Mitigating Attacks Using CoPP
To demonstrate how CoPP can mitigate attacks, several Linux-based security assessment
tools simulated attacks against two different switching platforms, a Cisco Catalyst 6500
switch and a Cisco ME3400 Series switch:
• Cisco Catalyst 6500 switch with the Sup720 supervisor engine. This high-end
platform offers hardware- and software-based CoPP using a distributed switching
architecture.
• Cisco ME3400 Series switches. This access switch is designed for the Metro
Ethernet market and implements hardware control plane security to protect the control plane. It
does not have any software-based CoPP capabilities.
Mitigating Attacks on the Catalyst 6500 Switch
The 6500 Series switch is a modular platform, which makes it possible to upgrade line cards
and supervisors as necessary. Using the Sup720 or the Sup32 supervisors, it is possible to
implement hardware-based CoPP features to protect the central CPU. Also, if the line cards
support distributed forwarding, hardware-based CoPP is automatically implemented on the
line cards, mitigating attacks as close to the edge as possible.
By default, however, almost all the CoPP features are disabled and must be configured to
mitigate attacks.
The following examples use IOS 12.2(18)SXF. (Command syntax and output might vary
slightly between IOS releases.)
Telnet Flooding Without CoPP
To demonstrate what can happen when a Catalyst 6500 is attacked without CoPP enabled,
a flooding attack against TCP port 23 (Telnet) was started using the hping3 utility.
Running on an average PC platform with SuSe Linux, the hping3 utility generated about
110,000 pps, which would not be a problem for the 6500 in normal situations.
Example 13-10 Displaying the Status of CoPP (Catalyst 6500 Running IOS 12.2(18)SXF) (Continued)
conformed 10900 packets, 1079262 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
conformed 1000 bps, exceed 0 bps
212 Chapter 13: Control Plane Policing
However, because Telnet packets are destined to the management plane, they are forwarded
directly to the central CPU, where they are processed. In this case, the CPU responds to the
flood of incoming TCP SYN packets, which gives it little time to perform other tasks.
After a short time, the CPU load increases from its average 1 percent load to maximum
load:
c6500#sh proc cpu
CPU utilization for five seconds: 98%/41%; one minute: 94%; five minutes: 60%
At the same time, the OSPF process starts to lose adjacency with its OSPF neighbors because
no CPU cycles are available to process the incoming keepalives from the neighbors:
3w1d: %OSPF-5-ADJCHG: Process 64, Nbr 194.19.92.130 on Vlan254 from FULL to DOWN,
Neighbor Down: Dead timer expired
3w1d: %OSPF-5-ADJCHG: Process 64, Nbr 192.168.10.10 on Vlan10 from FULL to DOWN,
Neighbor Down: Dead timer expired
3w1d: %OSPF-5-ADJCHG: Process 64, Nbr 192.168.10.10 on Vlan10 from LOADING to FULL,
Loading Done
Because this switch is the main routing platform in the lab, all connectivity goes down for
about 30 seconds, which results in the disruption of all network services.
In a real production environment, this attack could have had catastrophic consequences:
with instabilities in the routing protocols, all IP traffic stops. However, a good design would
contain redundant 6500s, which would result in minimal impact if one switch goes down.
But if the attacker is able to attack one switch, would it be such a big problem to also attack
the other switch?
Telnet Flooding with CoPP
Numerous alternatives exist to protect against attacks on the management plane.
One option is to ensure that only traffic from prevalidated IP addresses is accepted (only
allow packets from the management network).
A second option is to implement a CoPP policy to protect the services on the management
plane.
In this example, a simple CoPP policy is created to protect Telnet (TCP port 23) and SSH
(TCP port 22).
First, create an access list that specifies the traffic we want to inspect:
access-list 170 permit tcp any any eq 22
access-list 170 permit tcp any any eq telnet
Then, create a class map for this traffic:
class-map match-all Mgmt
 match access-group 170
Then, create a policy map that specifies you want to rate-limit all traffic that matches class
map Mgmt to 32,000 bits per second (bps):
policy-map CoPP
 class Mgmt
  police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action drop
 class class-default
In this example, you do not specify any rate limit for other traffic (class-default), which
obviously leaves openings for other attacks against the control plane/management plane.
Using the methodology explained earlier, you need to classify everything you know about
and then rate-limit what you don't know about to safe values.
