[c-nsp] Broadcast storm control

Justin Shore justin at justinshore.com
Tue Nov 6 12:33:20 EST 2007


Apparently I forgot to click the Send button last night.


What process consumed the router's resources during the bcast storm?  IP 
Input?  What's the router?  The type of device will dictate our suggestions.

I'd take a number of steps to secure the interface and harden the 
router.  Assuming it's a basic router I'd first disable all unneeded 
features on the interface.  Of course if it's a switchport then you have 
another list of things to do on top of securing your SVIs.  You've 
probably already included all this good stuff in your interface 
templates but it doesn't hurt to check.  Refer to Et2/0 in this doc:

http://www.cymru.com/Documents/secure-ios-template.html
http://www.cymru.com/gillsr/documents/catalyst-secure-template.htm

Next I'd implement control-plane policing (CoPP).  CoPP will let you 
restrict access to the control-plane of your router.  This will be the 
single biggest thing you can do to harden your RP.  These docs from 
Cisco are pretty good:

http://tinyurl.com/2npd28
http://tinyurl.com/39h335

You need to read up on your platforms of choice and how CoPP applies to 
them because not all platforms are the same and many features are 
platform dependent.  The Cisco Press title "LAN Switch Security" also 
has a nice section on implementing CoPP on a few different platforms, 
though it could be even more detailed (I think the topic could fill an 
entire volume).  This book is actually quite excellent at numerous 
aspects of L2 and some L3 security measures.  I highly recommend it:

http://tinyurl.com/39ntqf

The book discusses how to harden HSRP, VLANs, VTP and trunk ports and 
how to prevent ARP attacks, STP attacks, etc.  It has a good 802.1x 
section as well.  It's got a good amount of useful info.

I think CoPP will help you out.  Identify the traffic that's causing the 
DoS right now and address it with CoPP.  There are a lot of CoPP users 
on C-NSP.  Then go back and harden the router later.

Justin



Michael Malitsky wrote:
> Last week one of my customers DoS'd me - they managed to create a wire
> loop between their switches, with no STP.  The resulting broadcast storm
> killed the CPU on my access router (their default gateway).  Does anyone
> have any pointers or best practices on how I can protect the router
> without having access to the switches beyond it?