Cisco Applied Mitigation Bulletin

Identifying and Mitigating Exploitation of the Cisco IOS cTCP Denial of Service Vulnerability

Advisory ID: cisco-amb-20090325-ctcp

Revision 1.0

For Public Release 2009 March 25 16:00  UTC (GMT)


Cisco Response
Device-Specific Mitigation and Identification
Additional Information
Revision History
Cisco Security Procedures
Related Information

Cisco Response

This Applied Mitigation Bulletin is a companion document to the PSIRT Security Advisory Cisco IOS cTCP Denial of Service Vulnerability and provides identification and mitigation techniques that administrators can deploy on Cisco network devices.

Vulnerability Characteristics

The Cisco IOS Easy VPN Cisco Tunneling Control Protocol (cTCP) encapsulation feature contains a vulnerability in processing malicious cTCP packets. This vulnerability can be exploited remotely without authentication and without end-user interaction. Successful exploitation of this vulnerability may cause denial of service (DoS) condition. Repeated attempts to exploit this vulnerability could result in a sustained DoS condition. The attack vector for exploitation is through cTCP packets, which use TCP port 10000 as the default port. An attacker could exploit this vulnerability using spoofed packets.

This vulnerability has been assigned CVE identifier CVE-2009-0635.

Vulnerable, non-affected and fixed software information is available in the PSIRT Security Advisory:

Mitigation Technique Overview

Cisco devices provide several countermeasures for this vulnerability. Administrators are advised to consider these protection methods to be general security best practices for infrastructure devices and the traffic that transits the network. This section of the document provides an overview of these techniques.

One component of this vulnerability, cTCP server may crash when processing a series of TCP packets (Cisco bug ID CSCsr16693) can be mitigated by the Cisco ASA 5500 Series Adaptive Security Appliance, the Cisco PIX 500 Series Security Appliance, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers using TCP Intercept.

Cisco IOS NetFlow can provide visibility into network-based exploitation attempts using flow records.

Cisco IOS Software, Cisco ASA appliances, and Cisco PIX security appliances can provide visibility through counter values displayed in the output from show commands.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of this vulnerability. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Specific information about mitigation and identification is available for these devices:

Cisco IOS NetFlow

Identification: Traffic Flow Identification Using NetFlow Records

Administrators can configure Cisco IOS NetFlow on Cisco IOS routers and switches to aid in the identification of traffic flows that may be attempts to exploit this vulnerability. Administrators are advised to investigate flows to determine whether they are attempts to exploit this vulnerability or whether they are legitimate traffic flows. The attack vector for exploitation is through cTCP packets using TCP port 10000 (default port).

router#show ip cache flow
IP packet size distribution (53684999 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .331 .224 .088 .087 .022 .074 .028 .001 .000 .004 .002 .000 .000 .001

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .001 .000 .001 .032 .092 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  50 active, 65486 inactive, 5539379 added
  181719720 ager polls, 0 flow alloc failures
  Active flows timeout in 2 minutes
  Inactive flows timeout in 60 seconds
IP Sub Flow Cache, 533256 bytes
  50 active, 16334 inactive, 5539379 added, 5539379 added to flow
  0 alloc failures, 2161 force free
  1 chunk, 6 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet        5813      0.0         3    50      0.0       2.2      29.1
TCP-FTP           2968      0.0         1    49      0.0       1.6      45.4
TCP-FTPD          1826      0.0        70   843      0.0       0.6      39.2
TCP-WWW          61898      0.0        48   671      1.7      14.4      31.0
TCP-SMTP          2199      0.0         1    96      0.0       0.2      42.5
TCP-X             1719      0.0         1    42      0.0       0.0      43.6
TCP-BGP           1661      0.0         1    42      0.0       0.0      42.7
TCP-NNTP          1693      0.0         1    42      0.0       0.0      42.9
TCP-Frag             1      0.0         1    40      0.0       0.0      60.2
TCP-other      4007547      2.3         6   300     14.2       0.9      25.4
UDP-DNS          84067      0.0         4    68      0.2      26.1      48.1
UDP-NTP         138637      0.0         1    76      0.1       8.2      57.2
UDP-TFTP             4      0.0         1    28      0.0       0.0      60.3
UDP-other       529788      0.3        43   133     13.1      20.7      51.3
ICMP            491126      0.2         1    80      0.4       2.1      60.0
IGMP             71601      0.0         2    39      0.0      59.0      42.2
IPINIP               1      0.0         4   105      0.0      24.8      60.5
IPv6INIP             1      0.0         4   145      0.0      24.5      60.8
IP-other        136782      0.0        10    92      0.7      95.6      14.5
Total:         5539332      3.1         9   239     30.8       6.7      32.1

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0 Gi0/0 06 94AD 1A29     8 
Gi0/0   Gi0/1    06 081F 2710     1 
Gi0/0   Gi0/1   06 081E 2710    18 
Gi0/0   Gi0/1   06 081D 2710    10 
Gi0/0   Gi0/1   06 081C 2710    21 
Gi0/0   Gi0/1   06 081B 2710    31 
Gi0/0   Gi0/1  06 0824 2710     1 
Gi0/0    Gi0/1    11 010A 0053   210 

In the preceding example, there are multiple flows for cTCP on TCP port 10000 (hex value 2710).

