Of the three chosen exploits, the one involving SNMP gave our IPS vendors the most trouble, though we ran into problems with all three of them on some devices.

The SNMP exploit is a simple one. Many versions of Cisco IOS, from 12.0 through 12.3, will reboot when a valid SNMP message, such as a GET or SET, is sent to a destination port expecting an unsolicited message, such as a TRAP.

For example, a GET query normally goes to UDP destination port 161. If an attacker instead sends a perfectly well-formed SNMP query to port 162 (the TRAP port), vulnerable versions of IOS will reboot. Because reboot time on some devices runs into the minutes, even an attack at a very low rate could keep a vulnerable router, switch or access point off the network.

Cisco announced and patched the vulnerability in May 2004. Considering the exploit’s age and high profile, we expected all IPS systems to detect and block it without incident. To make sure that our ThreatEx tool was firing a valid attack, we tracked down a vulnerable version of IOS, loaded it up on a Cisco router and proceeded to crash it repeatedly.

Only the TippingPoint 5000E spotted the exploit in initial testing. The other five all missed it. In several cases, vendors asked us for a traffic capture, so they could write a signature.