Chris =-=-=-=-=-=-=-=-=-=-= Chris R. Fairbanks Network Engineer WinterLAN, Inc. 2910 Telegraph Ave. Berkeley, CA 94705 Voice +1.510.486.1812 Fax +1.510.486.1796 <A HREF="http://www.wli.net/">http://www.wli.net/</A> > -----Original Message----- > From: Joe Shaw [SMTP:jshaw@insync.net] > Sent: Friday, June 27, 1997 10:07 AM > To: ascend-users@max.bungi.com > Subject: (ASCEND) Ascend DoS attack > > Problem: > Recently, we noticed a problem in Ascends microcode for the Ascend MAX > 4000 that allowed any user to request any IP address they wanted. > This > problem surfaced in the 4.x versions of code, works on 5.0Ap8, and > probably works on most of the versions of Ascend software. > It was fixed originally some time ago (or at least thats what I was > led to > believe by Ascend), but the problem resurfaced recently. It will > work, > even if you have such things as Assign Adrs and Pool only set to yes. > > The problem can be duplicated by just making your settings in windows > Dialup Networking say Specify IP Address, and then setting it to the > ip > address of a machine on the network you're connecting to. Once > connected, > I telneted from another machine to our router, and sure enough, when I > did > a show ip route xxx.xxx.xxx.xxx, it showed that it was being broadcast > via > OSPF from one of our MAXen, instead of being connected directly to > FDDI0. > I assumed I couldn't get out to the network, but in attempting to > telnet > out from the dialin box, I got to our core cisco and the other > machines on > our network. > > Possibilities: > The ability to take any IP address means that a dialin user can take > the > IP address of a DNS server, a router, anything with an IP address. In > some instances (where proxy mode is enabled on the MAX) you will be > able > to still route to some machines, while not being able to get to others > (this depends on the network setup). Also, it's possible to take the > IP > address of one machine by simply dialing up, and while doing so, you > could > possibly rcp over a password file or any other file you wanted to as > long > as the ip address of the machine is trusted. This makes any service > that > works strictly off of authenticatino of IP address extremely > vulnerable. > You could take over DNS services, grab passwords for people checking > pop > mail, and anything else you can think of. > > Solution: > After some poking around, I upgraded all the MAXen to the latest > version (5.0Ap13), which seems to have fixed the problem. I know most > Ascend users are leary of doing this, since features are fixed, then > broken in later versions of code. But, 5.0Ap13 has been working since > the > begining of this week and has proven to be stable doing multi-chasis > stacking and OSPF. > > Sidenotes: > I don't know if this will work on the MAX TNT, but I'm fairly sure it > will > work on the MAX4002, MAX4004, MAX4048, and MAX4072. If you have one > of > these units, I'd test and make sure, and if you're vulnerable, get the > latest version of code off ftp.ascend.com. > > Joe Shaw - jshaw@insync.net > NetAdmin - Insync Internet Services > Learn more, and you will never starve. > > ++ Ascend Users Mailing List ++ > To unsubscribe: send unsubscribe to > ascend-users-request@bungi.com > To get FAQ'd: <<A HREF="http://www.shore.net/~dreaming/ascend-faq">http://www.shore.net/~dreaming/ascend-faq</A>> > or <<A HREF="ftp://ftp.shore.net/members/dreaming/ascend-faq.txt">ftp://ftp.shore.net/members/dreaming/ascend-faq.txt</A>> ++ Ascend Users Mailing List ++ To unsubscribe: send unsubscribe to ascend-users-request@bungi.com To get FAQ'd: <<A HREF="http://www.shore.net/~dreaming/ascend-faq">http://www.shore.net/~dreaming/ascend-faq</A>> or <<A HREF="ftp://ftp.shore.net/members/dreaming/ascend-faq.txt">ftp://ftp.shore.net/members/dreaming/ascend-faq.txt</A>> </PRE> <!--X-MsgBody-End--> <!--X-Follow-Ups--> <HR> <STRONG>Follow-Ups</STRONG>: <UL> <LI><STRONG><A HREF="msg05921.html">RE: (ASCEND) Ascend DoS attack</A></STRONG></LI> <UL> <LI><EM>From</EM>: Joe Shaw <jshaw@insync.net></LI> </UL> </UL> <!--X-Follow-Ups-End--> <!--X-References--> <!--X-References-End--> <!--X-BotPNI--> <HR> <UL> <LI>Prev by Date: <STRONG><A HREF="msg05921.html">RE: (ASCEND) Ascend DoS attack</A></STRONG> </LI> <LI>Next by Date: <STRONG><A HREF="msg05919.html">Re: (ASCEND) site rework gripe...</A></STRONG> </LI> <LI>Prev by thread: <STRONG><A HREF="msg20454.html">Re: (ASCEND) Ascend Access Control</A></STRONG> </LI> <LI>Next by thread: <STRONG><A HREF="msg05921.html">RE: (ASCEND) Ascend DoS attack</A></STRONG> </LI> <LI>Index(es): <UL> <LI><A HREF="mail582.html#05920"><STRONG>Main</STRONG></A></LI> <LI><A HREF="thrd62.html#05920"><STRONG>Thread</STRONG></A></LI> </UL> </LI> </UL> <!--X-BotPNI-End--> <!--X-User-Footer--> <!--X-User-Footer-End--> </BODY> </HTML>