The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

An XCCDF Rule

Description

<VulnDiscussion>The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages. A DoS attack targeting the RP can result in excessive CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic that is destined to the RP. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic, as well as limiting traffic destined to the device. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-220428r929049_rule
Severity: High
References: CCI-001097 CCI-002385
Updated: 8 months ago

Configure the Cisco switch to protect against known types of DoS attacks on the route processor. Implementing a CoPP policy as shown in the example below is a best practice method: 

Step 1: Configure ACL specific traffic types. 

SW1(config)#ip access-list extended CoPP_CRITICAL 
SW1(config-ext-nacl)#remark our control plane adjacencies are critical SW1(config-ext-nacl)#permit ospf host x.x.x.x any 
SW1(config-ext-nacl)#permit ospf host x.x.x.x any 
SW1(config-ext-nacl)#permit pim host x.x.x.x any 
SW1(config-ext-nacl)#permit pim host x.x.x.x any 
SW1(config-ext-nacl)#permit igmp any 224.0.0.0 15.255.255.255 
SW1(config-ext-nacl)#deny ip any any 
SW1(config-ext-nacl)#exit 

SW1(config)#ip access-list extended CoPP_IMPORTANT 
SW1(config-ext-nacl)#permit tcp host x.x.x.x eq tacacs any 
SW1(config-ext-nacl)#permit tcp x.x.x.x 0.0.0.255 any eq 22 
SW1(config-ext-nacl)#permit udp host x.x.x.x any eq snmp 
SW1(config-ext-nacl)#permit udp host x.x.x.x eq ntp any 
SW1(config-ext-nacl)#deny ip any any 
SW1(config-ext-nacl)#exit 

SW1(config)#ip access-list extended CoPP_NORMAL 
SW1(config-ext-nacl)#remark we will want to rate limit ICMP traffic 
SW1(config-ext-nacl)#deny icmp any host x.x.x.x fragments
 SW1(config-ext-nacl)#permit icmp any any echo 
SW1(config-ext-nacl)#permit icmp any any echo-reply 
SW1(config-ext-nacl)#permit icmp any any time-exceeded 
SW1(config-ext-nacl)#permit icmp any any unreachable 
SW1(config-ext-nacl)#deny ip any any 
SW1(config-ext-nacl)#exit 

SW1(config)#ip access-list extended CoPP_UNDESIRABLE 
SW1(config-ext-nacl)#remark management plane traffic that should not be received 
SW1(config-ext-nacl)#permit udp any any eq ntp 
SW1(config-ext-nacl)#permit udp any any eq snmp 
SW1(config-ext-nacl)#permit tcp any any eq 22 
SW1(config-ext-nacl)#permit tcp any any eq 23 
SW1(config-ext-nacl)#remark control plane traffic not configured on switch 
SW1(config-ext-nacl)#permit eigrp any any 
SW1(config-ext-nacl)#permit udp any any eq rip 
SW1(config-ext-nacl)#deny ip any any 
SW1(config-ext-nacl)#exit 
SW1(config)#ip access-list extended CoPP_DEFAULT 
SW1(config-ext-nacl)#permit ip any any 
SW1(config-ext-nacl)#exit 

Step 2: Configure class-maps referencing each of the ACLs. 

SW1(config)#class-map match-all CoPP_CRITICAL 
SW1(config-cmap)#match access-group name CoPP_CRITICAL 
SW1(config-cmap)#class-map match-any CoPP_IMPORTANT 
SW1(config-cmap)#match access-group name CoPP_IMPORTANT 
SW1(config-cmap)#match protocol arp 
SW1(config-cmap)#class-map match-all CoPP_NORMAL 
SW1(config-cmap)#match access-group name CoPP_NORMAL 
SW1(config-cmap)#class-map match-any CoPP_UNDESIRABLE 
SW1(config-cmap)#match access-group name CoPP_UNDESIRABLE 
SW1(config-cmap)#class-map match-all CoPP_DEFAULT 
SW1(config-cmap)#match access-group name CoPP_DEFAULT 
SW1(config-cmap)#exit 

Step 3: Configure a policy-map referencing the configured class-maps and apply appropriate bandwidth allowance and policing attributes. 

SW1(config)#policy-map CONTROL_PLANE_POLICY 
SW1(config-pmap)#class CoPP_CRITICAL 
SW1(config-pmap-c)#police 512000 8000 conform-action transmit exceed-action transmit 
SW1(config-pmap-c-police)#class CoPP_IMPORTANT 
SW1(config-pmap-c)#police 256000 4000 conform-action transmit exceed-action drop 
SW1(config-pmap-c-police)#class CoPP_NORMAL 
SW1(config-pmap-c)#police 128000 2000 conform-action transmit exceed-action drop 
SW1(config-pmap-c-police)#class CoPP_UNDESIRABLE 
SW1(config-pmap-c)#police 8000 1000 conform-action drop exceed-action drop 
SW1(config-pmap-c-police)#class CoPP_DEFAULT 
SW1(config-pmap-c)#police 64000 1000 conform-action transmit exceed-action drop 
SW1(config-pmap-c-police)#exit 
SW1(config-pmap-c)#exit 
SW1(config-pmap)#exit 

Step 4: Apply the policy-map to the control plane. 

SW1(config)#control-plane 
SW1(config-cp)#service-policy input CONTROL_PLANE_POLICY 
SW1(config-cp)#end

The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

Description

Remediation - Manual Procedure