Malformed Packet Causes Cisco Router DoS
MoreBeer writes "Patch 'em if you've got 'em... Cisco Security Advisory: Cisco IOS Malformed OSPF Packet Causes Reload states that a malformed OSPF packet can cause a router 'reload' (reboot). Vulnerable IOS versions include 12.0S, 12.2, and 12.3 ... If you're not screening OSPF at your perimeter and using OSPF Authentication, now would be a GREAT time to start."
I notice that Cisco isn't displaying this on their front page. It seems like they should be screaming for everybody to fix the problem.
Quick walkthrough that I usually reference:
Easy example of how to set up OSPF Authentication
AC
I had to look it up. OSPF
What a great time to post a link to www.routergod.com! Here are the two parts of Seven of Nine's lecture on OSPF:
http://www.routergod.com/sevenofnine/
http://www.routergod.com/sevenofnine/ospf_part_2.html
To be honest, if this causes trouble for you then it's your own damn fault. If you accept OSPF packets from the Internet and/or you're not doing OSPF authentication then you deserve to be pwned.
1. Don't use an IGP on an exterior interface.
2. Don't send out routing updates on subnets/interfaces that don't need it. (For those of you with L3 switches that means using the passive-interface command on your vlans.)
3. If your routing protocol offers an authentication option then use it.
I used to think these things were obvious. Then I started interviewing other "senior" network engineers and realized they may not be...
(BTW, kiddies, if you say you're a "senior network engineer" and you say that you know OSPF and I ask you if OSPF uses multicast or unicast and when does it use it/them then you had better be able to answer the question...)
"Where quality is like a dead stinking rat - you just can't miss it."
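The three points above as they would look in a Cisco IOS configuration. This is an added illustration, not configuration posted by the commenter or taken from the Cisco advisory; the interface names, the router ID, the 10.10.10.0/24 and 203.0.113.0/30 addresses (RFC 5737 documentation space) and the ACL name are constructed for the example, and the MD5 key is a placeholder to be replaced with a real shared secret.

```cisco
! Added example, not from the original thread. Addresses, interface names
! and the ACL name are constructed; replace the key placeholder before use.
!
! (1) No IGP on the exterior interface: the WAN link is not listed under
!     "router ospf", and an inbound ACL drops OSPF before IOS processes it.
ip access-list extended EDGE-IN
 deny   ospf any any
 permit ip any any
!
interface GigabitEthernet0/0
 description Exterior link - no OSPF here
 ip address 203.0.113.2 255.255.255.252
 ip access-group EDGE-IN in
!
! (2) Only speak OSPF where a neighbor is expected: everything is passive
!     by default and the internal VLAN is explicitly re-enabled.
! (3) Authenticate what is left with MD5 on the interface.
interface Vlan10
 description Internal routing segment
 ip address 10.10.10.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-SECRET
!
router ospf 1
 router-id 10.0.0.1
 passive-interface default
 no passive-interface Vlan10
 network 10.10.10.0 0.0.0.255 area 0
 area 0 authentication message-digest
```

With `passive-interface default`, any interface that is later added to the OSPF process stays silent (no hellos, no adjacencies) until it is named in a `no passive-interface` line, which is the safe failure mode for an L3 switch with many VLANs. `show ip ospf interface` and `show ip ospf neighbor` confirm that only the intended segment is active and that the neighbors formed with message-digest authentication.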
T1 cards are readily available in PCI form
OpenBSD at work
Here is one example that uses 802.1Q VLANs.
# Empire Net (now known as My180.net)
An ISP in Bend, Oregon, uses OpenBSD on AMD, Intel, and Sun based hardware, for routing, firewalling, IPsec (VPN), bandwidth limiting, web hosting, database servers, network monitoring, intrusion detection, mail servers, backup servers, cache servers, and workstations. One of their OpenBSD routers handles traffic between a T3 and eight fast ethernet ports, also with several 802.1Q VLANs to separate networks for co-location customers and business park tenants. An OpenBSD mail server handles e-mail storage/retrieval and RADIUS authentication for over 5,000 users. Several OpenBSD web servers each handle over 300 web sites.
The Frame Relay over ATM (FROATM) is supported and this card works with OpenBSD. From the website:
Sangoma's T1/E1 WAN cards have PCI bus interfaces and incorporate an integrated combination T1 and E1 DSU/CSU for a direct connection between the client's server and the demarc. The cards support major protocols including ATM, Frame Relay, PPP, HDLC and X.25 under all popular operating systems including Linux, Windows, FreeBSD, OpenBSD, Unix and Sun Solaris.
You can look at the OpenBSD hardware list for more information.
Currently Asterisk (a VoIP system) is being ported to FreeBSD and OpenBSD. I am not sure if those are complete yet or not, but that can work in coordination with your Voice over ATM (VOATM) and Voice over Frame Relay (VOFR). I realize that VOFR/VOATM is not VoIP, but the system is being designed with that support in mind.
I realize this may not answer all your points but it will help.