Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft, Cisco Finally Patch TCP DoS Flaw

kdawson posted about 5 years ago | from the who-needs-a-botnet dept.

Microsoft 114

Trailrunner7 writes "Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."

cancel ×

114 comments

Sorry! There are no comments related to the filter you selected.

very, very old vulnerability (4, Funny)

neko the frog (94213) | about 5 years ago | (#29357733)

I mean, Robert E. Lee has been dead for *decades*.

Re:very, very old vulnerability (0, Offtopic)

palegray.net (1195047) | about 5 years ago | (#29357907)

It must have taken an army [wikipedia.org] of coders to fix these flaws.

Re:very, very old vulnerability (0)

Anonymous Coward | about 5 years ago | (#29358077)

Well, I'm glad to know it took an army to finally patch DOS and make it the leading OS again.

Re:very, very old vulnerability (1)

masshuu (1260516) | about 5 years ago | (#29361245)

It might take an army to fix a DOS vulnerability, but it only takes 1 to initiate a DoS attack

Re:very, very old vulnerability (2, Funny)

UncleTogie (1004853) | about 5 years ago | (#29358639)

It must have taken an army of coders to fix these flaws.

It was easy. They had confederates!

cotton niggers, sand niggers, rice niggers (-1, Troll)

Anonymous Coward | about 5 years ago | (#29357811)

kill all niggers

Re:cotton bots, sand bots, rice bots (1, Offtopic)

Nethead (1563) | about 5 years ago | (#29358901)

Kill all humans!

Re:cotton bots, sand bots, rice bots (0, Offtopic)

Tubal-Cain (1289912) | about 5 years ago | (#29360093)

Let's not. They're entertaining.

Hey things take time. (4, Funny)

palegray.net (1195047) | about 5 years ago | (#29357833)

Just think of all the meetings that had to be convened, coffee brewed, dinners expensed discussing the potential impact of these flaws, input from the legal department on the cost of fixing the bug versus potential liability including agreement to the shrinkwrap license that absolves MS of any liability unless a judge someday says otherwise, reading the tea leaves, God the list goes on and on.

I'm proud of them for releasing this fix in such a timely fashion.

Re:Hey things take time. (5, Insightful)

thePowerOfGrayskull (905905) | about 5 years ago | (#29358307)

Alternatively, just think of what would have happened if either of those giants had released a patch for something as fundamental as the TCP stack that introduced a new bug or worse hole; then automatically pushed it to millions of users. A year might be excessive, but considering the size of their userbases... I can understand it.

Re:Hey things take time. (3, Insightful)

ThePhilips (752041) | about 5 years ago | (#29358973)

Yes, absolutely. TCP is so complicated that only few engineers know precisely how it works and can patch the flaw. And probably it also lacks test tools. OMG. I'm so happy that it took them only a year.

/sarcams

WTF. Get real. TCP is studied and implemented as a lab assignment now in pretty much every university by all who in any way relate to network programming. Test tools and analyzers are abundant (both hardware and software) and can simulate pretty much any kind of load. There are even commercial companies selling (at size of MS and Cisco) for pennies ready suits of test cases for TCP.

Longest way: rent an analyzer (2-4 weeks longest for it to get shipped to your office), buy a suit of test cases (0 days), run the tests (1-2 days, normally less), patch the hole (1-2 days), rerun the tests (1-2 days). IOW, if they really cared, they could have released a patch within 2-3 weeks. Heck, I have seen people implementing basic TCP quicker than that.

This is simply another display of arrogance on part of big vendors. Nothing new here. Move on.

Re:Hey things take time. (5, Insightful)

Anonymous Coward | about 5 years ago | (#29359675)

WTF. Get real. TCP is studied and implemented as a lab assignment now ...

Your point that TCP programming is practiced in abundance is well taken, but my experience has taught me that anything related to network programming in general, and TCP/IP implementations in particular (particularly where interoperability between your product and TCP stacks you've never seen before is concerned) is astoundingly difficult, and that anyone who believes that they've got all the bases covered, that they've foreseen everything that could go wrong, and that they're in the clear because their tests indicates that all their stuff is RFC-compliant will be the first to get their asses kicked hard after they release their product.

Re:Hey things take time. (1)

ThePhilips (752041) | about 5 years ago | (#29360139)

True. (Wouldn't lie - I personally implemented in past only about 50% of TCP.)

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

Cisco IIRC also uses FreeBSD TCP implementation.

In other words, I still fail to see the problem: likewise they could have lifted the solution for the problem from the very same source where from they took their TCP implementation originally.

If I'm not mistaken, the problem was fixed last October in Linux. I doubt it took BSD folks longer.

