Protecting A Cisco Router From Ping Flooding
In a previous article on basic Cisco router security, I described my concern about a client who didn't use a firewall with its Internet-connected Cisco router. Even though I demonstrated how vulnerable the router was and recommended using a firewall, the client countered with all sorts of reasons why that was not feasible.
In this article and video, I want to share a configuration change that I recommended to the customer in lieu of a firewall. Of course nothing is a proper substitute for a real firewall, but sometimes we need to make do with what we have. There are quite a few documents out there explaining how to harden your router. This tip protects you specifically from ICMP attacks or ping flooding.
My client did not want to block pings altogether since the company uses ping for troubleshooting and monitoring. At first I suggested a simple access list to allow only their management stations IP address, but soon realized that wouldn’t work in their environment. For example, the IT staff sometimes pings from home after hours or from phones, which makes the IP address fairly random.
I showed them that they can limit the ping rate the router will accept and suggested we test it to make sure it works as expected.
In the video below, I used hrPing, which is a free download from cFos Software, to ping the router excessively. Microsoft pings with a one-second interval, but with hrPing, I can go as low as one millisecond.
The Cisco commands I used are:
access-list 111 permit icmp any echo
access-list 111 permit icmp any any echo-reply
rate-limit input access-group 111 22000 22000 22000 conform-action transmit exceed-action drop
I used Cisco counters, Wireshark and simple observation to see the impact of the configuration and it seemed to work just fine.
As with any configuration changes, I advise monitoring the router's memory and CPU load to ensure that this change doesn’t hurt performance.
Recommended For You
Businesses can make their organizations more secure while increasing employee productivity with fast, global wireless connectivity.
It’s no secret that as far as IT security goes, the healthcare space could be a whole lot better. How did things get so dire? And what can we do about it?
A basic, layered approach to DNS security can dramatically reduce the chances of DNS and BGP-related compromise. Here are three essential, preventative measures that organizations should implement.
The IIoT is here. Now it's time to make sure that security issues won't derail its value.
A security team with a broader view of issues can provide better plans and solutions to problems and the ability to react effectively and quickly in a security emergency.
By teaming up to address key technical and organizational issues, information and operational security teams can improve the resiliency and safety of their infrastructure systems.