Learn how to configure a Cisco router to protect it from ICMP attacks.
In a previous article on basic Cisco router security, I described my concern about a client who didn't use a firewall with its Internet-connected Cisco router. Even though I demonstrated how vulnerable the router was and recommended using a firewall, the client countered with all sorts of reasons why that was not feasible.
In this article and video, I want to share a configuration change that I recommended to the customer in lieu of a firewall. Of course nothing is a proper substitute for a real firewall, but sometimes we need to make do with what we have. There are quite a few documents out there explaining how to harden your router. This tip protects you specifically from ICMP attacks or ping flooding.
My client did not want to block pings altogether since the company uses ping for troubleshooting and monitoring. At first I suggested a simple access list to allow only their management stations IP address, but soon realized that wouldn’t work in their environment. For example, the IT staff sometimes pings from home after hours or from phones, which makes the IP address fairly random.
I showed them that they can limit the ping rate the router will accept and suggested we test it to make sure it works as expected.
In the video below, I used hrPing, which is a free download from cFos Software, to ping the router excessively. Microsoft pings with a one-second interval, but with hrPing, I can go as low as one millisecond.
The Cisco commands I used are:
access-list 111 permit icmp any echo
access-list 111 permit icmp any any echo-reply
rate-limit input access-group 111 22000 22000 22000 conform-action transmit exceed-action drop
I used Cisco counters, Wireshark and simple observation to see the impact of the configuration and it seemed to work just fine.
As with any configuration changes, I advise monitoring the router's memory and CPU load to ensure that this change doesn’t hurt performance.