Cisco routers are vulnerable to a Denial of Service attack triggered by an NMap (a popular port scanner) UDP scan.
The following systems are affected:
Cisco IOS (tm) 4000 Software (C4000-IK2S-M), Version 12.0(2)T, Cisco IOS (tm) 2500 Software (C2500-IOS56I-L), Version 12.0(2) and versions 11.3AA, 11.3DB.
Cisco routers with IOS software version 12.0 (including 12.0T, 12.0S, etc.) were found to be vulnerable to a Denial of Service attack. This Denial of Service attack is very easy to exploit, and can be done by simply "pointing" NMap's UDP scanner to the router's syslog port (UDP port 514).
This Denial of Service can be avoided by adding rules to the access list that block incoming syslog traffic addressed to the router. A configuration along these lines does this:
! Deny all multicasts to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts (*example*; depends on local netmasks)
access-list 101 deny udp any host 192.31.7.255 eq 514
! Deny router's own addresses
access-list 101 deny udp any host eq 514
access-list 101 deny udp any host eq 514
access-list 101 deny udp any host eq 514
... etc ...
access-list 101 permit ip any any
interface
ip access-group 101 in
interface
ip access-group 101 in
... etc ...
The access list needs to block syslog traffic destined for any of the router's own IP addresses. It should be applied inbound on all interfaces running IP, including virtual interfaces and subinterfaces (but not loopback interfaces).
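As an added example (not part of the advisory), the following Python builds the access list described above from a router's interface inventory, deriving each attached subnet's directed-broadcast address from its netmask and skipping loopbacks when applying it; the interface names and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample inventory: (interface name, address/prefix length).
SAMPLE_INTERFACES = [
    ("Ethernet0", "192.31.7.1/24"),
    ("Serial0", "10.0.0.1/30"),
    ("Serial0.1", "10.0.1.1/30"),       # subinterface: also gets the ACL
    ("Loopback0", "10.255.255.1/32"),   # loopback: ACL is not applied here
]

SYSLOG_PORT = 514


def build_syslog_acl(interfaces, acl_number=101):
    """Return (acl_lines, interface_lines) for the syslog-blocking mitigation.

    acl_lines ends with 'permit ip any any'; interface_lines holds the
    'interface X' / 'ip access-group N in' pairs for every non-loopback interface.
    """
    deny = f"access-list {acl_number} deny udp any"
    acl = [
        "! Deny all multicasts to port 514",
        f"{deny} 224.0.0.0 31.255.255.255 eq {SYSLOG_PORT}",
        "! Deny old-style and limited broadcasts",
        f"{deny} host 0.0.0.0 eq {SYSLOG_PORT}",
        f"{deny} host 255.255.255.255 eq {SYSLOG_PORT}",
        "! Deny network-specific (directed) broadcasts of each attached subnet",
    ]
    own_addrs = []
    for _name, cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        own_addrs.append(str(iface.ip))
        net = iface.network
        # /31 and /32 networks have no distinct directed-broadcast address.
        if net.prefixlen < 31:
            acl.append(f"{deny} host {net.broadcast_address} eq {SYSLOG_PORT}")
    acl.append("! Deny router's own addresses")
    acl += [f"{deny} host {addr} eq {SYSLOG_PORT}" for addr in own_addrs]
    acl.append(f"access-list {acl_number} permit ip any any")

    applied = []
    for name, _cidr in interfaces:
        if name.lower().startswith("loopback"):
            continue
        applied += [f"interface {name}", f" ip access-group {acl_number} in"]
    return acl, applied


if __name__ == "__main__":
    acl_lines, iface_lines = build_syslog_acl(SAMPLE_INTERFACES)
    print("\n".join(acl_lines + iface_lines))
```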