Udp Reverse Path Messages On Fw And Dos

Full Version: Udp Reverse Path Messages On Fw And Dos

GovernmentSecurity.org > The Archives > Exploit Articles

Chris.ology

May 25 2004, 03:42 PM

Hey team, what do you think of this? My PIX acted as if a successful DoS attack was leveled against it. The logs show the following information:
3,380 events, PIX log code "1-106021""Deny udp reverse path check from 68.70.167.1 to 255.255.255.255 on outside interface"

The PIX was completely unresponsive and required a reboot. The outside interface was unable to maintain it's DHCP'd public address during this event but I just cannot see UDP saturating a 3Megabit pipe so what do you think about this? Is there a possibility that some kind of new vulnerability is being exploited on PIXes?

I don't have a packet dump but the IP listed above is an ISP gateway address.

Thanks, Chris.ology

AgentOrange

May 25 2004, 04:08 PM

I would like to see a packet dump. I think this is goes under the same class of attacks as the SYN studder. There is a similar DNS multiplier attack where you make DNS request spoofing your victims address. There should be a lot of these multiplier types of attacks in various UDP services because it is "connectionless."

Only 3,380 events... packets? Where you DoSed after that?

Peace out

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.