DOS Attack Behavior and CSS11506

Roble Mumin
Level 3

Some security guy decided this morning to run a full scan for any exploits using Nessus, the *NIX tool.

After he reached our two CSS11506, they both deny HTTP, FTP or SSH sessions. Content redirection is still working, although some users report it being slower than usual. Using the serial console connection I can still access the CLI.

Q: Is the behavior of inaccessible services like FTP, SSH, HTTP, etc. caused by a successful exploit, or is this a "shutdown" by design?

If this is designed behavior, can I restore the previous behavior with a command in config or privileged mode? My only current option is a restart of both CSS.

Log from today:

--------
MAY 3 11:05:51 1/1 1494 NETMAN-4: Did not receive identification string from <Source IP>
MAY 3 11:05:51 1/1 1495 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
MAY 3 11:05:51 1/1 1496 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
MAY 3 11:05:51 1/1 1497 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. GET / HTTP/1.0
MAY 3 11:06:02 1/1 1498 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. SSH-9.9-NessusSSH_1.0
---------
MAY 3 11:07:33 1/1 1509 NETMAN-0: Read from socket failed: errno = 0x36
MAY 3 11:09:22 1/1 1510 NETMAN-4: Did not receive identification string from <Source IP>
MAY 3 11:17:05 1/1 1511 NETMAN-0: Couldn't obtain random bytes (error 604389476)
MAY 3 11:17:05 1/1 1512 NETMAN-0: key_free: bad key type -1899582736
MAY 3 11:17:05 1/1 1513 NETMAN-4: Did not receive identification string from <Source IP>
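As an added example (not from the original post, and not Cisco code), here is a small Python parser for NETMAN log lines like the ones quoted above. It separates what the scanner did (connections that sent no banner, an HTTP request sent to the SSH port, the scanner's own SSH banner) from the later messages that point at the CSS's SSH daemon failing internally, which is the distinction the poster's question turns on. The sample log text, the source address 192.0.2.10 standing in for the redacted <Source IP>, the scanner marker list and all function names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the NETMAN lines quoted in the post.
# 192.0.2.10 (a documentation address) stands in for the "<Source IP>" the
# poster redacted; it is an assumption, not data from the page.
SAMPLE_LOG = """\
MAY 3 11:05:51 1/1 1494 NETMAN-4: Did not receive identification string from 192.0.2.10
MAY 3 11:05:51 1/1 1495 NETMAN-4: Protocol major versions differ for 192.0.2.10: SSH-1.99-OpenSSH_3.0.2p1 vs.
MAY 3 11:05:51 1/1 1497 NETMAN-4: Protocol major versions differ for 192.0.2.10: SSH-1.99-OpenSSH_3.0.2p1 vs. GET / HTTP/1.0
MAY 3 11:06:02 1/1 1498 NETMAN-4: Protocol major versions differ for 192.0.2.10: SSH-1.99-OpenSSH_3.0.2p1 vs. SSH-9.9-NessusSSH_1.0
MAY 3 11:07:33 1/1 1509 NETMAN-0: Read from socket failed: errno = 0x36
MAY 3 11:17:05 1/1 1511 NETMAN-0: Couldn't obtain random bytes (error 604389476)
MAY 3 11:17:05 1/1 1512 NETMAN-0: key_free: bad key type -1899582736
MAY 3 11:17:05 1/1 1513 NETMAN-4: Did not receive identification string from 192.0.2.10
"""

# One NETMAN log line: month day time slot sequence NETMAN-<severity>: message
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z]{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<slot>\S+) (?P<seq>\d+) NETMAN-(?P<sev>\d): (?P<msg>.*)$"
)
# The SSH banner exchange: what the CSS sent vs. what the peer sent (may be empty).
VERSIONS_RE = re.compile(
    r"^Protocol major versions differ for (?P<ip>\S+): (?P<ours>\S+) vs\.(?: (?P<theirs>.*))?$"
)
NO_IDENT_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)$")

# Messages about the daemon's own state rather than about the peer's behaviour.
DAEMON_FAULTS = ("Couldn't obtain random bytes", "key_free: bad key type")
# Substrings of peer banners that identify a known scanner (assumption: only
# the one the post shows; extend the tuple for others).
SCANNER_MARKERS = ("nessus",)


def classify(msg):
    """Return (kind, source_ip, detail) for one NETMAN message body."""
    m = VERSIONS_RE.match(msg)
    if m:
        theirs = m.group("theirs") or ""
        if not theirs:
            return "empty-banner", m.group("ip"), theirs
        if not theirs.startswith("SSH-"):
            # Something other than SSH was spoken to the SSH port (here an HTTP request).
            return "foreign-protocol", m.group("ip"), theirs
        if any(mark in theirs.lower() for mark in SCANNER_MARKERS):
            return "scanner-banner", m.group("ip"), theirs
        return "version-mismatch", m.group("ip"), theirs
    m = NO_IDENT_RE.match(msg)
    if m:
        # TCP connect with no banner at all: typical of a port sweep.
        return "no-ident", m.group("ip"), ""
    if any(fault in msg for fault in DAEMON_FAULTS):
        return "daemon-fault", None, msg
    return "other", None, msg


def analyse(log_text):
    """Summarise probes per source and whether the SSH daemon reported internal faults."""
    probes = defaultdict(Counter)
    faults = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, ip, detail = classify(m.group("msg"))
        if ip is not None:
            probes[ip][kind] += 1
        elif kind == "daemon-fault":
            faults.append((int(m.group("seq")), m.group("time"), detail))
    scanner_sources = sorted(
        ip for ip, kinds in probes.items()
        if kinds["scanner-banner"] or kinds["foreign-protocol"]
    )
    return {
        "probes": {ip: dict(kinds) for ip, kinds in probes.items()},
        "scanner_sources": scanner_sources,
        "daemon_faults": faults,
        # RNG/key errors logged after the probes are the daemon's own state,
        # i.e. a software fault rather than a deliberate lockdown.
        "sshd_degraded": bool(faults),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, kinds in result["probes"].items():
        print(ip, kinds)
    print("scanner sources:", result["scanner_sources"])
    print("daemon faults:", result["daemon_faults"])
    print("sshd degraded:", result["sshd_degraded"])
```

The useful split is between the NETMAN-4 lines, which only record what the peer sent and are harmless on their own, and the NETMAN-0 "Couldn't obtain random bytes" / "key_free" lines, which the daemon logs about itself; if the second group appears, the management services are in a fault state rather than shut down on purpose, and the log timestamps tell you whether they started during or after the scan.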


Gilles Dufour
Cisco Employee

This is not by design.

Looks more like a CSS software issue following the attack.

What's the status of the content rule if you do 'sho summary'?

Can you ping the VIP addresses?

Is the attack still going on?

Can you try to access a VIP from a locally attached device?

Finally, there were a few SSH bugs fixed recently.

You may want to run the latest version if not already the case.

Regards,

Gilles.

Too bad regarding the design issue; that means I have to restart both CSS.

When I last checked the VIP addresses and show summary, everything was looking normal. The two CSS are still running with bugged SSH/HTTP service, but content redirection is still working fine. That is at least the most important thing about it.

The "attack" was only this morning, so everything is okay by now. But before rebooting the machines I wanted to verify whether this was on purpose or, as it seems, a DoS exploit in some way.

Regarding the update, I will check that out tomorrow. If you would like some special information for debugging purposes, just let me know before I restart the machines.

Thanks for the feedback,

Roble