This traffic is sent to addresses within the address block, which is used by affected devices. The packets in these flows may indicate an attempt to exploit this vulnerability. Administrators are advised to compare these flows to baseline utilization for cTCP traffic sent on TCP port 10000 and also investigate the flows to determine whether they are sourced from untrusted hosts or networks.

To view only the traffic flows for cTCP packets on TCP port 10000 (hex value2710), the show ip cache flow | include SrcIf|_06_.*2710 command will display the related TCP NetFlow records as shown here:

TCP Flows

router#show ip cache flow | include SrcIf|_06_.*2710
SrcIf         SrcIPaddress     DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0    Gi0/1    06 0B8F 2710     1 
Gi0/0    Gi0/1    06 0B8E 2710     1 
Gi0/0    Gi0/1    06 0B8D 2710     1 
Gi0/0    Gi0/1    06 0B8C 2710     1 
Gi0/0    Gi0/1    06 0B8B 2710     1

Cisco ASA, PIX, and FWSM Firewalls

Mitigation: Embryonic Connection Limiting with TCP Intercept

TCP Intercept can mitigate one component of the vulnerability: cTCP server may crash when processing a series of TCP packets (Cisco bug ID CSCsr16693) TCP Intercept will force connecting source endpoints to validate themselves through the use of SYN cookies. Administrator can configure this form of protection by using static NAT or static identity NAT for ASA, PIX, and FWSM firewalls. In addition, the ASA firewall and the Cisco PIX 500 Series Security Appliance may be configured to use TCP Intercept through the use of the Modular Policy Framework (MPF).

Additional information is available regarding on Static NAT, Static Identity NAT and the Modular Policy Framework.

In the following example, an embryonic connection limit of one will be set. This limit will, in effect, force simultaneous TCP connections to be validated using SYN cookies. The following commands will set an embryonic connection limit of one for connections to TCP port 10000 for hosts in the subnet. It is possible to use the MPF configuration method to set an embryonic connection timeout. The default is 30 seconds. In the following example, the policy is applied globally to all interfaces.

!-- Configure an access list that will be used to match on default cTCP traffic 
!-- to affected devices

access-list TCP-Intercept-ACL extended permit tcp any  eq 10000 

!-- Configure a class that uses the above-configured access list
!-- to match TCP packets that are destined to the port used by cTCP 

class-map TCP-Intercept-Class
 match access-list TCP-Intercept-ACL

!-- Add the above-configured "TCP-Intercept-Class" that matches
!-- TCP packets that are destined to the default port that
!-- is used by the cTCP feature to the default
!-- policy "global_policy" and use it to inspect 
!-- TCP traffic that transits the firewall

policy-map global_policy

!-- For the TCP-Intercept-Class, set the embryonic connection maximum to 1, 
!-- which will trigger SYN cookies when there is more than one simultaneous connection.

 class TCP-Intercept-Class
  set connection embryonic-conn-max 1 

!-- By default, the policy "global_policy" is applied 
!-- globally, which results in the inspection of 
!-- traffic that enters the firewall from all interfaces 

service-policy global_policy global

Additional information about connection limits is in the Preventing Network Attacks section of the Cisco Security Appliance Command Line Configuration Guide.

Identification: Threat Detection Statistics

TCP Intercept Statistics

Beginning with ASA and PIX version 8.0(4), TCP Intercept threat detection statistics are enabled by the threat-detection statistics tcp-intercept command documented in the Cisco Security Appliance Command Reference. These statistics reflect mitigation performed as a result of embryonic connection limits that are configured by static NAT, static identity NAT or by using the Modular Policy Framework (MPF). In the following example, the show threat-detection statistics top tcp-intercept command provides information on the top ten protected servers under attack.

ASA#show threat-detection statistics top tcp-intercept 
Top 10 protected servers under attack (sorted by average rate)
Monitoring window size: 30 mins    Sampling interval: 30 secs
<Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack Time)>
1 outside 12 109 22744 <various> Last: (0 secs ago)
2 outside 0 0 4 (50 secs ago)
3 outside 0 0 2 (3 mins ago)
4 outside 0 0 2 (3 mins ago)
5 outside 0 0 2 (3 mins ago)
6 outside 0 0 2 (3 mins ago)
7 outside 0 0 2 (3 mins ago)
8 outside 0 0 2 (3 mins ago)
9 outside 0 0 2 (3 mins ago)
10 outside 0 0 2 (3 mins ago)

In the preceding example, 22744 cTCP packets on TCP port 10000 that were received inbound on the interface outside have been dropped. The average rate of attack during the monitoring window was 12 packets per second, and 109 packets per second is the attack rate in the current sampling interval.

Information about configuring threat protection for the Cisco ASA 5500 Series Adaptive Security Appliance is in Configuring and Viewing Threat Statistics.

Additional Information


Revision History

Revision 1.0


Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at

Related Information

Download this document (PDF)
View Printable Version