Control Plane Policing: CCIE Security V4 Technology Labs Section 1: System Hardening and Availability

Control Plane Policing
Last updated: May 3, 2013

Task
Load the starting configuration files for this task.
Using Control Plane Policing, prevent R3 from being flooded with UDP DoS attack packets.
UDP packets should be limited to 16 Kbps.
Other traffic to the router should be left unimpeded.

Explanation and Verification


The router itself is susceptible to attack when UDP packets are flooded at or near line rate with the
intention of overwhelming the recipient. Transit traffic is forwarded in the fast path, but packets
addressed to one of the router's own IP addresses cannot be: they are punted to process-level
switching and handled by the IP Input process, which costs far more CPU and memory per packet. A
flood aimed at the router's own address therefore drives the CPU up even at modest packet rates.

You can begin this task by getting a baseline. Look at the CPU on R3 with nothing happening in the
network.
R3#sh processes cpu sorted
CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 1%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 114           8    296567      0  0.55%  0.54%  0.54%   0 Ethernet Msec Ti
  12          24        33    727  0.23%  0.03%  0.00%   0 Exec
 138          16     74435      0  0.15%  0.11%  0.10%   0 IPAM Manager
  66           8      2392      3  0.07%  0.02%  0.00%   0 Per-Second Jobs
 284           4     72684      0  0.07%  0.06%  0.07%   0 MMON MENG
 142         176       659    267  0.07%  0.04%  0.01%   0 IP Input
   6        3248       349   9306  0.00%  0.12%  0.11%   0 Check heaps
   7           0         1      0  0.00%  0.00%  0.00%   0 Pool Manager
   8           0         1      0  0.00%  0.00%  0.00%   0 DiscardQ Backgro
  10           4        80     50  0.00%  0.00%  0.00%   0 WATCH_AFS

Next, on the Test PC, launch a UDP flood against R3's IP address with UDP Unicorn, and look at the
CPU again while it runs.
R3#sh processes cpu sorted
CPU utilization for five seconds: 87%/29%; one minute: 65%; five minutes: 25%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 142       80924      7339  11026 55.95% 41.62% 15.64%   0 IP Input
   6        3868       407   9503  0.95%  0.21%  0.13%   0 Check heaps
 114        2420    330309      7  0.47%  0.56%  0.55%   0 Ethernet Msec Ti
  48         340      3971     85  0.31%  0.18%  0.07%   0 Net Background
 138         552     83649      6  0.15%  0.12%  0.11%   0 IPAM Manager
 301          24      2706      8  0.07%  0.00%  0.00%   0 Crypto Device Up
 284         380     82542      4  0.07%  0.08%  0.07%   0 MMON MENG
 185           4        50     80  0.07%  0.00%  0.00%   0 IP Background
   9           0         2      0  0.00%  0.00%  0.00%   0 Timers
  10           4        81     49  0.00%  0.00%  0.00%   0 WATCH_AFS
   8           0         1      0  0.00%  0.00%  0.00%   0 DiscardQ Backgro

As you can see, even this small flood has pushed the CPU up substantially. On the utilization line the
first figure is total CPU and the second is the share spent at interrupt level; the gap between 87%
and 29% is process-level work, and almost all of it sits in IP Input, the process that handles the
punted packets. Now we can deploy the policing requirements.

Control-plane policing uses the same MQC building blocks as any other QoS policy: a class-map to
classify the traffic, a policy-map that attaches a police action to that class, and a service-policy to
apply it. The difference is where the service-policy is attached: under control-plane rather than on an
interface, so it governs only traffic punted to the route processor and leaves transit traffic alone. In
a CoPP ACL, permit means "classify into this class", so permit udp any any puts every UDP packet
destined to the router into the UDP class. That satisfies the task, but in production it would also
rate-limit legitimate UDP aimed at the router (routing protocols such as RIP, NTP, SNMP, IKE and so
on); the usual refinement is to deny known-good peers and ports in the ACL so they fall through to
class-default, or to give them a class of their own with a higher rate. Create the required elements
and apply them to the control plane, as shown below.
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip access-list extended UDP-Floods
R3(config-ext-nacl)#permit udp any any
R3(config-ext-nacl)#exit
R3(config)#class-map match-all UDP
R3(config-cmap)#match access-group name UDP-Floods
R3(config-cmap)#policy-map 1.8
R3(config-pmap)#class UDP
R3(config-pmap-c)#police 16000 conform-action transmit exceed-action drop
R3(config-pmap-c-police)#exit
R3(config-pmap-c)#control-plane
R3(config-cp)#service-policy input 1.8
R3(config-cp)#end
R3#
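To make the policer's arithmetic concrete, here is a token-bucket model of the single-rate, two-colour policer that the police command above configures. It is an added example written for this page, not part of the lab and not IOS code; the cir and bc values are the ones R3 reports in the next output, and the two packet streams fed to it are constructed. With cir 16000 bps the bucket refills at 2000 bytes per second, so a flood of 1000-byte packets gets about two packets per second through (plus the initial burst) and everything else is dropped, while an 8 kbps stream passes untouched. It also shows the one sizing rule worth remembering: a packet larger than bc can never conform, so bc must cover the largest legitimate packet the router should accept.

```python
"""Token-bucket model of the single-rate, two-colour policer configured by
`police 16000 conform-action transmit exceed-action drop`.

Added example, not part of the lab text. The packet streams are constructed;
cir 16000 bps and bc 1500 bytes are the values the router reported. IOS's
internal token accounting differs in detail, so counts are illustrative.
"""
from dataclasses import dataclass, field


@dataclass
class Policer:
    cir_bps: int                    # committed information rate (bits/s)
    bc_bytes: int                   # committed burst: bucket depth (bytes)
    tokens: float = field(init=False)
    last_ms: int = field(init=False, default=0)
    conformed_pkts: int = 0
    conformed_bytes: int = 0
    exceeded_pkts: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)      # the bucket starts full

    def offer(self, now_ms: int, size: int) -> str:
        """Offer one packet of `size` bytes at time `now_ms` (integer ms).
        Returns the action taken: 'transmit' (conform) or 'drop' (exceed)."""
        # Refill at cir: bits/s -> bytes/ms is cir / 8000; never above bc.
        refill = (now_ms - self.last_ms) * self.cir_bps / 8000
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:                 # conform: spend tokens
            self.tokens -= size
            self.conformed_pkts += 1
            self.conformed_bytes += size
            return "transmit"
        self.exceeded_pkts += 1                 # exceed: tokens untouched
        self.exceeded_bytes += size
        return "drop"


def run_stream(policer: Policer, size: int, interval_ms: int, count: int) -> dict:
    """Offer `count` packets of `size` bytes, one every `interval_ms`, and
    return the policer's counters together with the stream's offered rate."""
    for i in range(count):
        policer.offer(i * interval_ms, size)
    return {
        "offered_bps": size * 8 * 1000 // interval_ms,
        "conformed_pkts": policer.conformed_pkts,
        "exceeded_pkts": policer.exceeded_pkts,
        "conformed_bytes": policer.conformed_bytes,
        "exceeded_bytes": policer.exceeded_bytes,
    }


def flood_vs_policer() -> dict:
    """Constructed flood: 1000-byte UDP packets at 100 pps (800 kbps) for 3 s."""
    return run_stream(Policer(cir_bps=16000, bc_bytes=1500),
                      size=1000, interval_ms=10, count=300)


def legitimate_vs_policer() -> dict:
    """Constructed legitimate stream: 100-byte packets every 100 ms (8 kbps)."""
    return run_stream(Policer(cir_bps=16000, bc_bytes=1500),
                      size=100, interval_ms=100, count=300)


if __name__ == "__main__":
    print("flood     :", flood_vs_policer())
    print("legitimate:", legitimate_vs_policer())
```

The flood conforms only when the bucket has refilled to a full packet, so what gets through is bounded by bc plus cir times the duration, whatever the offered rate is; that bound is why the router's exceeded counter climbs while conformed barely moves.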

Look at the service-policy to see how it's applied.

R3#show policy-map control-plane
 Control Plane

  Service-policy input: 1.8

    Class-map: UDP (match-all)
      3 packets, 417 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name UDP-Floods
      police:
          cir 16000 bps, bc 1500 bytes
        conformed 3 packets, 417 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      5 packets, 444 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R3#
Relaunch the attack and check the service-policy again.

R3#show policy-map control-plane
 Control Plane

  Service-policy input: 1.8

    Class-map: UDP (match-all)
      45984 packets, 67450959 bytes
      5 minute offered rate 1522000 bps, drop rate 1521000 bps
      Match: access-group name UDP-Floods
      police:
          cir 16000 bps, bc 1500 bytes
        conformed 25 packets, 21664 bytes; actions:
          transmit
        exceeded 45959 packets, 67429295 bytes; actions:
          drop
        conformed 5000 bps, exceed 12843000 bps

    Class-map: class-default (match-any)
      10 packets, 896 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

As you can see, the policy is being matched: of 45984 UDP packets offered, 25 conformed and 45959
were dropped, and the offered rate of about 1.5 Mbps is almost entirely drop rate, while the
conformed rate (5000 bps) stays under the 16 kbps cir. Because the police command gave no burst, the
router filled in the default bc of 1500 bytes; had bc been smaller than the largest expected packet,
those packets would always exceed. Meanwhile class-default, which carries everything else destined to
the router, shows only its 10 packets and no drops, which satisfies the requirement to leave other
traffic unimpeded. Now look at the CPU again.
R3#sh processes cpu sorted
CPU utilization for five seconds: 56%/56%; one minute: 11%; five minutes: 10%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 114        4860    385470     12  3.67%  1.16%  0.68%   0 Ethernet Msec Ti
 138        1008     97289     10  0.79%  0.23%  0.14%   0 IPAM Manager
 284         660     96315      6  0.31%  0.13%  0.09%   0 MMON MENG
 113         300     20670     14  0.23%  0.05%  0.00%   0 Ethernet Timer C
 153         148      3056     48  0.15%  0.02%  0.00%   0 OSPF-1 Router
 307         124     15726      7  0.15%  0.03%  0.00%   0 Atheros LED Ctro
  18          56      3072     18  0.15%  0.01%  0.00%   0 IPC Deferred Por
  12         308       536    574  0.15%  0.06%  0.02%   0 Exec
 226          84      6019     13  0.07%  0.00%  0.00%   0 CCE DP URLF cach
  79         252     12355     20  0.07%  0.02%  0.00%   0 Netclock Backgro
  43          52      3085     16  0.07%  0.00%  0.00%   0 GraphIt

As you can see, the flood is kept at bay by the policer. IP Input has dropped off the process list
entirely, and the 56%/56% reading shows that whatever CPU the flood still costs is spent at interrupt
level, where the policer classifies and discards the packets before they reach any process. CoPP does
not make a software-switched router immune to a flood, but it confines the cost to the cheap path and
keeps process-level work (routing protocols, management sessions) responsive; the one-minute average
falling from 65% to 11% shows the effect.
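The check above was done by eye; in practice you would collect show policy-map control-plane on a schedule (over SSH, or from a job triggered by a CPU-threshold syslog) and alert when a class starts dropping. The parser below does that against the two outputs R3 printed above. It is an added example written for this page, not part of the lab or of IOS; the sample outputs are copied from the verification steps above, and the 50% drop-ratio threshold is an assumption chosen to separate a sustained flood from an occasional burst over cir.

```python
"""Parse `show policy-map control-plane` and flag classes whose policer is
dropping, so the manual check from the lab can be scripted.

Added example, not part of the lab text. The two sample outputs are the ones
R3 printed before and during the flood; the alert threshold is an assumption.
"""
import re

BASELINE_OUTPUT = """\
 Control Plane

  Service-policy input: 1.8

    Class-map: UDP (match-all)
      3 packets, 417 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name UDP-Floods
      police:
          cir 16000 bps, bc 1500 bytes
        conformed 3 packets, 417 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      5 packets, 444 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

ATTACK_OUTPUT = """\
 Control Plane

  Service-policy input: 1.8

    Class-map: UDP (match-all)
      45984 packets, 67450959 bytes
      5 minute offered rate 1522000 bps, drop rate 1521000 bps
      Match: access-group name UDP-Floods
      police:
          cir 16000 bps, bc 1500 bytes
        conformed 25 packets, 21664 bytes; actions:
          transmit
        exceeded 45959 packets, 67429295 bytes; actions:
          drop
        conformed 5000 bps, exceed 12843000 bps

    Class-map: class-default (match-any)
      10 packets, 896 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

_CLASS = re.compile(r"Class-map: (\S+) \((match-all|match-any)\)")
_TOTALS = re.compile(r"(\d+) packets, (\d+) bytes$")
_RATES = re.compile(r"5 minute offered rate (\d+) bps, drop rate (\d+) bps")
_POLICE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
_COLOUR = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes; actions:")


def parse_copp(output: str) -> dict:
    """Return {class_name: {counters}} for every class-map in the output.
    Lines are matched anchored at their start, so the class totals line
    ('3 packets, 417 bytes') is told apart from the policer colour lines."""
    classes: dict = {}
    cur = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := _CLASS.match(line):
            cur = classes.setdefault(m.group(1), {"match_type": m.group(2)})
        elif cur is None:
            continue                              # header lines before any class
        elif m := _TOTALS.match(line):
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := _RATES.match(line):
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif m := _POLICE.match(line):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif m := _COLOUR.match(line):
            cur[f"{m.group(1)}_pkts"] = int(m.group(2))
            cur[f"{m.group(1)}_bytes"] = int(m.group(3))
    return classes


def drop_ratio(cls: dict) -> float:
    """Fraction of policed packets that exceeded; 0.0 for an unpoliced class."""
    total = cls.get("conformed_pkts", 0) + cls.get("exceeded_pkts", 0)
    return cls.get("exceeded_pkts", 0) / total if total else 0.0


def flagged_classes(classes: dict, min_ratio: float = 0.5) -> list:
    """Classes currently dropping (5-minute drop rate > 0) that have dropped
    at least `min_ratio` of everything they have seen (threshold assumed)."""
    return sorted(name for name, c in classes.items()
                  if c.get("drop_bps", 0) > 0 and drop_ratio(c) >= min_ratio)


if __name__ == "__main__":
    for label, out in (("baseline", BASELINE_OUTPUT), ("attack", ATTACK_OUTPUT)):
        print(label, flagged_classes(parse_copp(out)))
```

Counters in this output are cumulative since the policy was applied or last cleared, so a scheduled check should diff successive samples or lean on the 5-minute drop rate rather than on the raw exceeded count alone.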
