Detections
Analytics
CISC-ND-001220 - The Cisco router must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
Information
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
The security safeguards cannot be defined at the DoD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (e.g., firewalls performing packet filtering to block DoS attacks).
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure the Cisco router to protect against known types of DoS attacks on the route processor. Implementing a CoPP policy as shown in the example below is a best practice method.Step 1: Configure ACLs specific traffic types.
R1(config)#ip access-list extended CoPP_CRITICAL
R1(config-ext-nacl)#remark our control plane adjacencies are critical
R1(config-ext-nacl)#permit ospf host x.x.x.x any
R1(config-ext-nacl)#permit ospf host x.x.x.x any
R1(config-ext-nacl)#permit pim host x.x.x.x any
R1(config-ext-nacl)#permit pim host x.x.x.x any
R1(config-ext-nacl)#permit igmp any 224.0.0.0 15.255.255.255
R1(config-ext-nacl)#permit tcp host x.x.x.x eq bgp host x.x.x.x
R1(config-ext-nacl)#deny ip any any
R1(config-ext-nacl)#exit
R1(config)#ip access-list extended CoPP_IMPORTANT
R1(config-ext-nacl)#permit tcp host x.x.x.x eq tacacs any
R1(config-ext-nacl)#permit tcp x.x.x.x 0.0.0.255 any eq 22
R1(config-ext-nacl)#permit udp host x.x.x.x any eq snmp
R1(config-ext-nacl)#permit udp host x.x.x.x eq ntp any
R1(config-ext-nacl)#deny ip any any
R1(config-ext-nacl)#exit
R1(config)#ip access-list extended CoPP_NORMAL
R1(config-ext-nacl)#remark we will want to rate limit ICMP traffic
R1(config-ext-nacl)#permit icmp any any echo
R1(config-ext-nacl)#permit icmp any any echo-reply
R1(config-ext-nacl)#permit icmp any any time-exceeded
R1(config-ext-nacl)#permit icmp any any unreachable
R1(config-ext-nacl)#deny ip any any
R1(config-ext-nacl)#exit
R1(config)#ip access-list extended CoPP_UNDESIRABLE
R1(config-ext-nacl)#remark management plane traffic that should not be received
R1(config-ext-nacl)#permit udp any any eq ntp
R1(config-ext-nacl)#permit udp any any eq snmp
R1(config-ext-nacl)#permit tcp any any eq 22
R1(config-ext-nacl)#permit tcp any any eq 23
R1(config-ext-nacl)#remark control plane traffic not configured on router
R1(config-ext-nacl)#permit eigrp any any
R1(config-ext-nacl)#permit udp any any eq rip
R1(config-ext-nacl)#deny ip any any
R1(config-ext-nacl)#exit
R1(config)#ip access-list extended CoPP_DEFAULT
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
Step 2: Configure class maps referencing each of the ACLs.
R1(config)#class-map match-all CoPP_CRITICAL
R1(config-cmap)#match access-group name CoPP_CRITICAL
R1(config-cmap)#class-map match-any CoPP_IMPORTANT
R1(config-cmap)#match access-group name CoPP_IMPORTANT
R1(config-cmap)#match protocol arp
R1(config-cmap)#class-map match-all CoPP_NORMAL
R1(config-cmap)#match access-group name CoPP_NORMAL
R1(config-cmap)#class-map match-any CoPP_UNDESIRABLE
R1(config-cmap)#match access-group name CoPP_UNDESIRABLE
R1(config-cmap)#class-map match-all CoPP_DEFAULT
R1(config-cmap)#match access-group name CoPP_DEFAULT
R1(config-cmap)#exit
Step 3: Configure a policy map referencing the configured class maps and apply appropriate bandwidth allowance and policing attributes.
R1(config)#policy-map CONTROL_PLANE_POLICY
R1(config-pmap)#class CoPP_CRITICAL
R1(config-pmap-c)#police 512000 8000 conform-action transmit exceed-action transmit
R1(config-pmap-c-police)#class CoPP_IMPORTANT
R1(config-pmap-c)#police 256000 4000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#class CoPP_NORMAL
R1(config-pmap-c)#police 128000 2000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#class CoPP_UNDESIRABLE
R1(config-pmap-c)#police 8000 1000 conform-action drop exceed-action drop
R1(config-pmap-c-police)#class CoPP_DEFAULT
R1(config-pmap-c)#police 64000 1000 conform-action transmit exceed-action drop
R1(config-pmap-c-police)#exit
R1(config-pmap-c)#exit
R1(config-pmap)#exit
Step 4: Apply the policy map to the control plane.
R1(config)#control-plane
R1(config-cp)#service-policy input CONTROL_PLANE_POLICY
R1(config-cp)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Router_Y24M07_STIG.zip
Item Details
Audit Name: DISA STIG Cisco IOS Router NDM v3r1
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-215701r961620_rule, STIG-ID|CISC-ND-001220, STIG-Legacy|SV-105287, STIG-Legacy|V-96149, Vuln-ID|V-215701
Plugin: Cisco
Control ID: 161579421f9d621f915e58b1a58938d1edc9bde1b575e96d7213bc1367e7c924