Re:Hey things take time. (2, Informative)

anss123 (985305) | about 5 years ago | (#29362333)

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

Um, no. They took a streams BSD stack for Windows NT 3.1, but they didn't like streams for some reason and implemented their own a sockets based stack for NT3.5. See: http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357 [kuro5hin.org]

Re:Hey things take time. (1)

MarkKB (845289) | about 5 years ago | (#29363019)

STREAMS was always meant to be a temporary solution - it was slow and clunky, but it served as a stopgap while Microsoft worked on their own TCP stack.

Incidentally, when they ported STREAMS, they also ported the command line tools ("ftp", ect)that came with them, which were themselves ports of BSD's command line tools. Since the programs worked, they saw no reason to replace them.

Of course, when the tech press discovered they were ports (via disassembly, IIRC), they went crazy about it, as tech press does. And thus was born the myth that Windows NT's network stack was based on BSD's.

(Of course, all this is moot since Microsoft completely rewrote the network stack in Vista.)

Re:Hey things take time. (2, Interesting)

shutdown -p now (807394) | about 5 years ago | (#29363097)

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

It's also fairly well known that TCP/IP stack was rewritten from scratch in Vista/Win2008, with no BSD code left. So this doesn't seem to be relevant.

Re:Hey things take time. (0)

Anonymous Coward | about 5 years ago | (#29368835)

True. (Wouldn't lie - I personally implemented in past only about 50% of TCP.)

Try the remaining 50%. It gets harder somewhere around 77%.

Somewhere slightly above that point you can also get more understanding of this problem and why the grand-grandparent comment is totally irrelevant.

Re:Hey things take time. (1)

ClosedSource (238333) | about 5 years ago | (#29360011)

How comprehensive are these TCP "lab assignments" and are students allowed only RFCs as a reference?

Re:Hey things take time. (1)

ThePhilips (752041) | about 5 years ago | (#29360221)

Sometimes they are quite comprehensive BTW as they are used further for internal research. But only sometimes.

As for RFCs, in my experience few students actually read them. TCP implementation is scattered over many STDs/RFCs and gathering them together is a pain. Most prefer to cheat using some TCP book.

What you say is a valid concern. But my point was different: no way there is a technical reason for one year delay for the fix in so well known piece of software as the TCP stack. (Which in MS's case is a verbatim copy of FreeBSD's stack.)

Re:Hey things take time. (1)

ClosedSource (238333) | about 5 years ago | (#29360347)

Well, your point seemed to be that TCP was trivial.

We don't know all the details but it seems to me that there is no reason why MS and CISCO would take a year fixing it other than a technical reason.

Re:Hey things take time. (0)

Anonymous Coward | about 5 years ago | (#29363561)

As someone who just did such an assignment just a week ago we were given the RFCs, FSM diagrams and a few pages summarising the two.

Re:Hey things take time. (0)

Anonymous Coward | about 5 years ago | (#29360197)

Yet the flaw existed. These amazing tests can't be that good.

Re:Hey things take time. (1)

rliden (1473185) | about 5 years ago | (#29360485)

If the fix was so easy then the death of Jack Louis wouldn't have hampered the patch process. TFA mentions that even though he was in good contact with others and kept good notes his death caused a big slowdown in finishing the research and patch.

It's always easy to find other peoples bugs and go on about how easy it would be to fix it. It only gets hard when you're coding the bugfix and the obvious solutions aren't fixing the problem.

More than Arrogance, Marketing. (0, Troll)

inTheLoo (1255256) | about 5 years ago | (#29361913)

Another sorry lie by M$. They fixed these things in Windows 7 RTM, but not earlier versions of Windows, so that they could lie about Windows 7 having better "security" than Vista and XP [slashdot.org] . Very simple and very evil and also very obvious. The new SMB2 failure blows their little lie up even for the most ignorant of users. M$'s reputation can't get much lower.

Re:Hey things take time. (1)

jhol13 (1087781) | about 5 years ago | (#29361367)

Yes, than God it does not affect Linux!
https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html [www.cert.fi]

Oops ... well, at least Linux fixed it promptly!

http://kbase.redhat.com/faq/docs/DOC-18730 [redhat.com]
"Due to upstream's decision not to release updates, Red Hat do not plan to release updates to resolve these issues"

Oops ... well, anyway Windows suck!

Re:Hey things take time. (1)

palegray.net (1195047) | about 5 years ago | (#29361651)

Heh, RedHat isn't Linux. They're a vendor, and a completely corporate one at that. This is why I've always stuck with Debian, for the record.

Re:Hey things take time. (1)

cowbutt (21077) | about 5 years ago | (#29363403)

Um, you know what Red Hat mean when they say 'upstream', right? That means no distribution will have the fix unless they develop one themselves, since Linus isn't including one.

Re:Hey things take time. (1)

palegray.net (1195047) | about 5 years ago | (#29370339)

That's exactly my point. Other distributions (also "not Linux") fixed the problem.

