SoFunction
Updated on 2025-04-14

Keeping routers away from dictionary DoS attacks

Dictionary-based DoS attacks against routers can give an attacker access to a Cisco router, or leave legitimate users unable to use it. This article shows how to use the enhanced login features of Cisco IOS to defend against such attacks.

You may not have recognized that a dictionary denial-of-service (DoS) attack against the Telnet, SSH, or HTTP port can succeed against your Cisco router. Even if most network administrators do not have all of these ports open, I would bet that they have at least one of them open for router management.

Exposing these ports on the public network is, of course, far more dangerous than exposing them on the private network. Either way, you need to protect the router against dictionary DoS attacks, through which an attacker might gain access to the router or simply cause a denial of service on your network.

Cisco IOS 12.3(4)T and later, however, include enhanced login features that give your router additional protection. These features offer the following advantages:


Introduce a delay between login attempts once repeated attempts are detected.

Refuse further logins when too many attempts have failed.

Generate syslog messages or SNMP traps that warn about and record failed and unauthorized login attempts.

How do you know whether your router's IOS includes this code? The easiest check is to enter global configuration mode and type "login ?" (the trailing question mark asks IOS for the available keywords). The command returns a list of keywords like the following:


block-for   Set the quiet-mode active time period.

delay       Set the delay between successive failed logins.

on-failure  Set options (syslog message, SNMP trap) for a failed login attempt.

on-success  Set options (syslog message, SNMP trap) for a successful login attempt.

quiet-mode  Set quiet-mode options.

If your router's IOS does not include this code, the command instead returns an "unrecognized command" error.

If your router lacks the feature, use the Cisco Feature Navigator to find an IOS release for your router that includes it (see Cisco IOS Enhanced Login Features). The same tool helps you locate other features you need. Remember that downloading IOS code and accessing the Feature Navigator require a Cisco maintenance contract.

The basic command for configuring these features is login block-for, and it is the only one that is required. Once you activate it, the default login delay is one second, and if the number of failed login attempts within the specified period exceeds the number you configured, the system rejects all login attempts for the configured blocking time.

In global configuration mode, execute the following command:

login block-for <seconds> attempts <tries> within <seconds>

block-for: how long (in seconds) all login attempts are rejected
attempts: how many failed logins trigger the block
within: the period (in seconds) in which those failures must occur

Here is an example:

login block-for 120 attempts 5 within 60

This command configures the system as follows: if there are five login failures within 60 seconds, the router denies all logins for 120 seconds. If you enter show login at this point, you receive output like the following:

By default, the login delay time is one second.
The Quiet Mode Access List is not configured.

The router activates the login attack monitoring program.
If there are five login failures in about 60 seconds,
The system will disable login operation for 120 seconds.

The router is currently in normal mode.
54 seconds remain in the current watch window.
Login failures in the current window: 0.

This output shows your settings, including the default one-second login delay, together with other status information. It also tells you that the router is currently in normal mode, meaning that logins are still being accepted.

If the router decides it is under attack, it enters quiet mode and starts denying all login attempts. You can also configure an ACL listing the hosts and networks that are exempt: those hosts and networks may log in to the router whether it is in quiet mode or not.

Here are some of the options available when configuring these commands:


login delay <seconds>: the number of seconds to wait after an invalid login before the next attempt is accepted. You can choose any value between 1 and 10.

login on-failure and login on-success: these options select the kind of syslog message and SNMP trap generated when a login fails or succeeds.

login quiet-mode access-class <ACL number>: supply the number of an ACL. Use this option to define an exemption list: the hosts and networks in this list can log in to the router whether it is in quiet mode or in normal mode.

As a rule, I recommend enabling login block-for on all routers; these features help you keep your routers more secure.
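As an added illustration (not code from the article or from Cisco), the following Python model reproduces the watch-window and quiet-mode rules described above for login block-for, and the exemption granted by login quiet-mode access-class, and renders the equivalent global-configuration commands. The host addresses, the ACL number 10 and the event timings are constructed; the model enters quiet mode on the fifth failure, as the article's example describes, and assumes that a failed attempt from an exempt host does not extend quiet mode.

```python
"""Offline model of the Cisco IOS login-enhancement behaviour described in the article.

Added illustration, not Cisco code. It emulates the watch window opened by
'login block-for <block_for> attempts <attempts> within <within>', the quiet mode
that follows, and the exemption granted by 'login quiet-mode access-class'.
Time is plain seconds; source hosts are strings; the exempt hosts and the ACL
number used when rendering the configuration are constructed values.
"""
from collections import deque


class LoginGuard:
    """Emulates the router-side watch window and quiet mode."""

    def __init__(self, block_for, attempts, within, quiet_acl=(), acl_number=10, delay=1):
        self.block_for = block_for             # seconds all logins are refused (quiet mode)
        self.attempts = attempts               # failures that trigger quiet mode
        self.within = within                   # length of the watch window, in seconds
        self.quiet_acl = frozenset(quiet_acl)  # hosts exempt from quiet mode (constructed)
        self.acl_number = acl_number           # standard ACL referenced by quiet-mode access-class
        self.delay = delay                     # seconds between successive failed attempts
        self.failures = deque()                # timestamps of failures still inside the window
        self.quiet_until = None                # end of quiet mode; None while in normal mode

    def mode(self, now):
        """'quiet' until block_for seconds have elapsed, otherwise 'normal'."""
        if self.quiet_until is not None:
            if now < self.quiet_until:
                return "quiet"
            # quiet period is over: back to normal mode with a fresh watch window
            self.quiet_until = None
            self.failures.clear()
        return "normal"

    def _trim(self, now):
        # drop failures that have fallen out of the watch window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()

    def accepts_login(self, src, now):
        """Is src offered a login prompt at time now?"""
        if self.mode(now) == "quiet":
            return src in self.quiet_acl
        return True

    def record_failure(self, src, now):
        """Register a failed login from src and return the resulting mode."""
        if self.mode(now) == "quiet":
            # non-exempt hosts never reached a prompt; a failure from an exempt
            # host is assumed not to extend quiet mode in this model
            return "quiet"
        self._trim(now)
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            # the article's rule: five failures within 60 s -> deny everyone for 120 s
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "quiet"
        return "normal"

    def failures_in_window(self, now):
        """Failures counted in the current watch window (what 'show login' reports)."""
        self._trim(now)
        return len(self.failures)

    def config_lines(self):
        """Render the IOS global-configuration commands this model corresponds to."""
        lines = [
            f"login block-for {self.block_for} attempts {self.attempts} within {self.within}",
            f"login delay {self.delay}",
            "login on-failure log",
            "login on-success log",
        ]
        if self.quiet_acl:
            lines += [f"access-list {self.acl_number} permit host {h}" for h in sorted(self.quiet_acl)]
            lines.append(f"login quiet-mode access-class {self.acl_number}")
        return lines


if __name__ == "__main__":
    # constructed scenario: an outside host fails five times within 60 s;
    # the exempt management host keeps access while everyone else is blocked
    guard = LoginGuard(120, 5, 60, quiet_acl={"10.1.1.10"})
    for t in (0, 10, 20, 30, 40):
        print(f"t={t:>3}s failure from 203.0.113.9 -> mode {guard.record_failure('203.0.113.9', t)}")
    print("outsider admitted at t=100:", guard.accepts_login("203.0.113.9", 100))
    print("exempt host admitted at t=100:", guard.accepts_login("10.1.1.10", 100))
    print("mode at t=160:", guard.mode(160))
    print("\n".join(guard.config_lines()))
```

Running the script walks through the article's example: four failures leave the router in normal mode with four failures counted in the window, the fifth puts it into quiet mode for 120 seconds, only the host permitted by the quiet-mode ACL is still offered a prompt, and at t=160 the router is back in normal mode with an empty watch window.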

If you are not already doing so, also consider allowing only SSH on your router and permitting access from the internal network alone. SSH encrypts all traffic between the PC and the router, including the username and password.

For reference information on all the commands for these new features, see the Cisco IOS Login Enhancements documentation.

Article entry: csh     Editor in charge: csh