Tuesday, July 22, 2003

net-tk v. 0.1

I got off my ass and wrote a simple Makefile for arp-tk, ip-tk, tcp-tk, and udp-tk and bundled them together in a package called net-tk. net-tk is a collection of tools written using Libnet that allows you to craft arp, ip, tcp and udp packets with full control over all parameters such as source and destination MAC address, IP address, ports, and all the little quirky parameters you've never heard of or never though you'd use. Enjoy.

Friday, July 18, 2003

Cisco, CYSCO, Sisqo

As many of you who have your ears to the ground (so to speak, anyway) probably already know, damn near all pieces of Cisco equipment are now vulnerable to a seemingly stupid DOS. A series of "magic packets" will reportedly fill the queue on these machines and the only fix is to reboot/reload. Patches and suggested work arounds are out, and every semi-competent admin has been running and will be running around like a chicken with its head cut off well into next week.

Its all really kinda disappointing, actually. Cisco tried to let the big players like the US goverment and major internet backbones (L3, AT&T, etc) know of the issue so they could patch asap, but the rumor leaked. People were running around like nuts wondering what was up. Rumors spread. People paniced. Incorrect information was rampant. Then Cisco officially released. They were stupidly vague in their details, and the only goodies we initially got were that ACLs that blocked all unneccesary/unused IP protocols (i.e., !{1,6,17,etc}) would protect you. That immediately led me to believe that there was a problem with how they handle rare or special IP protocols. Sure enough, a little while later, Cisco revised their advisory and stated that protocols 53, 55, 77 and 103 are to blame. Gee. If this crap were Open Source, this problem would have been discovered, fixed and exploited long, long ago. But noooo. Oh well. Have fun patching. If you are curious, ip-tk can help you test here. Also, I wrote the following Snort signatures, in case you are Snort savvy:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco SWIPE
Protocol"; ip_proto:53; classtype:attempted-dos;
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco IP
Mobility Protocol"; ip_proto:55; classtype:attempted-dos;
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco Sun ND
Protocol"; ip_proto:77; classtype:attempted-dos;
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco PIM
Protocol"; ip_proto:103; classtype:attempted-dos;
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
rev:2;)

In other news, I've been riding every day for the past few days now. Its great. I'm finally back up to speed, and the trails are paying the price. Well, so is my bike. I got on it today and it was creaking, wobbling and grinding. I had snapped a spoke and the wheel was all out of whack, and there was like 10lbs of mud on it. I went to Georgetown-Rowley State Forest again and really embarrassed the people on ATVs and dirt bikes. For the most part I can go faster, go further, and have more fun than you guys, I'm firmly connected to my bike courtesy of my shoes and I get good exercise. Now thats cool.