This Dokument shows how to protect a Cisco IOS 12.3(T) Router with Control-Plane-Policing (CPP) against high load caused by an attack.<\/p>\n
The Situation<\/strong> The Result<\/strong> The Solution (one of many possible)<\/strong> First we define the traffic to police:<\/p>\n Then, the class-map and policy-map is defined:<\/p>\n Last, the policy-map is applied to the control-plane:<\/p>\n The complete configuration for this example:<\/p>\n The (new) Result<\/strong> The Management-Station can still ping:<\/p>\n And the load of the attacked router is reduced again (without the management-station pinging):<\/p>\n To verify that the policy is working:<\/p>\n What to do next?<\/strong> This Dokument shows how to protect a Cisco IOS 12.3(T) Router with Control-Plane-Policing (CPP) against high load caused by an attack.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[5],"tags":[162,307,358],"class_list":["post-35","post","type-post","status-publish","format-standard","hentry","category-cisco","tag-control-plane","tag-ios","tag-konfiguration"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/35","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=35"}],"version-history":[{"count":0,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/35\/revisions"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=35"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=35"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=35"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nOur router (a Cisco 1841) is under a \u201cheavy\u201d icmp-attack:<\/p>\n\n
\nC:Documents and SettingsAdministrator>ping -t -l 17500 10.0.2.2\nReply from 10.0.2.2: bytes=17500 time<10ms TTL=255\nReply from 10.0.2.2: bytes=17500 time<10ms TTL=255\nReply from 10.0.2.2: bytes=17500 time<10ms TTL=255\n<\/code><\/pre>\n\nR1#ping 10.0.2.2 size 1000 repeat 10000\n\nType escape sequence to abort.\nSending 10000, 1000-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n<\/code><\/pre>\n<\/ul>\n
\nThe Router has a relative high load:<\/p>\n\nRouter#show processes cpu sorted 1min\nCPU utilization for five seconds: 64%\/29%; one minute: 34%; five minutes: 22%\n PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process\n 60 84384 242214 348 35.03% 18.76% 11.92% 0 IP Input\n<\/code><\/pre>\n
\nConfiguration of Control-Plane-Policing:<\/p>\n\n
\n
\nRouter(config)#ip access-list extended icmp-traffic\nRouter(config-ext-nacl)#remark Host 10.0.2.11 is the Management-Station\nRouter(config-ext-nacl)#deny icmp host 10.0.2.11 any\nRouter(config-ext-nacl)#permit icmp any any\n<\/code><\/pre>\n\nRouter(config)#class-map icmp-class\nRouter(config-cmap)#match access-group name icmp-traffic\nRouter(config-cmap)#exit\nRouter(config)#policy-map cpp\nRouter(config-pmap)#class icmp-class\nRouter(config-pmap-c)#police 16000 conform-action transmit exceed-action drop\nRouter(config-pmap-c)#exit\nRouter(config-pmap)#exit\nRouter(config)#\n<\/code><\/pre>\n\nRouter(config)# control-plane\nRouter(config-cp)# service-policy input cpp\n<\/code><\/pre>\n\nclass-map match-all icmp-class\n match access-group name icmp-traffic\n!\npolicy-map cpp\n class icmp-class\n police 16000 conform-action transmit exceed-action drop\n!\nip access-list extended icmp-traffic\n remark Host 10.0.2.11 is the Management-Station\n deny icmp host 10.0.2.11 any\n permit icmp any any\n!\ncontrol-plane\n service-policy input cpp\n<\/code><\/pre>\n
\nThe two \u201cattacking\u201d Routers are policed:<\/p>\n\nR4#ping 10.0.2.2 size 1000 repeat 10000\n\nType escape sequence to abort.\nSending 10000, 1000-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:\n!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.\n!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.\n!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!\n\nR3#ping 10.0.2.2 size 1000 repeat 1000000\n\nType escape sequence to abort.\nSending 1000000, 1000-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:\n!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.\n!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.\n!.!.!.!.!.!.!.!.!..!.!.!..!.!.!..!.!.!..!.!.!\n<\/code><\/pre>\n\nR1#ping 10.0.2.2 size 1000 repeat 10000\n\nType escape sequence to abort.\nSending 1000000, 1000-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n<\/code><\/pre>\n\nRouter#show processes cpu sorted 1min\nCPU utilization for five seconds: 0%\/0%; one minute: 0%; five minutes: 1%\n PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process\n 60 152940 436711 350 0.07% 0.40% 0.55% 0 IP Input\n<\/code><\/pre>\n\nRouter#show policy-map control-plane\n Control Plane\n\n Service-policy input: cpp\n\n Class-map: icmp-class (match-all)\n 13234 packets, 11814448 bytes\n 5 minute offered rate 205000 bps, drop rate 193000 bps\n Match: access-group name icmp-traffic\n police:\n cir 16000 bps, bc 1500 bytes\n conformed 5003 packets, 1698758 bytes; actions:\n transmit\n exceeded 8231 packets, 10115690 bytes; actions:\n drop\n conformed 16000 bps, exceed 193000 bps\n\n Class-map: class-default (match-any)\n 216824 packets, 218560940 bytes\n 5 minute offered rate 43000 bps, drop rate 0 bps\n Match: any\n<\/code><\/pre>\n
\nAt the moment only ICMP is policed. But what kind of traffic do we expect? Also think about:<\/p>\n\n