Despite fears that a flaw in the software that controls most of
the routers and switches in the Internet would lead to widespread
attacks and network outages, security monitoring companies said they
have seen little indication of that happening.
The vulnerability, which affects nearly all routers and devices
running Cisco Systems Inc.'s IOS (Internetwork Operating System)
software, was disclosed July 16, and a working exploit for the flaw
hit the Internet two days later. Security experts and network
operators worried that the ubiquity of Cisco's devices on the
Internet and the easy availability of exploit code would lead to
mass attacks on vulnerable routers.
But none of that has come to pass yet.
been generally pretty quiet. The ISPs had pulled together and gotten
their patches and access control lists done," said Charles Kaplan,
senior director of research and managed security services and
information security officer at Guardent Inc., a managed security
services provider based in Waltham, Mass. "We've been getting a lot
of calls from clients asking for advice, but no one has been
screaming. It really looks like the ISPs did their jobs."
Timeline for Cisco flaw disclosure
Cisco begins informing large customers of the flaw
Cisco's official bulletin is released
Working exploit for the flaw is posted online
Attack activity begins but never reaches level
Officials at Internet Security Systems Inc., in Atlanta, reported
seeing some attack activity soon after the exploit was released. But
the activity didn't reach the levels some experts had predicted.
The vulnerability arises from IOS' failure to correctly handle
some types of IPv4 packets sent to the device. When a set number of
any of the types of packets hits the router, IOS mistakenly flags
the input queue on the network interface as being full. After a
period of time, the device stops processing traffic.
Cisco's official advisory on the subject said the packets needed
to be sent in a certain sequence. However, testing done by an
independent consultant showed this to be incorrect. In fact, attack
packets in any one of the four affected protocols can be used to
hang a vulnerable router, according to research done by Jeffrey
Sicuranza, principal consultant at Applied Methodologies Inc., a
research lab based in Wantagh, N.Y. Cisco officials eventually
amended their advisory to reflect Sicuranza's findings. The company
also went so far as to list exactly which protocols could be used to
send the offending packets to vulnerable routers, further raising
fears that widespread attacks were imminent.
The device can be forced to stop routing any traffic on any
interface and requires a complete restart to resume normal
The big ISPs and network operators were among the first to know
of the vulnerability. Cisco, based in San Jose, Calif., quietly told
the major Internet players July 16, urging them to perform emergency
upgrades on their devices. In the next 24 hours, Cisco issued an
advisory warning the public of the vulnerability, and many security
vendors and research organizations followed suit.
Since then, network operators and IT staffs have been holding
their breath, waiting to see if crackers attacked the new flaw. So
far, the mad scramble to install patches seems to have worked.
"It was a little scary when we were hearing rumors about the
vulnerability, but Cisco hadn't disclosed it yet," Guardent's Kaplan
said. "But Cisco really stepped up and took care of