This is why we're phasing out TCP. (0)

Anonymous Coward | about 5 years ago | (#29357927)

It just takes way too long for its developers to security patch.

wowzers (0, Troll)

el_tedward (1612093) | about 5 years ago | (#29357969)

So, was this something that actually took a YEAR to figure out how to fix, or did M$ just say "Security? LOLWUT? Let's spend our billions of dollars on something else, like um.. uh.. HORSE SHIT! Yeah! We need some more horse shit to fertilize the grass outside."

Quick question i'd like answered (1)

ifwm (687373) | about 5 years ago | (#29357997)

What are MS and Cisco's legal liability here?

If they're aware of a problem for this long, and provide no fix, then aren't they totally on the hook?

They should be, but somehow, I doubt it.

Re:Quick question i'd like answered (0)

Anonymous Coward | about 5 years ago | (#29361249)

And what exactly did the theoretical vulnerability do to us? I certainly never had my machine slowed down, attacked, whatever by someone trying to exploit this. Perhaps they didn't bother to fix it for this long since it was no big deal anyway?

Re:Quick question i'd like answered (1)

ifwm (687373) | about 5 years ago | (#29370549)

"And what exactly did the theoretical vulnerability do to us?"

Cost man hours to make sure it wasn't an issue.

Which is actionable, and can be brought up in a suit.

Don't worry, you're stupid, you miss simple things, you shouldn't feel bad that you're not observant or intelligent enough to understand what others who are much smarter and more informed than you are discussing.

Better Late than never? (0, Redundant)

Monkeedude1212 (1560403) | about 5 years ago | (#29358001)

I was afraid they weren't going to patch these kinds of flaws in Vista to push Windows 7. ...

What do you mean some people still prefer XP over Vista? ...

What do you mean XP isn't being patched?

Re:Better Late than never? (4, Informative)

Anonymous Coward | about 5 years ago | (#29358097)

From the MS bulletin:

Non-Affected Software
Operating System
Windows XP Service Pack 2 and Windows XP Service Pack 3*
Windows XP Professional x64 Edition Service Pack 2*

Re:Better Late than never? (1)

Monkeedude1212 (1560403) | about 5 years ago | (#29358253)

My mistake, you may now mod me "-1 RTFA"

Re:Better Late than never? (2, Funny)

bertoelcon (1557907) | about 5 years ago | (#29359273)

You must be new here, by not RTFA you get "+1 normal /. reader".

Re:Better Late than never? (1)

SEWilco (27983) | about 5 years ago | (#29361311)

My mistake, you may now mod me "-1 RTFA"

First, code a patch for "-1 RTFA".

Re:Better Late than never? (0, Troll)

dkleinsc (563838) | about 5 years ago | (#29358429)

Well, for Windows 7 you'll just have to use the SMB packet of death [slashdot.org] instead. Which is really too bad: usually Microsoft has a much better track record on backwards compatibility.

Re:Better Late than never? (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29359179)

The BSOD exploit also works charms on Windows 2008 server. Its not just a BSOD, teardrop 2.0 now comes with remote code execution. UAC, now without those pesky popups!

Windows 7/2008, most secure OS ever, just remember not to plug them into a network.

i reall want an objective (3, Insightful)

nimbius (983462) | about 5 years ago | (#29358151)

and straightforward reason why these companies dont issue these patches sooner. "we dont have the resources" or "it just isnt hurting our bottom line yet" would be awesome to hear. i mean, if google can come out and do it then it says alot about the old guard if they cant.

Re:i reall want an objective (2, Informative)

Anonymous Coward | about 5 years ago | (#29358515)

Did you read Cisco's list [nether.net] of vulnerable hardware? It certainly takes a long time to test all of your currently supported hardware, test and release updates for all of them, many of which have multiple supported trains of software support that the fix needs to be rolled in to.

It was a joint release date (4, Informative)

Anonymous Coward | about 5 years ago | (#29359427)

Today was a joint release date. That is to say: Everyone agreed that nobody would release their fix(es) until everyone was ready.
This was done to ensure that an attacker did not reverse engineer one company's fix, and use the flaw to wreck havoc on another company's products.
 

And "Everyone" in this case includes more vendors than just Microsoft & Cisco. The firm I work for released our fix(es) for this issue today.
 

Instead of someone disclosing a security problem one month before the vendor's next scheduled patch date [slashdot.org] , wouldn't you prefer that a major remote flaw affecting hundreds of companys' products be hidden until most of them were ready to be patched?

Re:It was a joint release date (1, Insightful)

Anonymous Coward | about 5 years ago | (#29359739)

No, because I know that people who are willing to exploit the flaw already know how it works. For a start, you had to tell everyone in all the affected companies how it worked so they could fix it. And they told their sub contractors, who told some guy in India, who put in on his blog.

