ITSS Information Security Services
Security Alert: Denial of Service in Cisco IOS Caused by IPv4 Packets -- 17 July 2003
Summary
All Cisco devices running versions of the Internetworking Operating System (IOS) prior to 12.3, and configured to process IPv4 packets (the standard protocol in use on the Internet and in the majority of TCP/IP networks), are vulnerable to a denial of service attack [1,2]. A specific sequence of specially crafted IP version 4 packets can cause a Cisco interface to stop processing network traffic, by convincing the operating system that the interface's input queue is full.
Unless a Cisco device has been explicitly configured not to accept IPv4 packets, or has been upgraded to a fixed release (the 12.3 train of IOS, or a fixed build of an earlier train), it is exposed to this denial of service. A complete matrix of vulnerable IOS versions and fixed releases is online in the Software Versions and Fixes section of the Cisco advisory [1]. Administrators of Cisco devices are strongly encouraged to upgrade their version of IOS as quickly as possible, or, until they can, to apply the workarounds described in the Countermeasures section below.
Technical Details
Routers are devices designed to process and forward a variety of types of network traffic. The most common protocol suite is TCP/IP, and the vast majority of TCP/IP traffic uses version 4 of the Internet Protocol (IPv4) for its addressing and routing [3]. Versions of Cisco's network device operating system (Cisco IOS) prior to 12.3 contain a flaw that allows specially crafted packets to fool the IOS into believing that the packet input queue on a given interface is full.
Once enough crafted packets have been received, the router stops processing traffic on the affected interface. The default input queue size is 75 packets. The only way to resolve the problem is to reboot the router. Because operator intervention is required to clear the input queue, and the blocked interface no longer accepts any traffic, it is trivial to make a vulnerable router completely inaccessible remotely.
To detect a router that has been subjected to this category of attack, run the show interfaces command from an IOS enable (privileged) prompt:
    cisco#show interface ethernet 0/0
    Ethernet0/0 is up, line protocol is up
      Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
      Internet address is 172.16.1.9/24
      MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
      Encapsulation ARPA, loopback not set, keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:41, output 00:00:07, output hang never
      Last clearing of "show interface" counters 00:07:18
      Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
The Input queue line of the command output tells the sordid story: there are 76 packets in the input queue, which has a maximum of 75 packets. A healthy interface reports a queue size well below its maximum; a blocked one stays at or above it and never drains.
Note also that the crafted packets are not logged by the router, so there is no automatic indication of an attack in progress: no alarm is raised when an interface becomes unavailable, and the system will not recover without manual intervention. The only way to notice the condition is to inspect the interface counters as above.
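Because the router raises no alarm, the practical detection is to poll show interfaces (over an SSH or expect session, or from a configuration collector that already gathers it) and flag any interface whose input queue size has reached its maximum. The following Python script is an added example for this alert, not code from ITSS or from Cisco: it parses pasted show interfaces output and reports the blocked interfaces. The three-interface output it parses is constructed for the example (Ethernet0/0 is the blocked interface shown above; Ethernet0/1 and Serial1/0 are made-up healthy interfaces for contrast).

```python
"""Flag Cisco IOS interfaces whose input queue is wedged (size >= max).

Added example for the ITSS alert; not code from the alert or from Cisco.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interface header line: "Ethernet0/0 is up, line protocol is up"
IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
# Queue counters: "Input queue: 76/75/1091/0 (size/max/drops/flushes); ..."
QUEUE_RE = re.compile(
    r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)"
)
# Idle timer: "Last input 00:00:41, output 00:00:07, output hang never"
LAST_INPUT_RE = re.compile(r"Last input (\S+), output")


@dataclass
class InterfaceState:
    name: str
    status: str          # "up", "administratively down", ...
    size: int            # packets currently in the input queue
    max_size: int        # queue limit, 75 by default
    drops: int
    flushes: int
    last_input: str = "unknown"

    @property
    def wedged(self) -> bool:
        # The alert's signature: the queue at or beyond its maximum.
        return self.size >= self.max_size


def parse_show_interfaces(text: str) -> list[InterfaceState]:
    """Parse 'show interfaces' output into one record per interface."""
    states: list[InterfaceState] = []
    name = status = None
    last_input = "unknown"
    for raw in text.splitlines():
        line = raw.strip()               # IOS indents the detail lines
        m = IFACE_RE.match(line)
        if m:                            # new interface block begins
            name, status = m.group(1), m.group(2)
            last_input = "unknown"
            continue
        m = LAST_INPUT_RE.search(line)
        if m:
            last_input = m.group(1)
            continue
        m = QUEUE_RE.search(line)
        if m and name is not None:
            size, max_size, drops, flushes = (int(g) for g in m.groups())
            states.append(InterfaceState(name, status, size, max_size,
                                         drops, flushes, last_input))
    return states


def wedged_interfaces(text: str) -> list[str]:
    """Names of interfaces whose input queue is full: the ones to investigate."""
    return [s.name for s in parse_show_interfaces(text) if s.wedged]


# Constructed sample: Ethernet0/0 is the blocked interface from the alert;
# Ethernet0/1 and Serial1/0 are made-up healthy interfaces for contrast.
SAMPLE_OUTPUT = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
  Internet address is 172.16.1.9/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Last input 00:00:41, output 00:00:07, output hang never
  Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
Ethernet0/1 is up, line protocol is up
  Hardware is AmdP2, address is 0050.500e.f1e1 (bia 0050.500e.f1e1)
  Internet address is 172.16.2.9/24
  Last input 00:00:01, output 00:00:00, output hang never
  Input queue: 3/75/0/0 (size/max/drops/flushes); Total output drops: 0
Serial1/0 is administratively down, line protocol is down
  Last input never, output never, output hang never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

if __name__ == "__main__":
    for state in parse_show_interfaces(SAMPLE_OUTPUT):
        flag = "WEDGED" if state.wedged else "ok"
        print(f"{state.name:12} {state.size}/{state.max_size} "
              f"drops={state.drops} last_input={state.last_input} {flag}")
```

A queue can legitimately sit at its maximum for a moment during a traffic burst, so treat a single full reading as a warning and raise the alarm only when the same interface stays full across consecutive polls; on a blocked interface the Last input timer also keeps growing, because no new packets are being accepted. The script keeps that value so the poller can apply both checks.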
Countermeasures
ITSS strongly recommends that all administrators of Cisco devices running vulnerable versions of IOS upgrade immediately to prevent loss of service from this significant and well-publicized vulnerability.
The only other workaround suggested by Cisco is to use IOS Access Control Lists to keep the triggering IPv4 packets from reaching the interfaces of a vulnerable device. The ACL entries, and guidance on where they must be applied, are in the Workarounds section of the Cisco advisory [1]. This must be considered a short-term measure: the filter has to be maintained on every interface being protected, and for the vast majority of Cisco users forwarding IPv4 traffic is the router's raison d'etre in the first place. Filtering IPv4 more broadly than the advisory prescribes will usually make a Cisco router unusable, or at a minimum much more labor-intensive to maintain.
References
[1] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
[2] CERT Advisory CA-2003-15: Cisco IOS Interface Blocked by IPv4 Packet
[3] RFC 1812, Requirements for IP Version 4 Routers
Last modified Wednesday, 08-Feb-2006 11:46:08 PST
© 2003, Stanford University. All rights reserved.