Cisco router vulnerable to Malicious IPv4 Packet Sequence DOS

IPv4 packets handled by a Cisco IOS device with protocol type 53 (SWIPE), 55 (IP Mobility) or 77 (Sun ND), each with a Time-to-Live (TTL) value of 1 or 0, or with protocol type 103 (Protocol Independent Multicast, PIM) and any TTL value, may cause the device to incorrectly flag the input queue of an interface as full. A full input queue stops the device from processing inbound traffic on that interface and may cause routing protocol adjacencies to drop once their dead timers expire.

After 4 hours (the default ARP timeout), no traffic is processed anymore on the whole device. The exploit does not trigger any alarm. The attacked device must be rebooted manually to clear the input queue. If the attack is repeated on all interfaces, the device becomes remotely inaccessible.

The solution to this attack is to update the IOS, which may cost money. Cisco recommends applying an ACL on the interface to block unknown traffic from unknown destinations, so that only legitimate protocols (HTTP, SIP, SMTP, etc.) are permitted.
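The interface ACL described above, written out as an added example (it is not configuration from the original post, and it is not quoted from Cisco's advisory): it denies the four IP protocol numbers the post lists, permits the services the post names as legitimate, and drops the rest. The ACL number 101, the interface name FastEthernet0/0, the permitted ports and the OSPF line are assumptions; replace them with what your interface actually carries.

```cisco
! Added example; ACL number, interface name and permitted services are assumed.
!
! Deny the IP protocol numbers from the post, regardless of TTL.
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!
! If PIM (103) is used legitimately on this interface, a permit for the
! known neighbour must be inserted before the deny lines above, e.g.
! access-list 101 permit 103 host 192.0.2.10 any   (192.0.2.10 is a placeholder)
!
! Permit only the traffic this interface legitimately carries (examples).
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit udp any any eq 5060
! Routing-protocol and management traffic also needs explicit permits;
! OSPF is shown as an assumed example.
access-list 101 permit ospf any any
!
! Everything else is dropped and logged so that attempts become visible.
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 ip access-group 101 in
```

Apply the same ACL inbound on every interface, since the post notes the attack can be repeated per interface. The final `log` keyword gives the visibility the post says the exploit otherwise lacks, but ACL logging costs CPU on the router, so keep it on the deny line only and watch the log rate.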

Affected IOS versions can be found here. Other than checking the IOS version, the only way to test for this vulnerability is to exploit it by sending the crafted IPv4 packets.

Core Impact: Cisco IPv4 DoS v1.21
Cisco security advisory: Cisco IOS Interface Blocked by IPv4 Packets
Security Focus: Cisco IOS Malicious IPV4 Packet Sequence Denial Of Service Vulnerability
CERT Advisory CA-2003-15: Cisco IOS Interface Blocked by IPv4 Packet


7 Responses to “Cisco router vulnerable to Malicious IPv4 Packet Sequence DOS”

  1. December 15, 2008 at 12:11 pm

    Cisco WAAS seems good enough if you only have a few sites

  2. Narendra Garg
    February 2, 2009 at 2:22 pm

    this is useful information

  3. May 4, 2009 at 3:19 pm

    Some very interesting and insightful thoughts. I like this.

  4. May 4, 2009 at 3:22 pm

    I’m looking for a good network blog,Nice information.

  5. May 4, 2009 at 3:22 pm

    I am amazed with it. It is a good thing for my research. Thanks. ^_^

  6. May 5, 2010 at 11:36 pm

    Using Cisco ASA5550 or IPS4255-K9. It auto-detects SYN attacks and blocks them in your favour. I'm running a small website but we received DDoS from China IPs. My inty website was saved b/c of the Cisco IPS-4255-K9

    7. albertsiow
      May 6, 2010 at 1:36 am

      Cisco ASA is always good, but it could be costly (especially for personal use). Thanks for your recommendation, Nancy!!
