June 21, 2017

DOS Attack Protection to Reduce the Vulnerability from Cisco Switch


Data Centre Cisco Switch were found to have unresolved vulnerabilities. This vulnerability affects Cisco NX-OS Software on the following Cisco devices when they are configured for FCoE:

  1. Multilayer Director Switches,
  2. Nexus 7000 Series Switches,
  3. Nexus 7700 Series Switches.

More Information: CSCvc91729. Known Affected Releases: 8.3(0)CV(0.833). Known Fixed Releases: 8.3(0)ISH(0.62) 8.3(0)CV(0.944) 8.1(1) 8.1(0.8)S0 7.3(2)D1(0.47).


Photo by Tirza van Dijk on Unsplash


A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition when an FCoE-related process unexpectedly reloads.


This is a switch used for FCoE which provides some advantages. FCoE is highly reliable since the packet of data can arrive at the destination through fiber optics and it can reduce the number of network interface cards, cables and switches. Its vulnerability is coming from an absence of proper FCoE frame padding validation. An attacker could exploit this vulnerability by sending a stream of crafted FCoE frames to the targeted device. An exploit could allow the attacker to cause a DoS condition, which would impact FCoE traffic passing through the device. The attacker’s server must be directly connected to the FCoE interface on the device that is running Cisco NX-OS Software to exploit this vulnerability.




Photo by Start Stock Photos on



The series of switches with vulnerabilities to be exploited to create a favourable condition for DoS attacks are widely used in various organizations, industries and countries.



Photo by Glenn Carstens-Perers on Unsplash


Best Practice

The zone policies are suggested to be adopted in this case to lessen the threat of DoS due to vulnerabilities caused by the lack of the proper FCoE frame padding validation.


In conjunction with various devices like firewalls, routers and switches, not only does zoning segment divide your network into smaller controllable areas but it also control access and traffic to zones through the interfaces until access right is granted. The devices are pre-set to control the flow of traffic on the ingress interfaces from the source to the responding server.  The unwanted traffic can be filtered and even dropped before and after it enters a particular zone.


Specially assigned zone (L2, L3, external) assists in protecting the network from the traffic which is not allowed in a particular zone. For instance, you can allow the traffic entering from either an L2 interface to an L2 zone or from an L3 interface to an L3 zone, but not allow it from an L2 interface to an L3 zone. 

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.