I'd rather reward those that fixed it fast, or told me how to work around it. And if they don't, or can't, I'd rather know about it so I can do something myself.

Put it this way, if I found out that most major manufacturers car's airbags could be remotely activated with, say, a cheap easy to build RF device, would you like me to not tell you about it for two years while the companies and their suppliers talk about it and organise to release a fix for it. All the while you are driving along not knowing that some in-the-loop terrorist is about to set of every airbag in the city, all at once?

Or would you rather I tell you so you can choose not to drive the car?

Re:It was a joint release date (0)

Anonymous Coward | about 5 years ago | (#29362639)

I rather you not brag it on everywhere so scriptkiddie dont use it to piss off people....
With YOUR fucking solution the only solution I would have is to turn off the airbag (cause no buyig a new car is not exactly a solution) and there is way bigger chance that I got in an accident than terrorists using the flaw...

You see the difference ? Giving the flaw away is a sure chance of EVERYONE being affected...Oh yeah it wil be fixed faster then what, the damage is already bigger...

Re:i reall want an objective (1)

Arainach (906420) | about 5 years ago | (#29360273)

Two reasons:

(1) Because companies have discovered that it's far better for the PC ecosystem to release patches in a coordinated system (such as "Patch Tuesday") that corporations, etc. can plan for than to release everything ASAP

(2) Because regression bugs happen, and it's important to tests hotfixes thoroughly, particularly when they affect core functionality like, say, TCP/IP networking.

Re:i reall want an objective (0)

Anonymous Coward | about 5 years ago | (#29361037)

and patch tuesday happens only once a year?

what's the point of IOS? (2, Insightful)

RelliK (4466) | about 5 years ago | (#29358185)

Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarassment.

Re:what's the point of IOS? (1, Informative)

Anonymous Coward | about 5 years ago | (#29358289)

Cisco has done this with newer platforms and code trains. Their ASA platform is based upon linux..

I think they have seen the light, but like a massive oil tanker things take time to change.

Re:what's the point of IOS? (2, Funny)

mat128 (735121) | about 5 years ago | (#29358333)

Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarassment.

you have no idea how big and dedicated the Cisco IOS is!

Re:what's the point of IOS? (1)

Paralizer (792155) | about 5 years ago | (#29358403)

Can you explain why Linux would be better suited for this?

Re:what's the point of IOS? (2, Informative)

xZgf6xHx2uhoAj9D (1160707) | about 5 years ago | (#29358643)

It's not about better suited; it's about well suited. As long as it's good enough, why not take advantage of the free maintenance all the Linux hackers do for you?

Re:what's the point of IOS? (1)

mckinleyn (1288586) | about 5 years ago | (#29358821)

Lol. Because Linux hackers are (to a corporation) incomprehensible and unreliable. They have no contract that's broken if they choose NOT to help. History (linux people fix their software pretty much always) != reliability.

Re:what's the point of IOS? (1)

xZgf6xHx2uhoAj9D (1160707) | about 5 years ago | (#29358945)

So what? Is x Linux hackers + y CISCO employees working on some code worse than y CISCO employees working on some code? If the Linux hackers don't do what you want them to do, fine, fork the code in the worst place. You're no worse off than you were just working on your own.

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29368543)

re. the "fork": Ask any professional developers you know what would they think if their company suddenly had to grab and maintain a 4.3 million SLOC codebase (~the size of 2.6 kernel) that they did not write, on their own - they will help with your misconceptions about the ease of "fork".

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29358967)

I agree that the GP's reasoning is stupid but if you have something like Linux, why not take a already well maintained kernel, add some userland tools and create a tightly integrated embedded Linux OS. The code is there so you can have your IOS guys work on kernel modifications and the like. If these companies in question aren't comfortable with Linux, there is always FreeBSD or OpenBSD, which are both equally accessible in terms of source code.

Re:what's the point of IOS? (5, Informative)

gad_zuki! (70830) | about 5 years ago | (#29359033)

First off, a lot of these embedded OSs are real time OSs. Linux vanilla isnt.

So lets say your company standardized on dd-wrt, which is popular and a solid product, but look at the recent security issue:

http://routerip/cgi-bin/;command_to_execute [routerip]

Thats right, the command goes right there and it runs as root. Thats a nightmare level security issue that CS101 students should be ashamed of, let alone from true hackers.

So imagine if linksys standardized on dd-wrt. Just clicking on http://192.168.1.1/cgi-bin/;rm-r [192.168.1.1] would destroy your router. That link could be be put everywhere on the web and would result in mass chaos.

I think a lot of companies know the quality from even the most popular OSS projects can be highly uneven and hackers are just that: hackers. They hack things together. Good design and security testing is usually an afterthought.

Re:what's the point of IOS? (1, Informative)

Anonymous Coward | about 5 years ago | (#29359701)

As if 'good design and security testing' always happens at large corporations like Cisco... right. That kind of stuff gets undercut all the time. They take the option of just waiting for the bugs to be found and patch them after the fact.

