Mitigating Attacks on Cisco ME3400 Series Switches
The Cisco ME3400 switch has, by default, control plane security enabled on all UNI ports.
This automatically secures the switch and makes it difficult for attackers to affect the
switch's control plane.
The following examples use IOS 12.2(25)SEG1. (Command syntax and output might vary
slightly among IOS releases.)
CDP Flooding
For this lab, you flood the switch using CDP announcements that the Yersinia³ tool
generates.
The default configuration of the switch assigns the UNI role to all edge ports. This should
result in dropping all CDP packets arriving from a user port.
After a while, check the CPU load of the switch:
c3400#sh proc cpu
CPU utilization for five seconds: 5%/0%; one minute: 4%; five minutes: 8%
This output shows that the switch is not affected because it ignores the CDP packets. It
drops them in hardware with no impact on the CPU.
If you look at the classification statistics, you can see that the switch has classified the
incoming traffic and has seen about 49,000 CDP packets, as Example 13-16
shows.
Example 13-15 Displaying Interface Counters
c6500#sh int gigabitEthernet 2/1
GigabitEthernet2/1 is up, line protocol is up (connected)
Internet address is 10.0.2.2/30
30 second input rate 56264000 bits/sec, 109521 packets/sec
30 second output rate 172000 bits/sec, 292 packets/sec
18178263 packets input, 1169201742 bytes, 0 no buffer
797303 packets output, 59007304 bytes, 0 underruns
Example 13-16 Displaying Control Plane Security Classification Statistics
c3400#sh platform policer cpu classification
==================================================
SWITCH 1
==================================================
Feature                Bytes       Frames
==================================================
STP                    0           0
LACP                   0           0
8021X                  0           0
RSVD_STP               0           0
PVST_PLUS              8160        120
CDP                    4865954     49646
DTP                    284         4
UDLD                   0           0
PAGP                   0           0
VTP                    103         1
CISCO_L2               0           0
KEEPALIVE              0           0
CFM                    0           0
SWITCH_MAC             0           0
SWITCH_ROUTER_MAC      0           0
SWITCH_IGMP            0           0
SWITCH_L2PT            0           0
Mitigating Attacks Using CoPP 219
CDP Flooding with L2TP Tunneling
In some cases, it is desirable to bridge a port on one switch to a port on a different switch,
making the end-user devices unaware that an underlying network connects the two
switches. This, however, requires that control packets, such as CDP, STP, VTP, and others,
tunnel through the network using Layer 2 Tunneling Protocol (L2TP).
What happens if you flood the switch while it is configured in this way?
By default, when a UNI port is configured for L2TP tunneling, the switch assigns a rate
limiter to those protocols being tunneled, as Example 13-17 shows.
Example 13-17 Configuring L2TP Tunneling and Automatically Assigning a Policer
c3400#conf t
c3400(config)#int fastEthernet 0/1
c3400(config-if)#l2protocol-tunnel cdp
c3400#sh platform policer cpu interface fastEthernet 0/1
Policers assigned for CPU protection
===================================================================
Feature                Policer    Physical    Asic
                       Index      Policer     Num
===================================================================
Fa0/1
STP                    1          0           0
LACP                   2          26          0
8021X                  3          26          0
RSVD_STP               4          26          0
PVST_PLUS              5          0           0
CDP                    6          0           0
DTP                    7          26          0
UDLD                   8          26          0
PAGP                   9          26          0
VTP                    10         0           0
CISCO_L2               11         0           0
KEEPALIVE              12         0           0
CFM                    13         255         0
SWITCH_MAC             14         26          0
SWITCH_ROUTER_MAC      15         26          0
SWITCH_IGMP            16         0           0
SWITCH_L2PT            17         0           0
220 Chapter 13: Control Plane Policing
Notice that the switch has now automatically assigned policer 0 to CDP, STP, PVST, VTP,
L2, keepalives, IGMP, and L2PT.
When you repeat the attack using Yersinia CDP flooding, almost no effect occurs on the
switch because, even if it accepts the CDP packets, they are now rate-limited to an
acceptable level, as Example 13-18 shows.
These examples show that if the attacks come through the UNI ports, the switch's
automated control plane security features stop most attacks.
NOTE Using control plane security on the ME3400 works well to stop DoS attacks using the
available protocols' policers. However, keep in mind that sometimes it takes only one
packet to cause problems; therefore, implement other security functions that are available
on the switch.
Example 13-18 Switch Status During an Attack with Policers Active
c3400#sh proc cpu
CPU utilization for five seconds: 4%/0%; one minute: 5%; five minutes: 7%
c3400#sh policer cpu uni drop
=========================================
Port      In          Dropped
Name      Frames      Frames
Fa0/1     484         183857
c3400#sh policer cpu uni drop interface fastEthernet 0/1
============================
Policer assigned for Fa0/1
============================
Protocols using this policer:
"CDP" "CISCO_L2" "KEEPALIVE" "SWITCH_ROUTER_MAC" "SWITCH_IGMP"
"SWITCH_L2PT"
Policer rate: 8000 bps
In frames: 484
Dropped frames: 183857
If a customer port had been configured as an NNI port, however, all rate limiters
would have been disabled. This would leave the switch open to attack because it does
not support software-based CoPP as a last-resort defense tool.
For example, change the configuration on the port so that it is treated as an NNI port, as
Example 13-19 shows.
Now, no rate limiters are assigned to the port. (The value of 255 for a policer indicates no
rate limiting in use.)
Now, launch the same CDP attack as before, but this time you get more dramatic results (see
Example 13-20).
Example 13-19 Changing a Port Type to NNI
c3400#conf t
c3400(config)#int fastethernet0/1
c3400(config-if)#port-type nni
c3400#sh platform policer cpu interface fastEthernet 0/1
Policers assigned for CPU protection
===================================================================
Feature                Policer    Physical    Asic
                       Index      Policer     Num
===================================================================
Fa0/1
STP                    1          255         0
LACP                   2          255         0
8021X                  3          255         0
RSVD_STP               4          255         0
PVST_PLUS              5          255         0
CDP                    6          255         0
DTP                    7          255         0
UDLD                   8          255         0
PAGP                   9          255         0
VTP                    10         255         0
CISCO_L2               11         255         0
KEEPALIVE              12         255         0
CFM                    13         255         0
SWITCH_MAC             14         255         0
SWITCH_ROUTER_MAC      15         255         0
SWITCH_IGMP            16         255         0
SWITCH_L2PT            17         255         0
Example 13-20 Switch Status During an Attack with No Policers Active
c3400#sh proc cpu
CPU utilization for five seconds: 87%/21%; one minute: 31%; five minutes: 28%
03:18:81650837284: %SYS-3-CPUHOG: Task is running for (19193)msecs, more than
(2000)msecs (821/1),process = HLFM address learning process.
-Traceback= 115A3E0 447150 4477C4 47FEFC 226F3C 227610 8C2CA0 8B9268
The switch skyrockets to a high CPU, which makes it unresponsive. It also starts to lose
OSPF neighbors, which causes routing instabilities.
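The two outputs the lab relies on, the per-interface policer table and the UNI drop counters, are easy to audit automatically: any protocol whose physical policer reads 255 has no hardware protection (the NNI case above), and a port whose policer is dropping frames is under a control-plane flood. The following Python script is an added example, not code from the book or from Cisco; its sample outputs are constructed to match Examples 13-17, 13-18 and 13-19, and the column layout and the `Fa`/`Gi`/`Te` port-name prefixes are assumptions that may need adjusting for other IOS releases.

```python
"""ME3400 CPU-protection audit helpers (added example, not from the book).

Parses two outputs shown in this chapter:
  - `show platform policer cpu interface <if>`  -> which protocols are policed
  - `show policer cpu uni drop`                -> which ports are dropping frames
A physical policer of 255 means no rate limiting (the NNI case), so such a port
gives the switch CPU no hardware protection and should be reviewed.
Column layout is an assumption taken from the book's examples.
"""
import re

NO_POLICER = 255  # physical policer value the book describes as "no rate limiting"

# Constructed to match Example 13-17 (UNI port with `l2protocol-tunnel cdp`):
# tunneled protocols share policer 0, most others use policer 26, CFM is unpoliced.
UNI_POLICER_OUTPUT = """\
Policers assigned for CPU protection
===================================================================
Feature                Policer    Physical    Asic
                       Index      Policer     Num
===================================================================
Fa0/1
STP                    1          0           0
LACP                   2          26          0
8021X                  3          26          0
CDP                    6          0           0
CFM                    13         255         0
SWITCH_L2PT            17         0           0
"""

# Same port after `port-type nni`, constructed to match Example 13-19.
NNI_POLICER_OUTPUT = """\
Policers assigned for CPU protection
===================================================================
Feature                Policer    Physical    Asic
                       Index      Policer     Num
===================================================================
Fa0/1
STP                    1          255         0
LACP                   2          255         0
CDP                    6          255         0
SWITCH_L2PT            17         255         0
"""

# Drop counters constructed to match Example 13-18 (CDP flood against a UNI port).
UNI_DROP_OUTPUT = """\
=========================================
Port      In          Dropped
Name      Frames      Frames
Fa0/1     484         183857
"""

# feature name, policer index, physical policer, ASIC number
_POLICER_ROW = re.compile(r"^([A-Z0-9_]+)\s+(\d+)\s+(\d+)\s+(\d+)$")
# port name (Fa0/1, Gi0/1, ...; assumed prefixes), in frames, dropped frames
_DROP_ROW = re.compile(r"^((?:Fa|Gi|Te)\d+/\d+)\s+(\d+)\s+(\d+)$")


def parse_policer_table(text):
    """Return {feature: (policer_index, physical_policer)} from the show output."""
    table = {}
    for line in text.splitlines():
        m = _POLICER_ROW.match(line.strip())
        if m:
            table[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return table


def unpoliced_features(text):
    """Features with physical policer 255, i.e. no CPU rate limiting at all."""
    return sorted(f for f, (_, phys) in parse_policer_table(text).items()
                  if phys == NO_POLICER)


def policer_groups(text):
    """Map each physical policer to the features that share its rate (255 excluded)."""
    groups = {}
    for feature, (_, phys) in parse_policer_table(text).items():
        if phys != NO_POLICER:
            groups.setdefault(phys, []).append(feature)
    return {phys: sorted(feats) for phys, feats in groups.items()}


def parse_uni_drop(text):
    """Return {port: (in_frames, dropped_frames)} from `show policer cpu uni drop`."""
    ports = {}
    for line in text.splitlines():
        m = _DROP_ROW.match(line.strip())
        if m:
            ports[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ports


def dropping_ports(text, min_dropped=1):
    """Ports whose policer dropped at least min_dropped frames: a flood indicator."""
    return sorted(p for p, (_, dropped) in parse_uni_drop(text).items()
                  if dropped >= min_dropped)


def audit(port, policer_text, drop_text):
    """Findings for one port: unprotected protocols first, then active drops."""
    findings = [f"{port}: {feat} has no CPU policer (255)"
                for feat in unpoliced_features(policer_text)]
    if port in dropping_ports(drop_text):
        in_frames, dropped = parse_uni_drop(drop_text)[port]
        findings.append(f"{port}: policer dropped {dropped} frames, passed {in_frames}")
    return findings


if __name__ == "__main__":
    for label, text in (("UNI", UNI_POLICER_OUTPUT), ("NNI", NNI_POLICER_OUTPUT)):
        print(f"--- Fa0/1 as {label} port ---")
        for finding in audit("Fa0/1", text, UNI_DROP_OUTPUT):
            print(finding)
```

Run against the NNI output, `audit` lists every protocol as unpoliced, which is exactly the state in which Example 13-20 shows the CPU climbing to 87%; run against the UNI output, it reports only CFM as unpoliced and the 183,857 dropped CDP frames, the signature of a flood that the hardware policer absorbed.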
Summary
As switches become more powerful, conventional flooding attacks are not as effective because
the switches can easily forward huge amounts of packets with minimum load.
If an attacker decides to attack the switch itself, targeting some of the services on the control
plane or management plane, the switch becomes vulnerable. A carefully crafted attack can
take down a Cisco Catalyst 6500, even when the number of packets sent per second is
relatively low.
The solution is to use CoPP whenever possible.
CoPP exists in two variants: hardware-based and software-based CoPP.
Cisco MQC is used to define a CoPP policy. The CoPP policy identifies the traffic and
controls the amount of traffic allowed to the control plane interface.
Most modern switching platforms implement CoPP in hardware using special ASICs. This
makes it possible to stop large attacks with minimal impact on the switch.
The Catalyst 6500 switch offers several predefined hardware rate limiters, which rate-limit
traffic that cannot be controlled using regular CoPP policies.
The Metro 3400 switch uses predefined control plane security policies to control traffic to
the control plane.
Control plane security is an effective tool to stop DoS attacks because it
automatically rate-limits any attack to acceptable levels (avoiding resource starvation on
the switch). However, always remember that even allowing a single malicious packet to
enter the switch can, in some cases, be enough to cause problems. Therefore, it's always
recommended that you implement other switch security features besides just control plane
security.
References
1. Sanfilippo. hping. http://www.hping.org/.
2. Almquist, P. RFC 1716, "Towards Requirements for IP Routers." November 1994.
3. Omella and Berrueta. Yersinia. http://www.yersinia.net/.