A publicly available document on how to use how the Internet Control Message Protocol (ICMP) to launch denial-of-service attacks has prompted Cisco Systems to issue an advisory outlining a variety of vulnerable products.
"A document that describes how the ICMP could be used to perform a number of denial-of-service attacks against the Transmission Control Protocol [TCP] has been made publicly available," the San Jose, Calif.-based networking giant said in the advisory. "This document has been published through the Internet Engineering Task Force Internet Draft process, and is entitled 'ICMP Attacks Against TCP.'"
Cisco said three types of attacks can occur:
- Those using ICMP "hard" error messages;
- Those using ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery [PMTUD] attacks; and
- Those using ICMP "source quench" messages.
"Successful exploitation of attacks using crafted ICMP 'hard' error messages may
While throughput is low, Cisco warned that "the output buffer of a sending host could overflow or packets could be dropped or be unnecessarily fragmented, which may affect applications and communication efficiency. Accordingly, crafted ICMP packets could interfere with network protocols, such as the Border Gateway Protocol, Label Distribution Protocol [LDP] and Data-Link Switching [DLSw]."
The company added that a PMTUD attack could push the CPU into overdrive and that extra memory on the receiving host could be eaten up because the CPU "will spend time and memory buffers to reassemble the incoming fragmented packets."
The advisory outlines free software available to fix the vulnerabilities in Cisco's products. It also outlines a list of workarounds for IT shops that can't immediately upgrade their systems.
Vulnerable Cisco products include:
- Internetwork Operating Software [IOS]
- IOS XR
- IP Phones
- PIX Security Appliance
- Catalyst 6608 and 6624
- Cisco 11000 and 11500
- Cisco GSS
- MDS 9000
- VPN 5000 Concentrator
- Some ONS products