The original report (URL not preserved in this copy) was posted to the Bugtraq mailing list. Cisco responded with the following statement, which is also archived separately (URL not preserved in this copy).
Cisco can confirm the statement made by FX from Phenoelit in his
message "Cisco IOS OSPF exploit" posted on 2003-Feb-20. The Open Shortest Path
First (OSPF) implementation in certain Cisco IOS® software versions is
vulnerable to a denial of service if it receives a flood of neighbor
announcements in which more than 255 hosts try to establish a neighbor
relationship per interface.
One workaround for this issue is to configure OSPF MD5 authentication.
This may be done per interface or per area. For more information, refer to the
Cisco documentation on configuring OSPF MD5 authentication (URL not preserved in this copy).
Another possible workaround is to apply inbound access lists that explicitly
permit only the known OSPF neighbors, as demonstrated below.
! a.b.c.x, a.b.c.y and a.b.c.z are the addresses of the legitimate OSPF neighbors
! on this interface; interface_ip is the router's own address on that interface.
! 224.0.0.5 is the AllSPFRouters group (Hellos), 224.0.0.6 the AllDRouters group.
access-list 100 permit ospf host a.b.c.x host 224.0.0.5
access-list 100 permit ospf host a.b.c.x host interface_ip
access-list 100 permit ospf host a.b.c.y host 224.0.0.5
access-list 100 permit ospf host a.b.c.y host interface_ip
access-list 100 permit ospf host a.b.c.z host 224.0.0.5
access-list 100 permit ospf host a.b.c.z host interface_ip
access-list 100 permit ospf any host 224.0.0.6
access-list 100 deny ospf any any
access-list 100 permit ip any any
! Apply the list inbound on the OSPF-facing interface: ip access-group 100 in
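The two workarounds and the threshold that makes the flood a problem, as an added example that is not part of the Cisco notice or of FX's exploit: a small Python model that parses OSPFv2 Hello packets, evaluates the access list above with first-match semantics, enforces an MD5 AuType check the way an authentication mismatch discards a packet before any neighbor state is created, and counts distinct neighbors per interface against the 255 figure from the notice. The addresses 10.0.0.1-3 and 10.0.0.254 are hypothetical stand-ins for a.b.c.x/y/z and interface_ip, 224.0.0.5 and 224.0.0.6 are the OSPF AllSPFRouters and AllDRouters groups, checksums are not verified, and the 300 attack Hellos are constructed test traffic; none of that comes from the notice.

```python
"""Offline model of the OSPF neighbor-flood workarounds (added example, not Cisco code)."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address

ALL_SPF_ROUTERS = "224.0.0.5"              # AllSPFRouters: Hellos and most OSPF traffic
ALL_D_ROUTERS = "224.0.0.6"                # AllDRouters: what DROthers send to the DR/BDR
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2  # OSPFv2 AuType values (RFC 2328, A.3.1)
MAX_SAFE_NEIGHBORS = 255                   # per-interface figure from the notice

# Hypothetical addresses standing in for the notice's a.b.c.x/y/z and interface_ip.
ALLOWED_NEIGHBORS = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
INTERFACE_IP = "10.0.0.254"


def build_hello(router_id: str, area_id: str, au_type: int) -> bytes:
    """Construct a minimal OSPFv2 Hello: 24-byte header + 20-byte fixed Hello body."""
    # mask, HelloInterval=10, Options=E, priority=1, RouterDeadInterval=40, DR, BDR
    body = struct.pack("!4sHBBI4s4s", bytes(4), 10, 0x02, 1, 40, bytes(4), bytes(4))
    header = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body),
                         ip_address(router_id).packed, ip_address(area_id).packed,
                         0, au_type)        # checksum left at 0: not verified in this model
    return header + bytes(8) + body         # 8-byte Authentication field


@dataclass(frozen=True)
class Hello:
    router_id: str
    area_id: str
    au_type: int


def parse_hello(pkt: bytes) -> Hello:
    """Parse the OSPFv2 header and require a version-2, type-1 (Hello) packet."""
    if len(pkt) < 24:
        raise ValueError("truncated OSPF header")
    ver, ptype, length, rid, aid, _csum, au_type = struct.unpack("!BBH4s4sHH", pkt[:16])
    if ver != 2 or ptype != 1:
        raise ValueError(f"not an OSPFv2 Hello (version={ver}, type={ptype})")
    if length > len(pkt):
        raise ValueError("declared length exceeds captured bytes")
    return Hello(str(ip_address(rid)), str(ip_address(aid)), au_type)


def acl_permits(src: str, dst: str) -> bool:
    """First-match evaluation of the notice's access-list 100 for an OSPF packet."""
    if src in ALLOWED_NEIGHBORS and dst in (ALL_SPF_ROUTERS, INTERFACE_IP):
        return True      # permit ospf host a.b.c.x host 224.0.0.5 / host interface_ip
    if dst == ALL_D_ROUTERS:
        return True      # permit ospf any host 224.0.0.6
    return False         # deny ospf any any


class InterfaceMonitor:
    """One interface: optional inbound ACL, optional MD5 requirement, neighbor count."""

    def __init__(self, use_acl: bool, require_md5: bool):
        self.use_acl, self.require_md5 = use_acl, require_md5
        self.neighbors: set[str] = set()

    def ingest(self, src: str, dst: str, pkt: bytes) -> str:
        if self.use_acl and not acl_permits(src, dst):
            return "acl-drop"
        hello = parse_hello(pkt)
        if self.require_md5 and hello.au_type != AUTH_MD5:
            return "auth-drop"   # AuType mismatch: discarded before neighbor state exists
        self.neighbors.add(hello.router_id)
        return "flood-alert" if len(self.neighbors) > MAX_SAFE_NEIGHBORS else "accepted"


def flood(monitor: InterfaceMonitor, dst: str, count: int = 300,
          au_type: int = AUTH_NULL) -> dict:
    """Send `count` Hellos from distinct forged sources/router IDs; return verdict counts."""
    verdicts: dict[str, int] = {}
    for i in range(count):
        src = str(ip_address("192.0.2.0") + i + 1)            # constructed attacker sources
        pkt = build_hello(str(ip_address("203.0.113.0") + i + 1), "0.0.0.0", au_type)
        verdict = monitor.ingest(src, dst, pkt)
        verdicts[verdict] = verdicts.get(verdict, 0) + 1
    return verdicts


def scenarios() -> dict:
    """Unprotected interface, ACL only (two destinations), and MD5 required."""
    return {
        "unprotected": flood(InterfaceMonitor(False, False), ALL_SPF_ROUTERS),
        "acl-hellos-to-224.0.0.5": flood(InterfaceMonitor(True, False), ALL_SPF_ROUTERS),
        "acl-hellos-to-224.0.0.6": flood(InterfaceMonitor(True, False), ALL_D_ROUTERS),
        "md5-required": flood(InterfaceMonitor(False, True), ALL_SPF_ROUTERS),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} {result}")
```

The unprotected run shows the failure mode the notice describes: the 256th distinct neighbor crosses the limit and every further Hello is an alert. The two ACL runs show both what the list buys and its limit: forged Hellos to 224.0.0.5 or to the interface address are dropped because their sources are not in the permitted set, but the list cannot restrict the source of packets addressed to 224.0.0.6, since that final permit has to stay open for DROther routers to reach the DR and BDR; the list narrows the attack surface rather than removing it. MD5 authentication drops every unauthenticated Hello regardless of destination, which is why it is the stronger of the two workarounds and worth combining with the list.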
Cisco IOS software versions 11.1 through 12.0 are subject to this
vulnerability. This bug has been resolved. The following versions of Cisco IOS
software are the first fixed releases, meaning that any subsequent releases
also contain the fix. [The fixed-release table is not reproduced in this copy.]
We would like to thank FX for his continued cooperation with us in the
spirit of responsible disclosure and working to increase awareness of security
For information on working with the Cisco PSIRT regarding potential
security issues, please see our contact information (URL not preserved in this copy).
This issue was originally reported on the Bugtraq mailing list (URL not preserved in this copy), and Cisco responded with this notice.