Protecting A Cisco Router From Ping Flooding
In a previous article on basic Cisco router security, I described my concern about a client who didn't use a firewall with its Internet-connected Cisco router. Even though I demonstrated how vulnerable the router was and recommended using a firewall, the client countered with all sorts of reasons why that was not feasible.
In this article and video, I want to share a configuration change that I recommended to the customer in lieu of a firewall. Of course nothing is a proper substitute for a real firewall, but sometimes we need to make do with what we have. There are quite a few documents out there explaining how to harden your router. This tip protects you specifically from ICMP attacks or ping flooding.
My client did not want to block pings altogether since the company uses ping for troubleshooting and monitoring. At first I suggested a simple access list to allow only their management stations IP address, but soon realized that wouldn’t work in their environment. For example, the IT staff sometimes pings from home after hours or from phones, which makes the IP address fairly random.
I showed them that they can limit the ping rate the router will accept and suggested we test it to make sure it works as expected.
In the video below, I used hrPing, which is a free download from cFos Software, to ping the router excessively. Microsoft pings with a one-second interval, but with hrPing, I can go as low as one millisecond.
The Cisco commands I used are:
access-list 111 permit icmp any echo
access-list 111 permit icmp any any echo-reply
rate-limit input access-group 111 22000 22000 22000 conform-action transmit exceed-action drop
I used Cisco counters, Wireshark and simple observation to see the impact of the configuration and it seemed to work just fine.
As with any configuration changes, I advise monitoring the router's memory and CPU load to ensure that this change doesn’t hurt performance.
Recommended For You
Network security is complex and challenging. If you want to strengthen your network security, never follow these four tips.
In the case of cloud-deployed systems that have exposed our data, that silver lining is that we know more about where and how these breaches occur.
IT and security teams must work together to ensure a company’s entire infrastructure is protected, regardless if workloads are run on-premises or in the cloud.
Intent-based segmentation can interpret business and security requirements and converts that into a segmentation policy that protects and isolates resources.
DNSSEC authentication helps to ensure that a compromised DNS server won't send you to a hijacked server when you point a browser to a specific domain name.