Re:what's the point of IOS? (0, Redundant)

L4t3r4lu5 (1216702) | about 5 years ago | (#29363465)

Just clicking on http://192.168.1.1/cgi-bin/;rm-r [192.168.1.1] [192.168.1.1] would destroy your router.

I don't believ

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29363615)

and most people realized that dd-wrt is trash from the start, I like linux, but I prefer using pfsense (m0n0wall fork) which has security first.

Oh, and another thing, the primary motivation behind DD-WRT these days is money. Not making something secure.

Re:what's the point of IOS? (3, Informative)

Nethead (1563) | about 5 years ago | (#29358451)

Juniper maybe? Of course if you think routers are from Linksys, Netgear, D-Link, etc. then we're not talking the same type of router.

Re:what's the point of IOS? (2, Informative)

Anonymous Coward | about 5 years ago | (#29358627)

Mind you, JUNOS is based on FreeBSD, not Linux.

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29363727)

which is just as fine
people tend to think, because theres a lot of marketing behind, that e.g. IOS is *omg teh shit super pro*
but really linux freebsd or even windows can do just the same, and with a much more simple interface (yes, IOS interface requiring years of training is horrible actually!)
there's a lot of development around needed to make a nice, stable and fast and scalable router (like with any product). i think fortinet uses linux actually for example.
i'd mention IOS has had many very important vulnerabilities, like any other software (including linux)

Re:what's the point of IOS? (1)

falzbro (468756) | about 5 years ago | (#29358535)

Cisco IOS-XR, which is not vulnerable, has a Linux kernel.

Re:what's the point of IOS? (2, Informative)

the linux geek (799780) | about 5 years ago | (#29358767)

Actually, I believe its QNX, not Linux.

Re:what's the point of IOS? (1)

falzbro (468756) | about 5 years ago | (#29358879)

Whoops, I guess I was thinking IOS-XE [cisco.com] , which is vulnerable.

Re:what's the point of IOS? (1)

Empty Threats (543523) | about 5 years ago | (#29359327)

Cisco also sells a prominent line of layer-3 switches (almost routers) based on Linux, running "NX-OS." The interface is similar to classic IOS.

(IOS-XR, however, is QNX.)

Re:what's the point of IOS? (0)

Locke2005 (849178) | about 5 years ago | (#29358805)

Linksys is owned by Cisco. Linksys makes devices that do most of what the Cisco boxes do at a fraction of the cost. If they were to switch the Cisco routers to Linux, they would effectively be telling their customers "there is no benefit to buying our high-end boxes over a Linksys router". Actually, the reason they are sticking with IOS is that people have payed and continue to pay thousands of dollars to get Cisco CCNA certification [cisco.com] . Switching to Linux would render all that training obsolete, and mean that anybody could now administer a Cisco router, instead of just highly trained professionals like Terry Childs. So, while there would be no downside for their customers if Cisco switched all their products to Linux, there would be a huge downside for Cisco's bottom line. After all, what's more important: the short term profits of your company, or the long term best interests of your customers?

Re:what's the point of IOS? (4, Insightful)

longfalcon (202977) | about 5 years ago | (#29358979)

are you kidding?

Linksys was acquired by cisco.
there is about as much difference between Linksys and cisco routers as there is between a weekend yacht and a freighter.

IOS was designed to be an enterprise embedded solution, not for some Joe Bloggs out there who needs to hook up two computers to his cable connection.

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29366495)

Nevertheless, Cisco makes a lot of (their) certifications obsolete with every new generation of devices. Entry level - Linksys and any other high level router are different right, but You can get high-end, Linux (no vanilla there) based router from Mikortik for example. Using linux as a term and not as case-in point hurts both of you. If IOS is designed so good, how come they have to do it so different that people have to get new certificates again.

Don't pull my leg, I am walking.

Re:what's the point of IOS? (3, Informative)

jcnnghm (538570) | about 5 years ago | (#29359113)

Too bad there isn't a -1 Wrong moderation. A high end Cisco router, and a Linksys consumer router are so fundamentally different that your assertion is laughable on its face. Perhaps the reason they are sticking with IOS is because their hardware and software is purpose built to shift orders of magnitudes more packets per second than LInksys Linux routers would ever be capable of? Watch out for the corporate conspiracy black helicopters though.

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29361309)

You couldn't be more wrong. A LOW END Cisco router is considerably better that a Linksys consumer router. Go do some research on a 800 Series ISR. The thing can support all kinds of features including VPN, Wifi, and EvDO interfaces.

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29362235)

Vyatta seem to think Linux is "good enough"

http://www.vyatta.com/ [vyatta.com]

Their white papers have some interesting figures for the pro-Cisco crowd to consider.

