MCI Telecommunications
internetMCI Security Group

Report Title:          iMCI MIIGS Security Alert
Report Name:           Denial Of Service Attacks ; "pepsi"
Report Number:         iMCISE:IMCI:122796:01:P1R1
Report Date:           12/27/96
Report Format:         Formal
Report Classification: MCI Informational
Report Reference:      http://www.security.mci.net
Report Distribution:   iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file)

---------------------------------------------------------------------------

This is a follow up to an MCI Alert issued to the MCI alert list in September of this year.

ABSTRACT

MCI has identified information relating to a Denial Of Service attack program that is being used specifically to affect the service of Cisco routers. Although it could be used to affect other platforms, this alert will focus on the Cisco router exploit.

PROBLEM

The attack works by sending a stream of source-forged UDP packets to a Cisco router that accepts UDP and TCP ports 7, 9, 13, 19, and 113. When a connection is made to these ports, a small amount of priority CPU is used to service the requests. When a continuous stream of forged source IP packets is received by the Cisco, it can overwhelm the CPU, causing a slowdown of processed packets, or a failure. SYSLOG and/or Console messages will show an error message of "%SYS-3 NOPROC: Process Table Full" during an attack.

This program has been in limited distribution since September of this year, being used to affect the service of Internet connected routers. However, the code has recently been released in source code format to large sections of the Internet, and it is suspected that the number of reported attacks will be on the increase.

SOLUTION

Users can disable the effects of this attack by issuing the following configuration commands (10.2(9), 10.3(7), and 11.0(2) and all subsequent releases):

    no service udp-small-servers
    no service tcp-small-servers

If you identify an active attack, contact your routing vendor and your ISP as soon as possible. (MCI customers can report incidents to http://www.security.mci.net)

For further information, please see the following URLs:

Cisco Alert Summary:        http://www.cisco.com/warp/public/146/917_security.html
Cisco Security Guide:       http://www.cisco.com/univercd/data/doc/cintrnet/ics/icssecur.htm
DOS Attack Info:            http://www.security.mci.net/dos.html
CERT Alert on UDP Attacks:  http://www.security.mci.net/advisory.pl/CERT/CA-96.01.UDP_service_denial
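
An added example (not part of the MCI advisory and not Cisco tooling): a Python check that audits a saved router configuration for the two commands in the SOLUTION section and counts the process-table-full error from the PROBLEM section per host. The function names, sample config, sample log lines, host names, the threshold of 3, the syslog line layout, and the rule that a missing "no" line counts as a finding are assumptions made for illustration.

```python
import re
from collections import Counter

# The two mitigation commands from the advisory's SOLUTION section.
REQUIRED = ("no service udp-small-servers", "no service tcp-small-servers")
# Error text quoted in the advisory; a space or a hyphen after "SYS-3" is
# accepted (assumption about how a syslog collector renders it).
NOPROC = re.compile(r"%SYS-3[- ]NOPROC", re.IGNORECASE)


def audit_config(config_text):
    """List mitigation commands that are absent or contradicted in a config."""
    # Assumption: the release runs the small servers unless the "no" form is set.
    lines = {ln.strip().lower() for ln in config_text.splitlines()}
    findings = []
    for required in REQUIRED:
        enabled_form = required[len("no "):]
        if enabled_form in lines:
            findings.append(f"explicitly enabled: {enabled_form}")
        elif required not in lines:
            findings.append(f"not present: {required}")
    return findings


def noproc_hosts(syslog_lines, threshold=3):
    """Map host -> count for hosts logging the error at least `threshold` times."""
    counts = Counter()
    for line in syslog_lines:
        fields = line.split()
        # Assumed layout: "Mon DD HH:MM:SS host message", so the host is field 3.
        if NOPROC.search(line) and len(fields) >= 4:
            counts[fields[3]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample inputs (not captured from a real router).
SAMPLE_CONFIG = "hostname edge-rtr1\nno service udp-small-servers\nservice tcp-small-servers\n"
SAMPLE_SYSLOG = [
    "Dec 27 10:01:02 edge-rtr1 %SYS-3 NOPROC: Process Table Full",
    "Dec 27 10:01:03 edge-rtr1 %SYS-3 NOPROC: Process Table Full",
    "Dec 27 10:01:05 edge-rtr1 %SYS-3-NOPROC: Process table full",
    "Dec 27 10:01:06 edge-rtr2 %SYS-3 NOPROC: Process Table Full",
    "Dec 27 10:01:07 edge-rtr2 %LINK-3-UPDOWN: Interface Serial0, changed state to up",
]

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(noproc_hosts(SAMPLE_SYSLOG))
```

A repeated error from one host within a short window is the signal to check that router's configuration first and then escalate to the vendor and ISP as the advisory directs.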