ITSS Information Security Services
Protocol Information on Cisco IOS Denial of Service -- 17 Jul 2003
Additional Information about Cisco Vulnerability
This information supplements the ITSS Security Alert: Denial of Service in Cisco IOS Caused by IPv4 Packets.
Cisco has revealed the protocol types for the denial of service attack packets described in its recent security advisory [1]. They are:

- IP Protocol 53 -- SWIPE -- a network-layer encrypted encapsulation protocol for IP; pre-dates IPsec and seems not to have been widely implemented [2].
- IP Protocol 55 -- IP Mobility -- a minimal encapsulation scheme developed to modify routing for IP datagrams [3].
- IP Protocol 77 -- Sun Network Disk boot protocol -- a temporary protocol assignment that predates the invention of the Network File System [4] in 1984 [5].
- IP Protocol 103 -- Protocol Independent Multicast (PIM) -- a multicast routing protocol designed to thrive in sparsely populated wide area networks, and the only one of the vulnerable protocols that appears to still be in active use and development [6,7].
Are my Ciscos vulnerable?
Network devices running Cisco IOS versions prior to the 12.3 release train contain the vulnerable software. But there are a couple of special situations that reduce or eliminate the exposure to denial of service attacks:

Interfaces that are explicitly configured to run PIM are not vulnerable to the protocol 103 DoS; they are, without proper filtering or an upgrade, still vulnerable to the protocol 53, 55, and 77 DoS. When PIM is enabled, IP protocol 103 packets are removed from the interface input queue as part of the router's PIM management tasks, and therefore do not contribute to filling the input queue. Otherwise those packets, like the other protocols identified above, eventually fill the input queue and bring down the router interface. To identify interfaces configured to support PIM, look for the phrases ip pim dense-mode, ip pim sparse-mode, or ip pim sparse-dense-mode in the output from a show interface command.
In addition to using the show interface command to identify full input queues on non-responsive routers [1, earlier advisory], the show buffers command can be used to determine whether packets in an input queue are composed of the evil IP protocols:
    cisco#show buffers input-interface serial 0/0
    Buffer information for Small buffer at 0x612EAF3C
      data_area 0x7896E84, refcount 1, next 0x0, flags 0x0
      linktype 7 (IP), enctype 0 (None), encsize 46, rxtype 0
      if_input 0x6159D340 (FastEthernet3/2), if_output 0x0 (None)
      inputtime 0x0, outputtime 0x0, oqnumber 65535
      datagramstart 0x7896ED8, datagramsize 728, maximum size 65436
      mac_start 0x7896ED8, addr_start 0x7896ED8, info_start 0x0
      network_start 0x7896ED8, transport_start 0x0
      source: 212.176.72.138, destination: 212.111.64.174, id: 0xAAB8, ttl: 41, prot: 103
The prot: 103 response in the last line of the command output reveals that the buffer contains evil packets.
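As an added illustration that is not part of the ITSS page or of Cisco's tooling, the Python below applies the two checks described above to constructed sample data: it picks out PIM-enabled interfaces from a running-config fragment, then flags show buffers records whose prot: field is 53, 55, 77 or 103, ignoring protocol 103 on interfaces that run PIM (where IOS drains those packets itself). The interface names, addresses and buffer records are constructed, not captured from a real device.

```python
import re
# IP protocol numbers named in the Cisco advisory, with the names used above.
DOS_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}
PIM_PHRASES = ("ip pim dense-mode", "ip pim sparse-mode", "ip pim sparse-dense-mode")

# Constructed 'show buffers' records modelled on the one quoted above (documentation
# addresses; fields the parser does not use are omitted). Protocol 6 is ordinary TCP.
SAMPLE_SHOW_BUFFERS = """\
Buffer information for Small buffer at 0x612EAF3C
  if_input 0x6159D340 (FastEthernet3/2), if_output 0x0 (None)
  source: 192.0.2.10, destination: 198.51.100.1, id: 0xAAB8, ttl: 41, prot: 103
  if_input 0x6159D340 (FastEthernet3/2), if_output 0x0 (None)
  source: 192.0.2.11, destination: 198.51.100.1, id: 0x0001, ttl: 64, prot: 6
  if_input 0x6159E100 (Serial0/0), if_output 0x0 (None)
  source: 192.0.2.12, destination: 198.51.100.2, id: 0x0002, ttl: 30, prot: 77
  if_input 0x6159E100 (Serial0/0), if_output 0x0 (None)
  source: 192.0.2.13, destination: 198.51.100.2, id: 0x0003, ttl: 30, prot: 103
"""

# Constructed running-config fragment: only FastEthernet3/2 runs PIM.
SAMPLE_CONFIG = """\
interface FastEthernet3/2
 ip address 198.51.100.1 255.255.255.0
 ip pim sparse-mode
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
"""

def pim_interfaces(config):
    """Return the names of interfaces whose configuration enables PIM."""
    enabled, current = set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and line.strip() in PIM_PHRASES:
            enabled.add(current)
    return enabled

def suspect_buffers(show_buffers, pim_enabled):
    """Return (interface, src, dst, proto, name) per buffered packet in an advisory protocol; 103 is ignored on PIM interfaces."""
    hits, ifname = [], None
    for line in show_buffers.splitlines():
        if m := re.search(r"if_input \S+ \(([^)]+)\)", line):
            ifname = m.group(1)
        elif m := re.search(r"source: (\S+), destination: (\S+),.*\bprot: (\d+)", line):
            proto = int(m.group(3))
            if proto in DOS_PROTOCOLS and not (proto == 103 and ifname in pim_enabled):
                hits.append((ifname, m.group(1), m.group(2), proto, DOS_PROTOCOLS[proto]))
    return hits
```

Run on the samples, the protocol 103 buffer on FastEthernet3/2 is not reported because that interface runs PIM, while the protocol 77 and 103 buffers on Serial0/0 are.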
Any access control mechanism that blocks IP protocol 53, 55, 77, and 103 packets from reaching a Cisco device will prevent attacks based on this vulnerability from succeeding. These controls can be implemented in IOS Access Control Lists as described in the Workarounds section of the Cisco advisory, or in separate devices such as firewalls. IP/53, IP/55 and IP/77 are all obsolete protocols, so blocking them at routers and/or firewalls should have no impact on production environments. IP/103 is still in use, but exposure on PIM-enabled interfaces is reduced, since the IOS task that handles this protocol drains those packets from the input queue and so mitigates the risk of DoS.
References

[1] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
[2] swIPe: Network Layer Security for IP
[3] RFC 2004: Minimal Encapsulation Within IP
[4] Setting Up a ndbootd Server
[5] NFS History
[6] Protocol Independent Multicast Charter
[7] Protocol Independent Multicast
Acknowledgements

ITSS Information Security Services would like to thank Rob Thomas for his explanation of PIM packet scheduling on Cisco interfaces.
Last modified Wednesday, 08-Feb-2006 11:46:08 PST
© 2002, Stanford University. All rights reserved.