Re:what's the point of IOS? (2, Informative)

abigor (540274) | about 5 years ago | (#29359361)

No, you are completely wrong. You clearly have no experience whatsoever with Cisco hardware and have no idea what you're talking about.

Re:what's the point of IOS? (1)

L4t3r4lu5 (1216702) | about 5 years ago | (#29363481)

I know that my Cisco router is much better than my home D-Link router. The Cisco one:

- Is twice the size
- Requires storing in a wall mounted rack
-Cost two orders of magnitude more
- Has more fans

For all the noise it makes, it bloody well best be more efficient than my home router.

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29364561)

I know that my Cisco router is much better than my home D-Link router. The Cisco one:

- Is twice the size
- Requires storing in a wall mounted rack
-Cost two orders of magnitude more
- Has more fans

For all the noise it makes, it bloody well best be more efficient than my home router.

By those metrics, the IBM XT-compatible PC that is in my dad's basement is much better than the dual-core laptop I'm typing this on. The XT-compatible is at least twice the size, was much more expensive, and has more fans. The XT isn't rack-mounted, though, so maybe it's a draw.

Re:what's the point of IOS? (1)

dopodot (1559063) | about 5 years ago | (#29360609)

"IOS" has been rewritten and released half a dozen times, as NX-OS (which is Linux based), IOS-XR, IOS-XE (also Linux based), Modular IOS, and another major one in the pipeline. They all offer the same basic CLI interface that CCNA holders would be familiar with and instantly able to use.

Re:what's the point of IOS? (0)

Anonymous Coward | about 5 years ago | (#29363221)

I think my CCNA test cost $100 or something like that.

That's about what's it's worth, too, but that's besides the point.

Re:what's the point of IOS? (1)

jonnyt886 (1252670) | about 5 years ago | (#29358943)

I'd say IOS isn't just the software that runs their routers and so on, IOS is behind a product portfolio and provides Cisco with a vendor lock-in strategy (for want of a better phrase)...

Firstly, IOS is the operating system but on top of that, they can sell IOS as an individual product (even if it only comes bundled with other ones, it's good material for the marketing department) and they also have the numerous Cisco certifications that revolve around (or heavily involve) the usage of IOS.

Secondly, the lock-in thing. You train up a load of engineers to use just IOS for routers and of course the next time kit needs replacing those engineers (or their managers) will instinctively go for Cisco kit because no re-training is required. That is, of course, unless some other provider offered a product that touted benefits that outweighed these retraining costs... but I think that unlikely.

BSD (0)

Anonymous Coward | about 5 years ago | (#29359595)

Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarassment.

Juniper and Force10 use a BSD base. (As do Isilon and NetApp.)

Cisco is thought to be moving to FreeBSD as well:

http://it.toolbox.com/blogs/bsd-guru/freebsd-at-cisco-21312

All the world is not Linux.

Re:BSD (1)

dopodot (1559063) | about 5 years ago | (#29360633)

Cisco's moving towards Linux. That post is 2 years old, and they've not announced anything hinting that anything BSD will be coming out. I have a feeling they're willing to deal with the GPL (Linux) just so they don't have to adopt BSD years after Juniper did, which could be a little embarassing.

I've experiencd this bug daily in my Fortune-500. (-1, Troll)

Anonymous Coward | about 5 years ago | (#29358269)

And we can't fire administrators from Microsoft.

You see, what I like about "Free Software" is not that it costed money to buy but because the Software is not administratively held forever going back to the company that created and sold it (unlike the constant revisions from Microsoft). When that kike Richard Mathew Stallman means to say is just software that you can choose whom to maintain, and it just so happens that his Free software also costed as free if not for the CD to burn it onto.

I've been wanting to fire Microsoft from maintaining my Windows XP for a long time, but it looks more like their software is not for sale because they wouldn't sell me the code with the controlling language and dialects.

Microsoft gets an F.

Re:I've experiencd this bug daily in my Fortune-50 (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#29358499)

Did you seriously just call him a kike?

Re:I've experiencd this bug daily in my Fortune-50 (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#29358541)

And we can't fire administrators from Microsoft

FOSS developers fire their users.

Realistic impact? (1)

ACMENEWSLLC (940904) | about 5 years ago | (#29358321)

This is something the press would be screaming end of the Internet if they got their hands on it.

What's the reality? Is this easy to exploit and is the Internet going to come crashing down?

Re:Realistic impact? (1)

afidel (530433) | about 5 years ago | (#29360877)

It's like a SYN flood for most products (possible resource exhaustion) though all unpatched Vista derivatives (Vista, Server 2008, Win7, Server 2008 R2) have remote code vulnerabilities. Basically if you are upatched and someone wants to they can fill up the TCP memory on anything of yours that talks to the internet and knock that service or device offline while requiring very little resources on their part.

