COMMAND
CISCO
SYSTEMS AFFECTED
Cisco Local Director
PROBLEM
Bill Robbins found the following. If your Cisco Local Directors are
configured to do all-port mappings (0:0) rather than port-bound
virtuals (port-to-port mappings), you can easily DoS the Local
Director by causing the "no answer reassign" counter to surpass its
default threshold of 8.
By port scanning a 0:0 VIP where the real servers are not
listening on all ports, you can easily cause the "no answer
reassign" counter to surpass the threshold, which takes the real
machine out of service.
During non-peak times, when few valid connections are coming in,
the counter does not reset itself in time.
Once this has happened to all real servers in the VIP, the VIP
will be unresponsive. You must reset the VIP to make it active
again. This could be a harmful DoS on larger sites that have not
configured their LDs correctly.
SOLUTION
Bill has spoken to Cisco; they do realize the possibility of a DoS.
They recommend that people use port-bound virtuals, or otherwise
ensure that the VIPs are firewalled in front of the LD. Cisco
noted they did not see any special notes regarding the security
implications of not using port-bound virtuals in their latest
documentation.
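The following is an added illustration, not code from Cisco or from
the advisory: a small Python model of the "no answer reassign"
behaviour described under PROBLEM, run against both virtual types
named under SOLUTION, to show why a port sweep takes every real
behind a 0:0 virtual out of service while a port-bound virtual
drops unbound ports before they reach a real. It assumes the
counter is kept per real server, is reset by an answered connection,
and uses the stated default threshold of 8; the real server names
and port sets are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_THRESHOLD = 8  # default "no answer reassign" threshold per the advisory

@dataclass
class RealServer:
    name: str
    listening: set               # TCP ports the real server actually answers on
    no_answer: int = 0           # consecutive unanswered forwarded connections
    in_service: bool = True

@dataclass
class Vip:
    reals: list
    bound_ports: Optional[set] = None   # None models a 0:0 (all-port) virtual
    threshold: int = DEFAULT_THRESHOLD
    rr: int = 0                         # round-robin position

    def handle(self, port: int) -> str:
        """Process one inbound connection attempt; report what the LD did."""
        # Port-bound virtual: the LD has no binding for other ports, so it
        # never forwards them and a sweep of them cannot touch the counters.
        if self.bound_ports is not None and port not in self.bound_ports:
            return "dropped"
        active = [r for r in self.reals if r.in_service]
        if not active:
            return "vip-unresponsive"   # every real is already out of service
        real = active[self.rr % len(active)]
        self.rr += 1
        if port in real.listening:
            real.no_answer = 0          # assumption: an answered connection resets it
            return "served-by-" + real.name
        real.no_answer += 1
        if real.no_answer >= self.threshold:
            real.in_service = False     # threshold reached: real taken out of service
            return real.name + "-out-of-service"
        return "no-answer"

def active_reals(vip: Vip) -> int:
    return sum(1 for r in vip.reals if r.in_service)

def compare_modes(ports=range(1, 1025)) -> dict:
    """Same port sweep against a 0:0 virtual and a port-bound one; reals left up."""
    def farm():  # constructed sample farm: two reals listening on 80 and 443 only
        return [RealServer("web1", {80, 443}), RealServer("web2", {80, 443})]
    all_ports, bound = Vip(farm()), Vip(farm(), bound_ports={80, 443})
    for p in ports:
        all_ports.handle(p)
        bound.handle(p)
    return {"0:0": active_reals(all_ports), "port-bound": active_reals(bound)}
```

With the 0:0 virtual both reals are out after only 16 unanswered attempts, long before the sweep reaches the ports they do serve; the port-bound virtual keeps both in service.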