Addressing the recent Cisco IOS bug

Discussion in 'Cisco' started by totojepast, Jul 22, 2003.

  1. totojepast

    totojepast Guest

    Should the ISP prefer upgrading the IOS or filtering the traffic using
    ACLs? According to The Register, British Telecom's "attempts to guard
    against a serious security problem overnight inadvertently disrupted the
    connections of a substantial minority of UK Net users this morning." ("BT
    overdoses on Cisco security fix",
    http://www.theregister.co.uk/content/55/31828.html).

    One of the major ISPs in another European country experienced a similar
    incident. Did the IOS upgrade in your network run smoothly? Had the routers
    and the switches enough memory to upgrade smoothly?

    And have you experienced any attempts to exploit the Cisco IOS bug?


    Best regards,

    TJP
     
    totojepast, Jul 22, 2003
    #1

  2. In article <>,
    totojepast <> wrote:
    :Did the IOS upgrade in your network run smoothly? Had the routers
    :and the switches enough memory to upgrade smoothly?

    Some sites are making the classic mistake of "If you are going to
    upgrade anyways, might as well upgrade to the newest release".
    Not the best of ideas if you are starting several releases back :(

    --
    Admit it -- you peeked ahead to find out how this message ends!
     
    Walter Roberson, Jul 22, 2003
    #2

  3. RC

    RC Guest

    I would think an ISP's only choice would be to upgrade the IOS. I sure don't
    want my ISP filtering my internet traffic; what if I actually wanted to use
    these ports/protocols?


    "totojepast" <> wrote in message
    news:...
    > Should the ISP prefer upgrading the IOS or filtering the traffic using
    > ACLs? According to The Register, British Telecom's "attempts to guard
    > against a serious security problem overnight inadvertently disrupted the
    > connections of a substantial minority of UK Net users this morning." ("BT
    > overdoses on Cisco security fix",
    > http://www.theregister.co.uk/content/55/31828.html).
    >
    > One of the major ISPs in another European country experienced a similar
    > incident. Did the IOS upgrade in your network run smoothly? Had the routers
    > and the switches enough memory to upgrade smoothly?
    >
    > And have you experienced any attempts to exploit the Cisco IOS bug?
    >
    >
    > Best regards,
    >
    > TJP
     
    RC, Jul 22, 2003
    #3
  4. Hansang Bae

    Hansang Bae Guest

    In article <mAiTa.2137$%>, "RC" <rcohen@<no
    spam>acsvoicedata.com> says...
    > I would think an ISP's only choice would be to upgrade the IOS, I sure don't
    > want my ISP filtering my internet traffic, what if I actually wanted to use
    > these ports/protocols?



    It's not that simple. We didn't go crazy upgrading all the routers - we
    have thousands.... Why? IOS QA has been sorely lacking lately. The
    bugs introduced would probably do more harm than good. For now, we'll
    live with the ACL until things can be sorted out.

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Jul 23, 2003
    #4
  5. Michael Janke
    > I would think an ISP's only choice would be to upgrade the IOS, I sure don't
    > want my ISP filtering my internet traffic, what if I actually wanted to use
    > these ports/protocols?
    >


    They'd only have to block those protocols to the netblocks that they use
    for their infrastructure. Presumably their infrastructure addresses are
    separated from their customers' address space.

    If they mixed the two, they'd have a hard time filtering.

    --Mike
     
    Michael Janke, Jul 23, 2003
    #5
  6. Dave Phelps

    Dave Phelps Guest

    In article <>, says...
    > It's not that simple. We didn't go crazy upgrading all the routers - we
    > have thousands.... Why? IOS QA has been sorely lacking lately. The
    > bug's introduced would probably do more harm than good. For now, we'll
    > live with the ACL until things can be sorted out.
    >

    In defense of QA: QA has been lacking lately? This problem goes as far back as 11.0. Is
    lately about the last 4 or 5 years?

    So it was missed. Although a major headache for the entire world, not a single Cisco
    engineer probably asked the question, "What happens if I flood the router with protocol
    55 packets?" To be honest, this has been an issue since 11.0, and not a single person,
    hackers, crackers, engineers, security folks, or 12-year-old anywhere in the world asked
    the same question. It seems such a glaring error now that we know about it, but no one
    found it in all the time that IOS has been vulnerable.

    As far as what people are doing: I don't have thousands of routers, but I do have routers
    that I don't feel comfortable doing a remote upgrade on. Mostly small ISP borders. I
    blocked the protocols in question at the borders. I'll upgrade everything behind the
    routers as I can schedule them. If someone inside causes an outage, I'll use the good old
    sh buffers input-interface command to find out who did it.

    --
    Dave Phelps
    DD Networks
    www.ddnets.com
    deadspam=tippenring
     
    Dave Phelps, Jul 23, 2003
    #6
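    The filtering approach Michael Janke and Dave Phelps describe above, written out as an added example (not configuration from any poster): the advisory protocols are denied only when destined to the ISP's own infrastructure netblock, and customer traffic is left untouched. The netblock 192.0.2.0/24 and the interface name are constructed placeholders; the thread names only protocol 55, and the other numbers are the full set from the July 2003 Cisco advisory as I recall it, so check the advisory before copying.

```cisco
! Added example, not from the thread. Assumes 192.0.2.0/24 is the ISP's
! infrastructure range (loopbacks, link nets) and that customer space is
! addressed separately, as Janke's post presumes.
!
! The thread mentions protocol 55; the advisory's set as I recall it was
! 53, 55, 77 and 103. Protocol 103 is PIM, so do not deny it towards a
! router that legitimately peers multicast on this interface.
access-list 120 remark Advisory protocols to infrastructure only
access-list 120 deny   53  any 192.0.2.0 0.0.0.255 log
access-list 120 deny   55  any 192.0.2.0 0.0.0.255 log
access-list 120 deny   77  any 192.0.2.0 0.0.0.255 log
access-list 120 deny   103 any 192.0.2.0 0.0.0.255 log
! Everything else, including these protocols to customer space, passes.
access-list 120 permit ip  any any
!
interface Serial0/0
 description Upstream border (constructed interface name)
 ip access-group 120 in
!
! Hit counts per line show whether anyone is actually sending these
! protocols at the infrastructure, without touching customer traffic.
! show ip access-lists 120
```

    The `log` keyword on each deny line records the source of matching packets; on a busy border it adds CPU load, so drop it once you have confirmed the filter is doing what you expect.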
  7. Steve Wolfe

    Steve Wolfe Guest

    > So it was missed. Although a major headache for the entire world, not a
    > single Cisco engineer probably asked the question, "What happens if I
    > flood the router with protocol 55 packets?" To be honest, this has been
    > an issue since 11.0, and not a single person, hackers, crackers,
    > engineers, security folks, or 12-year-old anywhere in the world asked
    > the same question. It seems such a glaring error now that we know about
    > it, but no one found it in all the time that IOS has been vulnerable.


    Umm... well, at least as far as you know.

    Really. The kinds of crackers that find an exploitable bug, and
    immediately go nuts with it, aren't the real crackers, they tend to be the
    "wannabes". The real crackers, when they find an exploitable bug, keep it
    to themselves. They don't want it discovered. It's not unheard of to
    find vulnerabilities that a few individual crackers have been exploiting
    for *years* before anyone found out about them.

    So, does that mean that this was used before? Who knows. It's
    certainly not impossible.

    steve
     
    Steve Wolfe, Jul 23, 2003
    #7
  8. In article <bfl19v$fu491$-berlin.de>,
    Dave Phelps <> wrote:
    >So it was missed. Although a major headache for the entire world, not a
    >single Cisco engineer probably asked the question, "What happens if I
    >flood the router with protocol 55 packets?" To be honest, this has been
    >an issue since 11.0, and not a single person, hackers, crackers,
    >engineers, security folks, or 12-year-old anywhere in the world asked
    >the same question. It seems such a glaring error now that we know about
    >it, but no one found it in all the time that IOS has been vulnerable.


    So what's your point? Sure, some bugs get discovered sooner than others --
    that's been true since the beginning of the computer age. Sometimes bugs
    are even well-known, but they don't get fixed until someone makes a public
    demonstration of how serious they are (e.g. the sendmail "DEBUG" command
    that was exploited by the Morris Worm).

    --
    Barry Margolin,
    Level(3), Woburn, MA
    *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
    Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
     
    Barry Margolin, Jul 23, 2003
    #8
  9. Evan Wagner

    Evan Wagner Guest

    In comp.dcom.sys.cisco totojepast <> wrote:
    > Should the ISP prefer upgrading the IOS or filtering the traffic using
    > ACLs? According to The Register, British Telecom's "attempts to guard
    > against a serious security problem overnight inadvertently disrupted the
    > connections of a substantial minority of UK Net users this morning." ("BT
    > overdoses on Cisco security fix",
    > http://www.theregister.co.uk/content/55/31828.html).


    > One of the major ISPs in another European country experienced a similar
    > incident. Did the IOS upgrade in your network run smoothly? Had the routers
    > and the switches enough memory to upgrade smoothly?


    > And have you experienced any attempts to exploit the Cisco IOS bug?


    Not attempts to exploit the Cisco IOS bug, but I have noticed a few
    ISPs who rolled back to unpatched versions of IOS because it broke
    connectivity for a bunch of their customers.

    --Evan

    > Best regards,


    > TJP
     
    Evan Wagner, Jul 24, 2003
    #9
  10. Jim Kirby

    Jim Kirby Guest

    Dave Phelps <> wrote in message news:<bfnscp$gskrp$-berlin.de>...

    > I'm also asking HB to elaborate on why he thinks QA is going downhill. I'll be the first
    > to admit that I'm nowhere near the router jockey that you and HB are, so admittedly my
    > view of the QA issue is narrow.
    >


    I can elaborate, and will do so gladly. And it's not just the
    software QA that is sliding. Ever since Cisco announced the 8,000
    person layoff some year ago, TAC quality has fallen precipitously,
    IOS quality has dropped, and hardware quality has plummeted.

    Since January of this year we've had to build an IOS test lab just to
    stress test any IOS upgrades before deployment. Mostly to vet the
    upgrade process. Yes, this should be common practice but is not in
    many small enterprises. And in fact, until a year or so ago, it really
    wasn't necessary for IOS if you stayed away from the more esoteric
    trains. In the last 5 months, one of my CCNA engineers has gotten
    Cisco to recognize 5 unique IOS bugs. (This was not an easy process
    for him as TAC sucks.)

    And hardware quality is crap. Since January we are running nearly 50%
    RMA rate on new purchases. For some models (Cat 4500's, 7204's and
    AS5350's) we have experienced a 100% hardware failure rate. In all
    cases we marked the RMAs for Engineering Fault Analysis (EFA) and so
    far have not gotten a single response on why the device failed.

    And don't get me started on TAC. We are in the process of moving our
    support contracts, which we've had for nearly 10 years, to a third
    party. Calling TAC anymore is a joke. You can't call in on anything
    less than a priority 2, and even then you are not guaranteed to get an
    engineer who knows anything about your product. We've had to request
    escalation or engineer replacement, or involve our local Cisco reps, in
    100% of the cases we've opened this year, some 25-30 of them.

    It used to be that Cisco had remarkably reliable products and the best
    tech support in all of IT. Unfortunately they are rapidly losing this
    position.

    jk
     
    Jim Kirby, Jul 24, 2003
    #10
  11. totojepast

    totojepast Guest

    > Not attempts to exploit the Cisco IOS bug, but I have noticed a few
    > ISPs who rolled back to unpatched versions of IOS because it broke
    > connectivity for a bunch of their customers.


    Can anybody specify the ISPs who did that?
     
    totojepast, Jul 25, 2003
    #11