Windows 2000 (W2K) SP4... (3, Interesting)

antdude (79039) | about 5 years ago | (#29358507)

http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx [microsoft.com] mentioned no updates for Windows 2000 SP4 because it requires a major change in operating system (OS). If no fixes, then what will stop it? Hardware routers and/or software firewalls for those who still use it?

Re:Windows 2000 (W2K) SP4... (0)

Anonymous Coward | about 5 years ago | (#29359171)

Windows 2000 is dead. This is a trick Microsoft does to force you to upgrade to their newer, crappier, versions of Windows. I wouldn't mind upgrading to XP too much, since the only really evil thing in it is activation, but XP isn't available. I'd have to upgrade to Vista or 7, which are both very evil. Instead, I will use OpenBSD.

Free software can't play this trick, because if the author stops supporting the software, or starts adding evil features, it can just be forked.

Re:Windows 2000 (W2K) SP4... (0)

Anonymous Coward | about 5 years ago | (#29359749)

When they code these 'evil features' in, does the code turn to red as they type it?

Fellow AC: Consider Windows Server 2003, it's good (0)

Anonymous Coward | about 5 years ago | (#29360117)

"Windows 2000 is dead. This is a trick Microsoft does to force you to upgrade to their newer, crappier, versions of Windows. I wouldn't mind upgrading to XP too much, since the only really evil thing in it is activation, but XP isn't available. I'd have to upgrade to Vista or 7, which are both very evil. Instead, I will use OpenBSD" - by Anonymous Coward on Tuesday September 08, @07:17PM (#29359171)

Windows Server 2003 is the BEST Windows going, imo @ least: Much of the best of VISTA (since it IS the codebase for it, but, without the downsides, like:

1.) DRM (This one's KILLING MS imo... folks like their copied films/tunes etc. et al, & when you stop providing what folks like? They LEAVE... or, don't buy into it!)
2.) WGA (afaik, this ISN'T in it, but here? I might be "off/wrong" though - correct me if so guys, thanks)
3.) HOSTS files being unable to use 0 anymore as a blocking IP address for bad hostnames/domains (& instead now, you have to use the larger/slower 0.0.0.0 or 127.0.0.1)
4.) WFP single part defense alongside NDIS6, in VISTA onwards, which the folks @ rootkit.com are even saying is easier to "unhook & bypass" vs. the older 3 part/3 driver/3 diff. layer "greek phalanx"/"Zone Defense" pre-VISTA Windows used
5.) OpenGL ICD (this isn't SO bad, because you can get a driver from your vidcard maker that has one... but, it's bad enough, tearing out a 3d Graphical display std. that has "stood the test of time" & is easy enough to code around too, but it IS a "crippling/removal of a good feature" in an OS... &, imo @ least, only done imo to "snuff out" OpenGL in favor of DirectX 10)

(Those are some of the things that "bug me" about VISTA onwards... there are probably more, but that will do for now & that's all that "springs to mind" here on short-notice)

AND, Windows Server 2003 installs, by default, in a "WorkStation/Pro" mode, rather than full-blown server (if you need those components, e.g.-> IIS etc.? You add them, as needed, only... but, they do NOT install by default) - it's really nice!

It's MY personal "Favorite model" of Windows to date, in fact... it's the BEST of Windows XP, & Windows 2000 in the GUI as well!

(Just some "food 4 thought" for your consideration is all!)

APK

P.S.=> Just something to keep in mind... & I *THINK* why Microsoft isn't updating Windows 2000 on this, is for the very reasons you noted: To "snuff it out", so folks buy into "WGA" policed models of Windows really (from a business "POV", it does make sense though, even if I do NOT agree with it myself personally as you do not) & the fact that the Layered Service Provider (LSP) lib/dll used in Windows 2000 is RDR20.DLL, instead of the newer one used in Windows XP/Server 2003/VISTA/Server 2008/Windows 7, of MSWSOCK.DLL... that might not be ALL of it, but I wager, it is a large part of why this is going on! apk

Win2k LSP 4 TCP/IP = RDR20.DLL, others MSWSOCK.DLL (0)

Anonymous Coward | about 5 years ago | (#29359759)

I'd STRONGLY wager that the reason WHY Windows 2000 doesn't have a "fix", or an easy fix rather, is because if you look @ its LSP (Layered Service Provider List) in the registry?

The one listed for "TCP/IP" is RDR20.DLL in Windows 2000, & it's NOT THAT for Windows XP/Windows Server 2003 etc. et al (all of Win2k's descendants)... it is MSWSOCK.DLL for the later editions.

