3.1.1.2 Configure EIGRP Passive interfaces for interfaces that do not have peers

Information

EIGRP both listens on and advertises on all interfaces that have IPs in subnets that are defined as 'networks' in the EIGRP configuration.
Ensure that interfaces that do not 'face' an EIGRP peer are set to passive.

Rationale:

If an interface is set to 'passive', then EIGRP will not advertise out of that interface or listen on that interface for EIGRP neighbors. By default, all interfaces advertise via multicast to solicit EIGRP neighbors, and also listen for neighbor advertisements.

Impact:

If an interface is set to the default (ie - not passive), then an attacker can pose as an EIGRP peer, either to collect EIGRP information from advertisements or to inject bogus routes into the table. Bogus routes can then be used to DOS that subnet, or to intercept traffic to or from that subnet either to eavesdrop on conversations or to modify data in transit.

Quite often the goal of an attack of this type is to collect login credentials from a malicious copy of the target website.

Solution

If some IP interfaces have peers and some do not, set the ones with no peers to 'passive'

switch(config-if)# int vlan 1
switch(config-if)# ip passive-interface eigrp <EIGRP process number>

Default Value:

By default, passive interfaces are not configured.

See Also

https://workbench.cisecurity.org/benchmarks/6524