This Security Response has an associated Security Advisory at:
This is Cisco's response to research presented by Robert E. Lee and
Jack Louis of Outpost24 who have announced several denial of service (DoS)
vulnerabilities that involve the manipulation of TCP state table information.
These vulnerabilities have been discussed on numerous websites and blogs,
including a presentation delivered by Lee and Louis at the T2 conference in
Helsinki, Finland on October 17, 2008.
Cisco PSIRT is aware of the vulnerabilities and is actively
investigating what impact these vulnerabilities may have on Cisco products.
PSIRT will disclose any security vulnerabilities discovered in compliance with
Cisco's security vulnerability policy:
PSIRT is working with Outpost24 and the Finnish Computer Emergency
Response Team (CERT-FI) as part of the industry response to these
vulnerabilities. An announcement from CERT-FI is available at the following
Cisco PSIRT research indicates an attacker must complete a TCP
three-way handshake to a device to successfully exploit the DoS
vulnerabilities. This requirement makes spoofing the source of an attack more
challenging. The TCP vulnerabilities that Outpost24 announced are an extension
of well-known weaknesses in the TCP protocol.
It is possible to mitigate the risk of these vulnerabilities by
allowing only trusted sources to access TCP-based services. This mitigation is
particularly important for critical infrastructure devices. PSIRT recommends
the implementation of infrastructure access control lists (IACLs) and control
plane policing (CoPP) to protect core network functionality. For more
information, reference the IACL documentation at the following links:
Information on CoPP can be found at the following links:
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at