Evan

 
Jim Kirby
07-24-2003
Dave Phelps <(E-Mail Removed)> wrote in message news:<bfnscp$gskrp$(E-Mail Removed)-berlin.de>...

> I'm also asking HB to elaborate on why he thinks QA is going downhill. I'll be the first
> to admit that I'm nowhere near the router jockey that you and HB are, so admittedly my
> view of the QA issue is narrow.
>


I can elaborate, and will do so gladly. And it's not just the
software QA that is sliding. Ever since Cisco announced the 8,000
person layoff some years ago, TAC quality has fallen precipitously,
IOS quality has dropped, and hardware quality has plummeted.

Since January of this year we've had to build an IOS test lab just to
stress test any IOS upgrades before deployment. Mostly to vet the
upgrade process. Yes, this should be common practice but is not in
many small enterprises. And in fact, until a year or so ago, it really
wasn't necessary for IOS if you stayed away from the more esoteric
trains. In the last 5 months, one of my CCNA engineers has gotten
Cisco to recognize 5 unique IOS bugs. (This was not an easy process
for him as TAC sucks.)

And hardware quality is crap. Since January we are running nearly 50%
RMA rate on new purchases. For some models (Cat 4500's, 7204's and
AS5350's) we have experienced a 100% hardware failure rate. In all
cases we marked the RMAs for Engineering Fault Analysis (EFA) and so
far have not gotten a single response on why the device failed.

And don't get me started on TAC. We are in the process of moving our
support contracts, which we've had for nearly 10 years, to a third
party. Calling TAC anymore is a joke. You can't call in on anything
less than a priority 2, and even then you are not guaranteed to get an
engineer who knows anything about your product. We've had to request
escalation or engineer replacement, or involve our local Cisco reps, in
100% of the cases we've opened this year, some 25-30 of them.

It used to be that Cisco had remarkably reliable products and the best
tech support in all of IT. Unfortunately they are rapidly losing this
position.

jk
 