On April 13th, 2015, Cisco PSIRT was made aware of multiple instances of customer disruption in a specific region caused by a denial of service attack against Cisco devices. We responded quickly to support speedy restoration for our customers.
Our ongoing investigation has shown that the storage of some Cisco devices was erased, removing both the Cisco IOS and device configuration from the non-volatile RAM. Once rebooted, these devices became non-operational, affecting connectivity to the global Internet.
Cisco PSIRT, together with other internal Cisco teams, responded to support affected customers, review configuration backups of affected devices, and to analyze all available log files and Netflow information.
At this time, we have seen a common element across all inspected devices: a combination of weak credentials and a lack of device hardening. There has been no evidence of a Cisco bug or vulnerability being exploited. Should this situation change and we discover the use of a vulnerability, Cisco will disclose in accordance with our Security Vulnerability Policy.
In today’s world, any device connected to a network will sooner or later be probed for weaknesses. And any weaknesses found will be exploited. Our advice to customers is to review their device configurations, ensure security features are enabled, and improve their ability to resist attack with the following steps:
- Review the links below on device hardening to learn about and enable available security features
- Commit to logging and monitoring suspicious activity, so that malicious activity, such as brute-force probing, can be detected early
The best current practices for device hardening and monitoring can be found at the following links:
- Cisco Guide to Harden Cisco IOS Devices – this document also covers Cisco IOS XE devices
- Cisco Guide to Harden Cisco IOS XR Devices
- Cisco Guide to Securing Cisco NX-OS Software
We believe those familiar with configuring Cisco devices for normal network operation should be able to implement these best practices with limited effort. Customers with third-party support agreements are encouraged to contact their service providers for assistance in securing their devices.
We also recommend keeping across the latest security and patching advice by subscribing to and reviewing Cisco Security Advisories. For more information, or to subscribe to receive Cisco Security advisories, please review Cisco’s Security Vulnerability Policy.
Information about currently known vulnerabilities affecting Cisco devices can be found at the Cisco Security Advisories, Responses, and Alerts page.
Cisco remains committed to the security of all Cisco customers and the Internet community at large. Cisco PSIRT is available to help customers, should the need arise, when faced with issues similar to those recently reported. If you have any information that may assist with this investigation, please contact Cisco PSIRT at firstname.lastname@example.org.