exploits logged in Auckland
I have seen attempts to exploit the recently-announced cisco vuln on a router of my acquaintance in Auckland, starting early this morning NZST. This confirms the notes on nanog (and in the updated cisco advisory) about functional exploits being published and used in the wild.

The source addresses appear spoofed, and so far all of the hits have been received from outside NZ. The address "x.x.x.114" (see below) isn't in use on a router or anywhere else.

Presumably the k1dd13z will realise at some point that there is more dead air on the Internet than ciscos, and will start harvesting victim addresses from traceroute instead of choosing them randomly.

Is anybody contemplating customer-facing filters which block protocols 53, 54, 77 and 103?

Jul 19 01:26:52 router 3587: Jul 19 01:22:37 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 54 216.191.222.139 (FastEthernet0/1.500 0002.xxxx.xxxx) -> x.x.x.164, 1 packet
Jul 19 01:38:27 router 5320: Jul 19 01:34:12 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 53 245.128.83.9 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:38:27 router 5321: Jul 19 01:34:13 NZST: %SEC-6-IPACCESSLOGRP: list 127 denied pim 216.225.202.10 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:41:38 router 5327: .Jul 19 01:37:23 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 77 157.160.104.37 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:42:02 router 5331: .Jul 19 01:37:47 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 55 222.21.158.112 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:46:06 router 5343: .Jul 19 01:41:51 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 55 221.44.200.77 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:46:06 router 5344: .Jul 19 01:41:51 NZST: %SEC-6-IPACCESSLOGRP: list 127 denied pim 148.246.222.60 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:48:25 router 5347: .Jul 19 01:44:10 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 55 159.136.236.96 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:48:25 router 5348: .Jul 19 01:44:10 NZST: %SEC-6-IPACCESSLOGRP: list 127 denied pim 151.142.170.98 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:51:02 router 5353: Jul 19 01:46:48 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 53 172.75.88.52 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:51:02 router 5354: Jul 19 01:46:48 NZST: %SEC-6-IPACCESSLOGRP: list 127 denied pim 146.95.71.5 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:52:17 router 5359: Jul 19 01:48:02 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 53 252.40.243.114 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:52:17 router 5360: Jul 19 01:48:02 NZST: %SEC-6-IPACCESSLOGRP: list 127 denied pim 151.94.44.88 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet
Jul 19 01:52:35 router 5362: Jul 19 01:48:20 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 53 24.17.251.39 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet

Joe Abley
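
One way to tally ACL denies like those in the post per protocol and per destination, as an added example that is not part of the original post. The watch list (the protocols named in the post plus 55, which appears in its logs), the name-to-number table and the function names are assumptions.

```python
import re
from collections import Counter

# IPACCESSLOGNP carries a numeric IP protocol, IPACCESSLOGRP a protocol name.
LINE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:NP|RP): list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\S+) \((?P<iface>[^)]*)\) -> (?P<dst>[^\s,]+), (?P<count>\d+) packet"
)
PROTO_NAMES = {"pim": 103}  # IANA protocol number for PIM
# Assumption: watch the protocols named in the post plus 55, seen in its logs.
WATCHED = frozenset({53, 54, 55, 77, 103})

# Log lines copied from the post (addresses redacted as posted).
SAMPLE = [
    "Jul 19 01:26:52 router 3587: Jul 19 01:22:37 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 54 216.191.222.139 (FastEthernet0/1.500 0002.xxxx.xxxx) -> x.x.x.164, 1 packet",
    "Jul 19 01:38:27 router 5320: Jul 19 01:34:12 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 53 245.128.83.9 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet",
    "Jul 19 01:38:27 router 5321: Jul 19 01:34:13 NZST: %SEC-6-IPACCESSLOGRP: list 127 denied pim 216.225.202.10 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet",
    "Jul 19 01:41:38 router 5327: .Jul 19 01:37:23 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 77 157.160.104.37 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet",
    "Jul 19 01:42:02 router 5331: .Jul 19 01:37:47 NZST: %SEC-6-IPACCESSLOGNP: list 127 denied 55 222.21.158.112 (Serial2/2.1 DLCI xxx) -> x.x.x.114, 1 packet",
]

def parse(line):
    """Return (proto, src, iface, dst, packets), or None if not an ACL deny."""
    m = LINE.search(line)
    if not m:
        return None
    raw = m["proto"].lower()
    proto = PROTO_NAMES.get(raw, int(raw) if raw.isdigit() else None)
    if proto is None:
        return None  # protocol name with no mapping in PROTO_NAMES
    return proto, m["src"], m["iface"], m["dst"], int(m["count"])

def summarise(lines, watched=WATCHED):
    """Tally denied packets per watched protocol and per destination."""
    by_proto, by_dst, sources = Counter(), Counter(), set()
    for line in lines:
        hit = parse(line)
        if hit and hit[0] in watched:
            proto, src, _iface, dst, packets = hit
            by_proto[proto] += packets
            by_dst[dst] += packets
            sources.add(src)
    return by_proto, by_dst, sources

if __name__ == "__main__":
    protos, dsts, srcs = summarise(SAMPLE)
    print("packets by protocol:", dict(sorted(protos.items())))
    print("packets by destination:", dict(dsts), "sources:", len(srcs))
```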