Ascend Archive
(ASCEND) Problem with ascend pipeline routers. (fwd)

It's not possible to put a 15-30 second authentication timer on the
router? Like, you've got 15 seconds/attempt for 3 attempts at a total of
15 seconds to log in and then you're out?

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services

---------- Forwarded message ----------
Date: Wed, 27 May 1998 00:57:44 -0500
From: Eric Thacker <eric@CAFFREY.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Problem with ascend pipeline routers.

Messing around with a Pipeline 75 I noticed that I could keep open the
password prompt past the normal time limit by sending one character every
second. This resets the timer to 0 and keeps the telnet session to
the router from being closed. I opened up a second telnet to the router
and did this again. Ascend Pipeline routers only allow 2 telnet sessions;
at this point any future attempts get rejected. I was able to keep these
connections for hours by sending data to both password prompts, which would
keep anyone from configuring this router.

I wrote Ascend explaining what I had done and asking them to consider
putting a time limit on the amount of time it takes to enter a password.
This is the response I got back...
-Start-
Date: Tue, 26 May 1998 14:19:30 -0700
From: support <support@ascend.com>
To: eric@caffrey.net
Subject: RE: Ticket #238563

Eric:

The pipeline has no way of telling what is a legit telnet and what is
not and because the box is meant to be accessed this way (both locally
and remotely), a firewall is the best way to restrict telnet access.

--
Ascend Communications, Inc Service & Support
support@ascend.com
http://www.ascend.com/service
-Cut-

I really like Ascend, but this is a lame way of not having to put a 45
second limit on typing in a password when connecting to a router via
telnet.

What can this do?? Someone can effectively keep a Pipeline router from
being configured by opening 2 telnet sessions to the router and sending
data every second. The only way to stop this is to reboot the router and
telnet in before another telnet session is opened by the attacker.

Ways to fix the problem:
1. Filter all incoming telnet traffic to the router from the internet
2. Turn off telnet access and use the console port
3. Don't configure your router

Eric Thacker
System Administrator
Caffrey/Digilink Networks
eric@caffrey.net
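
An added illustration, not part of the original posts and not Ascend's code: a password-prompt reader in Python that keeps the per-character idle timer described above but adds an absolute cap on the whole prompt, the time limit Eric asked for. The function names, the scaled-down timings and the local socket pair standing in for a telnet session are assumptions made for this example.

```python
import socket
import threading
import time

def read_password(conn, idle_timeout, total_deadline=None, max_len=64):
    """Return the typed line, or None if the prompt should be closed."""
    # idle_timeout: seconds allowed between bytes; every byte resets it.
    # total_deadline: cap on the whole prompt, never reset by input.
    #   None means no cap, the behaviour reported in the post.
    start = time.monotonic()
    buf = bytearray()
    while len(buf) < max_len:
        wait = idle_timeout
        if total_deadline is not None:
            remaining = total_deadline - (time.monotonic() - start)
            if remaining <= 0:
                return None              # login window used up
            wait = min(idle_timeout, remaining)
        conn.settimeout(wait)
        try:
            byte = conn.recv(1)
        except socket.timeout:
            return None                  # idle timer or cap expired
        if not byte:
            return None                  # peer closed the connection
        if byte in (b"\r", b"\n"):
            return bytes(buf)
        buf += byte
    return None                          # over-long input

def prompt_open_seconds(total_deadline, idle_timeout=0.2, gap=0.05, count=20):
    """Constructed test peer: one byte every `gap` s, never a newline."""
    server, client = socket.socketpair()
    def trickle():
        for _ in range(count):
            try:
                client.send(b"x")
            except OSError:
                return                   # prompt side already closed
            time.sleep(gap)
    sender = threading.Thread(target=trickle, daemon=True)
    start = time.monotonic()
    sender.start()
    result = read_password(server, idle_timeout, total_deadline)
    elapsed = time.monotonic() - start
    server.close()
    sender.join()
    client.close()
    return result, elapsed
```

With the constructed peer, `prompt_open_seconds(None)` keeps the prompt open for as long as bytes keep arriving, while `prompt_open_seconds(0.3)` closes it at the cap and frees the session slot.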