Then, attach the policy map to the control plane:
control-plane
 service-policy input CoPP
To test this, start your Telnet flooding attack again. After a short while, the CPU load goes
from 0 percent to 79 percent!
c6500#sh proc cpu
CPU utilization for five seconds: 79%/73%; one minute: 56%; five minutes: 18%
Chances are, however, that you are no longer seeing any OSPF flapping, but this is not the
result you might have expected. Looking at the statistics for the policy map on the control
plane interface, you see the following output (see Example 13-11).
Example 13-11 Displaying the Status of CoPP
c6500#sh policy-map control-plane
Control Plane Interface
Service-policy input: CoPP
Hardware Counters:
class-map: Mgmt (match-all)
Match: access-group 170
police :
32000 bps 1000 limit 1000 extended limit
Software Counters:
Class-map: Mgmt (match-all)
1502937 packets, 96187968 bytes
5 minute offered rate 2375000 bps, drop rate 2256000 bps
Match: access-group 170
police:
cir 32000 bps, bc 1500 bytes
conformed 4347 packets, 278208 bytes; action: transmit
exceeded packets, 95912448 bytes; action: drop
conformed 14000 bps, exceed 2370000 bps
Looking at the software counters, chances are that you see high values for the Mgmt class
map and lots of drops. However, the values for the hardware counters are not displayed.
Why not?
As previously explained, it is required to activate MLS QoS before any hardware
acceleration takes place:
c6500(config)#mls qos
Looking at the CPU load, you see that it has now gone down to its normal idle load:
c6500#sh proc cpu
CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 2%
Looking at the policy-map statistics for the control plane, you see that the hardware CoPP
is now active, as Example 13-12 shows.
Example 13-12 Displaying CoPP Status
c6500#sh policy-map control-plane
Control Plane Interface
Service-policy input: CoPP
Hardware Counters:
class-map: Mgmt (match-all)
Match: access-group 170
police :
32000 bps 1000 limit 1000 extended limit
Earl in slot 5 :
1245535600 bytes
5 minute offered rate 11173896 bps
aggregate-forwarded 3368992 bytes action: transmit
exceeded 1242166608 bytes action: drop
aggregate-forward 32040 bps exceed 11881608 bps
Software Counters:
Class-map: Mgmt (match-all)
49751 packets, 3184064 bytes
5 minute offered rate 30000 bps, drop rate 0 bps
Match: access-group 170
police:
cir 32000 bps, bc 1500 bytes
conformed 49783 packets, 3186112 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
conformed 30000 bps, exceed 0 bps
Class-map: class-default (match-any)
1199 packets, 161889 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: any
On line card 5, which is the supervisor line card, there have been many drops, but the traffic
forwarded to the central CPU is 32,040 bps, which is close to the rate of 32,000 bps that
you configured.
Looking at the software counters, you see that no packets have been dropped. This is correct
behavior if all the attack traffic comes through one line card.
If two attackers had been connected to two line cards, each line card would have rate-limited
the attack on its own card down to 32,000 bps. However, the sum of the traffic hitting
the software CoPP would have been about 64,000 bps. This would have been rate-limited
to 32,000 bps using software CoPP (which is done by the central CPU), but the CPU impact
would have been minimal.
TTL Expiry Attack
When a packet expires on a routing platform because its TTL reaches 0, it is required to
send an ICMP TTL Exceeded message back to the sender (RFC 1716).
This functionality can, however, be misused. If an attacker sends a flood of packets with the
TTL value set such that the packets expire on the switch, the switch is forced to generate a
large number of ICMP TTL Exceeded messages. This causes a high CPU load.
Regarding TTL expiry attacks, what is really unfortunate is that an attacker can be any number
of hops away from the target. As long as the TTL value is set to N–1 (where N is the number
of hops to the destination IP address), the packet has TTL=1 when it reaches the switch.
The switch sees that the packet has TTL=1, and forwarding it to the destination would result
in TTL=0. Therefore, it drops the packet and generates an ICMP TTL Exceeded message
to the sender. Figure 13-6 shows an example of a TTL expiry attack.
Figure 13-6 TTL Expiry Attack
[Figure: the attacker sends packets with TTL=2 toward the destination; the target receives them with TTL=1 and returns ICMP TTL Exceeded.]
As Figure 13-6 shows, the TTL expiry attack happens as follows:
1 The attacker sends a flood of TTL=2 packets with a destination IP of a device behind
the target.
2 The first router forwards the packets and reduces TTL by one.
3 The target receives the packets and drops them because forwarding them to the
destination reduces TTL to 0. It also generates ICMP TTL Exceeded packets back to
the sender.