APK

P.S.=> Just a guess, but, I'd wager that has a "little something to do with it" - & that's where the problem lies (or, @ least, partially so)... apk

TCP/IP Filtering stalls this bug in Windows 2000 (2, Informative)

Anonymous Coward | about 5 years ago | (#29360367)

See subject-line, & this quote from the pages @ MS on how to "mitigate" this type of attack (easily done really):

http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx [microsoft.com]

"To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature"

I cover how to do that (& really, EVERYONE should on Windows 2000/XP/Server 2003, because it acts as another "layer" of defense, for "layered security" above & beyond std. firewalling, because it uses ipfltdrv.sys, which acts PERFECTLY FINE alongside all other defenses)

I cover a LOT of this here, & IP FILTERING'S VERY EASY TO SETUP (you may want to refer to the IANA ports list though, for YOUR particular needs, it does help):

-----

HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "Fun-to-Do", via CIS Tool Guidance (& beyond):

http://www.tcmagazine.com/forums/index.php?s=33555fc937017deab726a927c1c4a7fd&showtopic=2662 [tcmagazine.com]

(You MAY want to look @ points #3 - #5 there, they cover IP Filtering, IPSec, & more... specifically in regards to this, & protecting yourself vs. it, on Windows 2000... it SHOULD work, according to MS, & it is JUST GOOD "LAYERED SECURITY" anyhow!)

-----

Now, the IP FILTERING (ipfltdrv.sys) works PERFECTLY FINE alongside ipnat.sys (firewall driver), & ipsec.sys (IP Security Policies) too... all of them, alongside TCP FILTERING, work fine "all @ once"/"concurrently"... + of course, alongside tcpip.sys, the base IP driver)

The 3 other drivers work @ DIFFERENT LAYERS of the IP stack around tcpip.sys, making them function PRETTY MUCH like a "Zone Defense"/"Greek Phalanx", so if you take 1 down? The others are STILL IN THE WAY... it's neat - too bad MS did away with that w/ VISTA onwards now using the single layer (& thus, single "lock" only) WFP + NDIS6, which even the folks @ ROOTKIT.COM are stating is "much easier to unhook & bypass" vs. the older model whose architecture I just laid out...))

APK

P.S.=> Enjoy, that OUGHT to help you Windows 2000 folks out there, vs. this "bug"... do I think MS could fix it? Sure, but it'd "hurt business"... replace RDR20.DLL with MSWSOCK.DLL (for LSP/Layered Service Providers), the latter being what XP/Server 2003/VISTA onwards use, & it could be fixed imo... but, "that's business" for you! apk

Re:Windows 2000 (W2K) SP4... (0)

Anonymous Coward | about 5 years ago | (#29362861)

an upgrade?

Re:Windows 2000 (W2K) SP4... (0)

Anonymous Coward | about 5 years ago | (#29362899)

Upgrading from a 9 year old peice of software?

Re:Windows 2000 (W2K) SP4... (1)

fbwhrdpmtajg (1452033) | about 5 years ago | (#29362951)

Just schedule a reboot, hopefully you are transitioning away from it for critical systems since all security fixes for it will stop in 10 months anyway.

Re:Windows 2000 (W2K) SP4... (1)

paganizer (566360) | about 5 years ago | (#29362985)

1st off, I can't duplicate it for Win2k. I'm using Windows 2000 Advanced Server as my testing machine, but that really shouldn't be an issue.
2nd off, the release says the worst possible thing that can happen to Win2k is a DoS; the intense hatred microsoft has for people still using Win2k makes me think that they are possible telling an untruth.
3rd off, I'd be sort of suspicious when the same thing applies to Win2k3 also; they aren't making money from windows 2003 these days, only the operating systems that ARE drastically affected by the problem.
Regardless, with either Win2k or Win2k3, set it up right and you don't have to worry about it. TCP/IP filtering for the win. Tiny personal Firewall v2.x doesn't hurt.

DoS flaw, really? (1)

miffo.swe (547642) | about 5 years ago | (#29359355)

In Microsofts case i read the bulletin as it allows remote code execution in w2k8 and Vista. Thats very unpleasant considering it happens in the TCP/IP level and not higher up. Im no hacker but from what i can understand this exploit allows a hacker to own ANY affected system directly over the internet as long as any port on that target is accessible. I really hope im reading this wrong.

A firewall wont help at all in that case and critical is a very moderate rating indeed. Im very glad we havent upgraded to w2k8 yet.

Re:DoS flaw, really? (0)

Anonymous Coward | about 5 years ago | (#29359471)

A firewall wont help at all

Software firewalls typically operate just above the actual hardware drivers. They're able to filter packets before they ever get to the IP stack.

windows 2003 patch (1)

lakshman6 (1633861) | about 5 years ago | (#29359671)

so when can we expect a windows 2003 patch to come? anyone know the date?

Yep! (0)

Anonymous Coward | about 5 years ago | (#29360719)

Glad to see they hopped right on that!

And I should love proprietary software... WHY?

Oh yeah, because the competition pressures provide much more pressure to fix these kinds of things. NOT!

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>