SANS ISC: Cisco Security Advisory TCP DoS - SANS Internet Storm Center
Cisco Security Advisory TCP DoS

ISC reader Kurt reported that Cisco has released an advisory on TCP state manipulation that causes a denial of service affecting multiple Cisco products. If an attacker forces TCP connections into a long-lived or indefinite state, preventing new TCP connections from being accepted, it could cause a DoS indefinitely.

Additional information on the Cisco advisory is available here.

The following products are affected:

  • Cisco IOS-XE Software
  • Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected if they are configured with specific features
  • The version of Cisco NX-OS Software that is running on Cisco Nexus 5000 and 7000 series devices
  • Scientific Atlanta customers are instructed to contact Scientific Atlanta's Technical Support for questions regarding the impact, mitigation and remediation of the vulnerabilities
  • Customers with Linksys products should contact Linksys security for questions regarding the impact, mitigation and remediation of the vulnerabilities

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org


In addition to the Cisco advisory, there is additional information and responses to the issue from other vendors here ==>  - M


523 Posts
ISC Handler
Sep 8th 2009
According to the advisory, 'A device running Cisco IOS Software that is under attack will have numerous hung TCP connections in the FINWAIT1 state.'

I believe this is the issue presented in Phrack #66 and mentioned here in diary #6574 ( ). If I remember rightly, the attacker sends TCP ACKs every few minutes or so with 'win 0', which I think you can match in Linux iptables with '-m u32 --u32 0x20&0xffff=0x0', e.g. for LOGging, or even DROPping (which would allow the connection to time out and reset, preventing the attack).
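
As an added illustration (not code from the diary, the commenter or Cisco), the following Python emulates the u32 expression from the comment over constructed IPv4/TCP packets and sets it beside a header-aware check. The u32 offset 0x20 lands on the TCP window field only when the IP header is exactly 20 bytes; with IP options present the same expression reads part of the acknowledgement number instead, which the header-aware version handles. The packets, addresses and alert threshold are constructed assumptions.

```python
import struct
from collections import Counter

ACK = 0x10  # TCP ACK flag bit

def tcp_fields(packet: bytes):
    """Return (src_ip, flags, window) for an IPv4/TCP packet, honouring the IHL field."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:  # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    tcp = packet[ihl:]
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    return src, flags, window

def matches_u32_rule(packet: bytes) -> bool:
    """Emulate '-m u32 --u32 0x20&0xffff=0x0': 32-bit word at IP offset 32, low 16 bits == 0.
    This is the TCP window only for a 20-byte IP header (no options)."""
    if len(packet) < 36:
        return False
    return (struct.unpack("!I", packet[32:36])[0] & 0xFFFF) == 0

def is_zero_window_ack(packet: bytes) -> bool:
    """Header-aware version of the same idea: TCP, ACK set, advertised window == 0."""
    parsed = tcp_fields(packet)
    if parsed is None:
        return False
    _, flags, window = parsed
    return bool(flags & ACK) and window == 0

def zero_window_sources(packets, threshold: int = 3) -> dict:
    """Tally zero-window ACKs per source and return sources at or above the threshold (constructed)."""
    counts = Counter(tcp_fields(p)[0] for p in packets if is_zero_window_ack(p))
    return {src: n for src, n in counts.items() if n >= threshold}

def build_packet(src: str, window: int, flags: int = ACK, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP sample packet; checksums are left zero since nothing validates them here."""
    ihl = 5 + len(ip_options) // 4
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes([192, 0, 2, 1])  # documentation address, constructed
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 40 + len(ip_options),
                     0, 0, 64, 6, 0, src_b, dst_b) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, window, 0, 0)
    return ip + tcp
```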