4 If the rate of packets received is high enough, the target becomes busy processing
the TTL expired packets and can become unstable.
What happens when you flood a 6500 with crafted TTL values? In the following lab, an
attacker is one hop away from the switch, and a router on the other side of the switch is
used as the destination address of the packets. If you send a packet with TTL=2, it has
TTL=1 when it enters the switch. This results in its being dropped, and an ICMP TTL
Exceeded packet is generated.
Using hping to generate the attack, first verify that you get an ICMP TTL Exceeded packet
back from the 6500 when you set TTL=2:
hping 10.0.2.6 -t 2
HPING 10.0.2.6 (eth4 10.0.2.6): NO FLAGS are set, 40 headers + 0 data bytes
TTL 0 during transit from ip=10.0.2.2 name=UNKNOWN
Notice that you received the ICMP packet from 10.0.2.2, which is the IP address of the
input interface on the 6500.
We now start the flood attack:
hping3 10.0.2.6 -t 2 --flood
Almost immediately, the CPU load on the 6500 goes through the roof, and OSPF starts
having issues:
c6500#sh proc cpu
CPU utilization for five seconds: 99%/52%; one minute: 43%; five minutes: 18%
*Jan 15 09:50:02: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.1 on GigabitEthernet2/1
from FULL to DOWN, Neighbor Down: Dead timer expired
A short time later, BGP also starts having issues:
*Jan 15 12:58:13: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down BGP Notification sent
*Jan 15 12:58:13: %BGP-3-NOTIFICATION: sent to neighbor 10.10.10.1 4/0 (hold time
expired) 0 bytes
When looking at the interface counters, notice that you are receiving about 85,000 pps. Also
notice that you are generating about 6700 pps, most of which are ICMP TTL Exceeded
packets, as Example 13-13 shows.
Example 13-13 Displaying the Interface Counters
c6500#sh int gigabitEthernet 2/1
GigabitEthernet2/1 is up, line protocol is up (connected)
Internet address is 10.0.2.2/30
30 second input rate 42650000 bits/sec, 82825 packets/sec
30 second output rate 3973000 bits/sec, 6710 packets/sec
7383429 packets input, 474779717 bytes, 0 no buffer
618440 packets output, 45768110 bytes, 0 underruns
This type of attack cannot be mitigated using CoPP on the 6500, because it is not possible
to match TTL values using ACLs or match commands in class maps.
However, the built-in hardware rate limiters can rate-limit packets that would expire on the
switch itself.
You can configure the TTL rate limiter to pass 10 pps to the central CPU:
c6500(config)#mls rate-limit all ttl-failure 10
Immediately, the CPU load on the switch falls to 0 percent:
c6500#sh proc cpu
CPU utilization for five seconds: 0%/0%; one minute: 40%; five minutes: 30%
By looking at the MLS statistics, notice that you are receiving a high number of TTL errors.
This is consistent with the attack you are generating, as Example 13-14 shows.
Example 13-14 Displaying MLS Statistics
c6500#sh mls statistics
Statistics for Earl in Module 5
L2 Forwarding Engine
Total packets Switched : 64558040
L3 Forwarding Engine
Total packets L3 Switched : 42056495 @ 228297 pps
Total Packets Bridged : 24096196
Total Packets FIB Switched : 4091
Total Packets ACL Routed : 0
Total Packets Netflow Switched : 0
Total Mcast Packets Switched/Routed : 219
Total ip packets with TOS changed : 797173
Total ip packets with COS changed : 0
Total non ip packets COS changed : 0
Total packets dropped by ACL : 0
Total packets dropped by Policing : 0
Total packets exceeding CIR : 0
Total packets exceeding PIR : 0
Errors
MAC/IP length inconsistencies : 0
Short IP packets received : 0
IP header checksum errors : 0
TTL failures : 17949839
MTU failures : 0
Total packets L3 Switched by all Modules: 42056495 @ 228297 pps
By looking at the interface counters, you see that you are still receiving a high number of input packets,
but the number of packets that the switch generates has been reduced dramatically, as
Example 13-15 shows.
Example 13-15 Displaying Interface Counters
c6500#sh int gigabitEthernet 2/1
GigabitEthernet2/1 is up, line protocol is up (connected)
Internet address is 10.0.2.2/30
30 second input rate 56264000 bits/sec, 109521 packets/sec
30 second output rate 172000 bits/sec, 292 packets/sec
18178263 packets input, 1169201742 bytes, 0 no buffer
797303 packets output, 59007304 bytes, 0 underruns