Safely Disabling Control Plane Activities
Some protocols can be completely disabled on access ports without having any impact on
the network. Depending on the switch architecture and software, disabling a protocol will
either completely prevent DoS attacks against this protocol or have no beneficial effect,
because the supervisor would have processed the packet anyway before dropping it. A
switch where protocols can be attacked even when they are disabled is a Catalyst 4006 with
Supervisor 3 and CatOS 8.3, for example. The only reliable way to know which case applies
to a given platform is to measure it: flood the disabled protocol in a lab and watch the
supervisor’s CPU utilization (show processes cpu on IOS); if it still climbs, the drop is
happening in software and disabling the protocol buys nothing against DoS.
When protocols cannot be disabled, the alternative is to use a VLAN ACL (VACL), which
drops all frames related to control plane activities. For example, a VACL could drop all VTP
or CDP packets sent by hosts. As such, this VACL approach is applicable to several
protocols; its actual definition is deferred until the end of this section.
Disabling STP
As shown in Chapter 3, “Attacking the Spanning Tree Protocol,” STP can and should be
disabled on an access port because an end host (workstation, printer, and so on) never sends
IEEE 802.1d or 802.1w bridge protocol data units (BPDU). This can be done with the help
of BPDU-guard, which error-disables the port as soon as a BPDU is received on it:
IOS(config)# interface FastEthernet 0/0
IOS(config-if)# spanning-tree bpduguard enable
CatOS> (enable) set spantree bpdu-guard 2/47 enable
Spantree port 2/47 bpdu guard enabled.
Chapter 3 demonstrated that a DoS attack against STP was easy to mount with Yersinia
sending 25,000 BPDU per second to a Catalyst 6500, bringing CPU utilization to 99
percent. As soon as BPDU-guard is enabled, CPU utilization returns to normal. Because
the port stays error-disabled until an administrator re-enables it, pair BPDU-guard with
errdisable recovery so that a host that briefly bridged (a virtual machine, a misconfigured
phone) does not turn into a help-desk call; the attacker is still cut off on every BPDU.

228 Chapter 14: Disabling Control Plane Protocols

Table 14-1 Control Plane Activities in a Switch (Continued)

Control Plane Activity                          Access Port                  Network Port
                                                (To an End-User Host)        (To a Switch or Router)
IPv6 Neighbor Discovery                         Only if running IPv6         Only if running IPv6
IPv6 packet forwarding on a platform where      Only if running IPv6         Only if running IPv6
IPv6 is not implemented in hardware
All management protocols: SNMP, SSH,            No (except in the Network    Yes
Telnet, and so on                               Operation Center)
Routing protocols                               No                           Yes
Disabling Link Aggregation Protocols
Chapter 11, “Information Leaks with Cisco Ancillary Protocols,” analyzes the risk linked
to using link aggregation protocols, such as Cisco PAgP or IEEE LACP. Because end-user
hosts usually do not require multiple Gbps (for most common applications), those
protocols need to be disabled. In Cisco IOS switches, this is the default setting.
IOS(config)# interface FastEthernet 0/0
IOS(config-if)# no channel-group
Switch> (enable) set port channel 2/47 mode off
Port(s) 2/47 channel mode set to off.
Disabling VTP
VTP is only useful on trunks between switches, so there’s no reason to run VTP on an
access port. Chapter 11 describes how to disable VTP on specific ports (which can only be
done with version 3 of VTP—at the time of writing not available on Cisco IOS). On IOS,
VTP advertisements are only sent and processed on trunk ports, so configuring the port as
an access port (see “Disabling DTP”) already keeps it out of VTP.
Console> (enable) set port vtp 2/47 disable
VTP is disabled on ports 2/47.
Disabling DTP
Chapter 4, “Are VLANs Safe?,” presents all issues related to VLAN technologies and DTP.
DTP must be disabled on nontrunking ports (like those facing end-user hosts). On IOS,
switchport mode access prevents the port from ever negotiating itself into a trunk; adding
switchport nonegotiate also stops the switch from transmitting DTP frames on the port.
IOS(config)# interface FastEthernet 0/0
IOS(config-if)# switchport mode access
Switch> (enable) set trunk 2/47 off
Port(s) 2/47 trunk mode set to off.
Disabling Hot Standby Router Protocol and Virtual Router Redundancy
Protocol
Chapter 9, “Is HSRP Resilient?,” and Chapter 10, “Can We Bring VRRP Down?,” explain
that Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol
(VRRP) can be protected by using an ACL, as Example 14-1 shows, to forbid hosts from sending
HSRP or VRRP packets to the switch. In Example 14-1, the addresses of the trusted routers
are 10.10.100.1 and 10.10.100.2. The HSRP lines match the version 1 group address
224.0.0.2; HSRP version 2 uses 224.0.0.102 on the same UDP port 1985, so if the routers run
version 2 the two permit lines must name that address instead, or the deny line that follows
them also drops the legitimate hellos.

Configuring Switches Without Control Plane Protocols 229
Disabling Management Protocols and Routing Protocols
All management protocols (SNMP, Telnet, SSH, and so on) are always forwarded to the
switch’s central processor when the destination IP address is any of the switch’s Layer 3
interfaces. Even a User Datagram Protocol (UDP) datagram for a nonexistent service is
forwarded to the switch processor if it is specifically addressed to one of the switch’s IP
addresses.
The only way to prevent an attacker from flooding the central processor with IP packets is
to use an ACL to drop the IP packets sent specifically to the switch (and to the directed
broadcast address of the subnet and to the limited broadcast address 255.255.255.255).
Example 14-2 describes an ACL blocking all broadcast and directed broadcast (assuming a /24
subnet) packets while still allowing DHCP.
A similar reasoning applies when routing protocols are enabled on a Layer 3 switch.
Routing protocol packets are sent to multicast group addresses, such as 224.0.0.5
and 224.0.0.6 for Open Shortest Path First (OSPF) or 224.0.0.10 for Enhanced Interior
Gateway Routing Protocol (EIGRP). As soon as a Layer 3 interface is announced by a
routing protocol (except for Border Gateway Protocol [BGP]), this interface becomes a
Example 14-1 Using an ACL to Prevent VRRP and HSRP Spoofing
IOS(config)# ip access-list extended NEITHER_VRRP_NOR_HSRP
IOS(config-ext-nacl)# remark Specific to VRRP
IOS(config-ext-nacl)# permit 112 host 10.10.100.1 host 224.0.0.18
IOS(config-ext-nacl)# permit 112 host 10.10.100.2 host 224.0.0.18
IOS(config-ext-nacl)# deny 112 any any
IOS(config-ext-nacl)# remark Specific to HSRP
IOS(config-ext-nacl)# permit udp host 10.10.100.1 host 224.0.0.2 eq 1985
IOS(config-ext-nacl)# permit udp host 10.10.100.2 host 224.0.0.2 eq 1985
IOS(config-ext-nacl)# deny udp any any eq 1985
IOS(config-ext-nacl)# permit ip any any
IOS(config-ext-nacl)# exit
IOS(config)# interface vlan 100
IOS(config-if)# ip access-group NEITHER_VRRP_NOR_HSRP in
IOS(config-if)# exit
Example 14-2 ACL to Block All Broadcast Traffic
IOS(config)# ip access-list extended NO_BROADCAST
IOS(config-ext-nacl)# remark Drop all broadcast packets except DHCP
IOS(config-ext-nacl)# permit udp any host 255.255.255.255 eq bootps
IOS(config-ext-nacl)# deny ip any host 255.255.255.255
IOS(config-ext-nacl)# deny ip any 0.0.0.255 255.255.255.0
IOS(config-ext-nacl)# permit ip any any
IOS(config-ext-nacl)# exit
member of those multicast groups. An IP ACL is enough to prevent flooding of an OSPF group
member’s addresses, as Example 14-3 shows. Such an ACL only belongs on a VLAN where no
routing neighbor is expected; on that VLAN, also make the interface passive in the routing
process (passive-interface) so that the switch itself stops sending hellos toward the hosts.
Using an ACL
As previously discussed, depending on the switch architecture, disabling a protocol might
be ineffective at mitigating a DoS attack, because it is the central processor itself that drops
the frames; the central processor therefore stays heavily loaded, and the DoS succeeds. On those
switches, the only way left to prevent DoS attacks is to rely on a MAC ACL. This ACL is hardware
assisted and drops all frames without impacting the switch’s central processor. For more
information on ACL implementation in the switches, read Chapter 16, “Wire Speed Access
Control Lists.”
This ACL drops all frames, as Example 14-4 shows (from a Catalyst 6500 with Sup 720
running 12.2(18)SXF5, which allows the specification of an Ethertype directly in
hexadecimal):
• Destined to Cisco multicast 0100.0CCC.CCCC, to prevent attacks against CDP
(Ethertype 2000 in hexadecimal), VTP (Ethertype 2003), DTP (Ethertype 2004), and
PAgP (Ethertype 0104). Strictly speaking, these four values are SNAP protocol IDs carried
under Cisco’s OUI 00-00-0C in 802.3/LLC/SNAP frames rather than Ethertypes, but the
mac access-list entry in Example 14-4 matches them in its Ethertype field.
• Destined to IEEE slow protocol 0180.C200.0002, to prevent attacks against LACP
(Ethertype 8809)
Example 14-3 ACL to Block All Packets Sent to OSPF Group Members
IOS(config)# ip access-list extended NO_OSPF
IOS(config-ext-nacl)# deny ip any host 224.0.0.5
IOS(config-ext-nacl)# deny ip any host 224.0.0.6
IOS(config-ext-nacl)# permit ip any any
IOS(config-ext-nacl)# exit
Example 14-4 Defining a MAC ACL
IOS(config)# mac access-list extended CONTROL_PROTOCOLS_ACL
IOS(config-ext-macl)# permit any host 0100.0ccc.cccc 0104 0
IOS(config-ext-macl)# permit any host 0100.0ccc.cccc 2000 0
IOS(config-ext-macl)# permit any host 0100.0ccc.cccc 2003 0
IOS(config-ext-macl)# permit any host 0100.0ccc.cccc 2004 0
IOS(config-ext-macl)# permit any host 0180.c200.0002 8809 0
IOS(config-ext-macl)# exit
IOS(config)# vlan access-map CONTROL_PROTOCOLS_MAP 10
IOS(config-access-map)# match mac address CONTROL_PROTOCOLS_ACL
IOS(config-access-map)# action drop
IOS(config-access-map)# exit
NOTE The specification of an Ethernet type, such as 2000, is not always available on all switches.
In this case, the ACL must match only on the host addresses 0100.0CCC.CCCC and
0180.C200.0002. This coarser ACL has the added benefit of completely blocking all Cisco
and IEEE control plane protocols sent to those addresses, even future or unknown ones
(UDLD, for instance, also uses 0100.0CCC.CCCC and is not listed in Example 14-4). Depending on your
configuration and security policy, you might want to use the broader ACL rather than what
Example 14-4 shows. In either case, check what the access ports are expected to carry before
filtering: Cisco IP phones learn their voice VLAN through CDP, so dropping CDP on a port
that serves a phone breaks the phone.
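As an added example (not code from the chapter), the following Python classifies constructed Ethernet frames the way Example 14-4’s MAC ACL and the NOTE’s destination-only variant would. It shows where the values the text calls Ethertypes actually sit in the frame: CDP, VTP, DTP and PAgP travel in 802.3/LLC/SNAP frames under Cisco’s OUI 00:00:0c, whereas LACP is an Ethernet II frame with Ethertype 0x8809. The frames and the source MAC are constructed; UDLD (SNAP protocol ID 0x0111) is included as a protocol the fine ACL misses and the coarse one catches, and an STP BPDU (destination 0180.C200.0000, LLC DSAP 0x42) as one neither ACL covers, which is why BPDU-guard is still needed.

```python
"""Classify Ethernet frames the way the MAC ACL of Example 14-4 and the
coarser destination-only ACL of the NOTE would. Added example, not code
from the original chapter. Sample frames are constructed by hand; the
multicast MACs and protocol IDs are the ones named in the text."""
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")   # CDP/VTP/DTP/PAgP/UDLD destination
SLOW_PROTO = bytes.fromhex("0180c2000002")    # IEEE slow protocols (LACP) destination
CISCO_OUI = bytes.fromhex("00000c")
ENCAPSULATED_OUI = bytes(3)                   # SNAP carrying a plain Ethertype
SRC = bytes.fromhex("00112233aabb")           # constructed source MAC

# Example 14-4: (destination MAC, value in the ACL's Ethertype field) -> protocol dropped
FINE_ACL = {
    (CISCO_MCAST, 0x2000): "CDP",
    (CISCO_MCAST, 0x2003): "VTP",
    (CISCO_MCAST, 0x2004): "DTP",
    (CISCO_MCAST, 0x0104): "PAgP",
    (SLOW_PROTO, 0x8809): "LACP",
}
# The NOTE's variant: match on the destination MAC only
COARSE_ACL = {CISCO_MCAST, SLOW_PROTO}


def frame_type(frame):
    """Return (dst MAC, type). For Ethernet II frames 'type' is the Ethertype;
    for 802.3/LLC/SNAP frames it is the SNAP protocol ID, which is what the
    Cisco control protocols carry under OUI 00:00:0c."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:                 # Ethernet II: the field is an Ethertype
        return dst, type_or_len
    # 802.3: the field is a length; LLC (DSAP, SSAP, control) follows, SNAP if DSAP/SSAP = 0xAA
    if frame[14:16] == b"\xaa\xaa" and len(frame) >= 22:
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui in (CISCO_OUI, ENCAPSULATED_OUI):
            return dst, pid
    return dst, None                          # plain LLC, e.g. an STP BPDU (DSAP 0x42)


def fine_match(frame):
    """Name of the protocol Example 14-4 would drop this frame for, else None."""
    return FINE_ACL.get(frame_type(frame))


def coarse_match(frame):
    """True if the destination-only ACL from the NOTE would drop the frame."""
    return frame_type(frame)[0] in COARSE_ACL


def build_cisco_snap(pid, payload=bytes(42)):
    """Constructed 802.3/LLC/SNAP frame to 01:00:0c:cc:cc:cc under OUI 00:00:0c."""
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + payload
    return CISCO_MCAST + SRC + struct.pack("!H", len(body)) + body


# Constructed sample frames
CDP_FRAME = build_cisco_snap(0x2000)
VTP_FRAME = build_cisco_snap(0x2003)
UDLD_FRAME = build_cisco_snap(0x0111)        # same destination, not listed in Example 14-4
LACP_FRAME = SLOW_PROTO + SRC + b"\x88\x09\x01" + bytes(40)
IP_FRAME = bytes.fromhex("001122334455") + SRC + b"\x08\x00" + bytes(20)
STP_FRAME = bytes.fromhex("0180c2000000") + SRC + b"\x00\x26\x42\x42\x03" + bytes(35)

if __name__ == "__main__":
    for name, frame in [("CDP", CDP_FRAME), ("UDLD", UDLD_FRAME), ("LACP", LACP_FRAME),
                        ("IPv4", IP_FRAME), ("STP", STP_FRAME)]:
        print(f"{name:5} fine={fine_match(frame)!s:5} coarse={coarse_match(frame)}")
```

The point to take from the run is the gap between the two rows: UDLD passes the fine ACL but not the coarse one, and STP passes both, so a MAC ACL built from Example 14-4 alone is not a substitute for BPDU-guard.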
To block all IP packets destined to the Layer 3 VLAN interfaces (in this case, 10.10.10.1
and 10.10.100.1), an IP ACL must also be defined. It can be as simple as what Example 14-5
shows.
The IP ACL of Example 14-5 allows only the Internet Control Message Protocol (ICMP) echo
request (for the ping command) and blocks all other packets addressed to any of the unicast
addresses (and directed broadcast addresses) of the switch. Albeit being simple, its length
Example 14-5 Defining an IP ACL
IOS(config)# ip access-list extended PACKETS_TO_CPU
IOS(config-ext-nacl)# remark Permit the PING command
IOS(config-ext-nacl)# permit icmp any any echo
IOS(config-ext-nacl)# remark Drop all packets sent to a layer 3 interface and
directed broadcast
IOS(config-ext-nacl)# deny ip any host 10.10.10.1
IOS(config-ext-nacl)# deny ip any host 10.10.10.255
IOS(config-ext-nacl)# # .... two lines per layer 3 interface
IOS(config-ext-nacl)# deny ip any host 10.10.100.1
IOS(config-ext-nacl)# deny ip any host 10.10.100.255
IOS(config-ext-nacl)# remark Drop all broadcast packets except DHCP
IOS(config-ext-nacl)# permit udp any host 255.255.255.255 eq bootps
IOS(config-ext-nacl)# deny ip any host 255.255.255.255
IOS(config-ext-nacl)# remark Specific to VRRP
IOS(config-ext-nacl)# permit 112 host 10.10.100.1 host 224.0.0.18
IOS(config-ext-nacl)# permit 112 host 10.10.100.2 host 224.0.0.18
IOS(config-ext-nacl)# deny 112 any any
IOS(config-ext-nacl)# remark Specific to HSRP
IOS(config-ext-nacl)# permit udp host 10.10.100.1 host 224.0.0.2 eq 1985
IOS(config-ext-nacl)# permit udp host 10.10.100.2 host 224.0.0.2 eq 1985
IOS(config-ext-nacl)# deny udp any any eq 1985
IOS(config-ext-nacl)# remark Specific to OSPF
IOS(config-ext-nacl)# deny ip any host 224.0.0.5
IOS(config-ext-nacl)# deny ip any host 224.0.0.6
IOS(config-ext-nacl)# remark Specific to RIP version 2
IOS(config-ext-nacl)# deny ip any host 224.0.0.9
IOS(config-ext-nacl)# remark Specific to EIGRP
IOS(config-ext-nacl)# deny ip any host 224.0.0.10
IOS(config-ext-nacl)# remark All other IP packets are allowed
IOS(config-ext-nacl)# permit ip any any
IOS(config-ext-nacl)# exit
depends on the number of Layer 3 interfaces of the switch. Defining a more generic ACL,
such as Example 14-6, has the benefit that the same ACL can be reused unchanged on other
switches when the addressing scheme allows it. In Example 14-6, assume that all
the switches’ Layer 3 interfaces are in the form of 10.10.*.1. Note that the wildcard mask
0.0.255.0 matches every address of the form 10.10.*.1, so this only works if no end host
is ever numbered .1 in a 10.10.*.0 subnet; otherwise that host becomes unreachable.
Example 14-6 Defining a More Generic IP ACL
IOS(config)# ip access-list extended PACKETS_TO_CPU
IOS(config-ext-nacl)# permit icmp any any echo
IOS(config-ext-nacl)# remark Drop all packets sent to a layer 3 interface
IOS(config-ext-nacl)# deny ip any 10.10.0.1 0.0.255.0
IOS(config-ext-nacl)# remark Drop all directed broadcast
IOS(config-ext-nacl)# deny ip any 10.10.0.255 0.0.255.0
IOS(config-ext-nacl)# remark Specific to VRRP
IOS(config-ext-nacl)# # and so on, all other lines from Example 14-5
IOS(config-ext-nacl)# exit
These access lists are then applied to all frames entering VLAN 100 and to all IP packets
destined to any Layer 3 interface of the switch:
IOS(config)# vlan filter CONTROL_PROTOCOLS_MAP vlan-list 100
IOS(config)# interface vlan 100
IOS(config-if)# ip access-group PACKETS_TO_CPU in
Two checks before applying this to a production VLAN: on Catalyst platforms a VLAN access
map drops a frame of a type it has a match clause for when that frame matches none of its
sequences, so CONTROL_PROTOCOLS_MAP needs a final sequence with no match clause and
action forward, or other non-IP frames in VLAN 100 (ARP, for one) are dropped as well; verify
the behavior on the exact platform and release before rolling it out. Second, the router ACL
is bound to interface vlan 100 only, so it has to be repeated on every user-facing VLAN
interface, while the NOC VLAN, where management access is wanted, is left without it.
NOTE Besides the protection against DoS attacks, the previous ACL also makes the switch
largely invisible: every TCP and UDP port of its Layer 3 interfaces appears as filtered to a
discovery tool such as nmap, so the switch exposes no service to the user VLAN, which
improves the network’s operational security. It still answers ping, because the ACL
deliberately permits ICMP echo, so a ping sweep does find the address; drop that line too if
the address must not respond at all, at the cost of losing an easy reachability test.
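Added example, not code from the chapter: a first-match evaluator in Python for the extended IP ACL syntax used in Examples 14-1, 14-2, 14-5 and 14-6, with a generator for the two per-interface lines that make Example 14-5 grow with the number of Layer 3 interfaces. The ACL embedded in it is Example 14-6 with the lines it elides filled in from Example 14-5; the packets evaluated are constructed. Running it confirms the behavior described above (SSH to the SVI dropped, ping allowed, rogue VRRP dropped, DHCP discover allowed, directed broadcast dropped) and surfaces two things the text does not spell out: ICMP echo replies addressed to the switch are dropped, so the switch cannot ping hosts in VLAN 100 through this ACL, and an HSRP version 2 hello to 224.0.0.102 from a trusted router is dropped by the deny udp any any eq 1985 line because the permits name only 224.0.0.2.

```python
"""First-match evaluator for the extended IP ACLs of Examples 14-1, 14-2,
14-5 and 14-6, plus a generator for the per-interface lines of Example 14-5.
Added example, not code from the original chapter; it parses only the ACE
syntax those examples use (permit/deny, protocol by name or number,
any / host A / A WILDCARD, optional 'eq PORT', ICMP type keyword).
The packets evaluated below are constructed for the demonstration."""
import ipaddress

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None = any protocol
PORTS = {"bootps": 67, "bootpc": 68}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return (predicate on int address, next index)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        h = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda a, h=h: a == h), i + 2
    base, wild = (int(ipaddress.IPv4Address(x)) for x in tokens[i:i + 2])
    # IOS wildcard mask: a 1 bit means "don't care", so compare under the inverse
    return (lambda a, b=base, w=wild: (a & ~w) == (b & ~w)), i + 2


def parse_acl(text):
    """Turn ACE lines (prompts, remarks, exit and '#' comments tolerated) into matcher dicts."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.split("# ", 1)[-1].strip()        # drop an 'IOS(config-ext-nacl)#' prompt
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        proto = PROTO[t[1]] if t[1] in PROTO else int(t[1])
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        dport = icmp_type = None
        if i < len(t) and t[i] == "eq":
            dport = PORTS.get(t[i + 1]) or int(t[i + 1])
        elif i < len(t) and t[1] == "icmp":
            icmp_type = ICMP_TYPES[t[i]]
        aces.append({"permit": t[0] == "permit", "proto": proto, "src": src, "dst": dst,
                     "dport": dport, "icmp_type": icmp_type, "text": line})
    return aces


def evaluate(aces, src, dst, proto, dport=None, icmp_type=None):
    """Return (permitted, text of the first matching ACE); implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace["proto"] not in (None, proto):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        if ace["src"](s) and ace["dst"](d):
            return ace["permit"], ace["text"]
    return False, "implicit deny"


def cpu_protection_lines(interfaces):
    """The two deny lines Example 14-5 needs per Layer 3 interface given as 'address/prefix'."""
    lines = []
    for iface in map(ipaddress.IPv4Interface, interfaces):
        lines.append(f"deny ip any host {iface.ip}")
        lines.append(f"deny ip any host {iface.network.broadcast_address}")
    return lines


# Example 14-6's generic PACKETS_TO_CPU, with the lines it elides taken from Example 14-5
PACKETS_TO_CPU = parse_acl("""
permit icmp any any echo
remark Drop all packets sent to a layer 3 interface (10.10.*.1) and directed broadcast
deny ip any 10.10.0.1 0.0.255.0
deny ip any 10.10.0.255 0.0.255.0
permit udp any host 255.255.255.255 eq bootps
deny ip any host 255.255.255.255
permit 112 host 10.10.100.1 host 224.0.0.18
permit 112 host 10.10.100.2 host 224.0.0.18
deny 112 any any
permit udp host 10.10.100.1 host 224.0.0.2 eq 1985
permit udp host 10.10.100.2 host 224.0.0.2 eq 1985
deny udp any any eq 1985
deny ip any host 224.0.0.5
deny ip any host 224.0.0.6
deny ip any host 224.0.0.9
deny ip any host 224.0.0.10
permit ip any any
""")

if __name__ == "__main__":
    for pkt in [("10.10.100.50", "10.10.100.1", 6, 22, None),      # SSH to the SVI
                ("10.10.100.50", "10.10.100.1", 1, None, 8),       # ping to the SVI
                ("10.10.100.50", "10.10.100.1", 1, None, 0),       # echo reply to the SVI
                ("10.10.100.3", "224.0.0.18", 112, None, None),    # VRRP from an untrusted host
                ("10.10.100.1", "224.0.0.102", 17, 1985, None)]:   # HSRPv2 hello from a trusted router
        print(pkt, evaluate(PACKETS_TO_CPU, *pkt))
```

Feed the evaluator the exact ACE lines from the running configuration (show ip access-lists output pasted in, prompt and all) before a change window; a rule that reorders or a wildcard that is one bit off shows up here as a wrong verdict rather than as a locked-out switch.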