[c-nsp] Broadcast storm control
Justin Shore
justin at justinshore.com
Tue Nov 6 12:33:20 EST 2007
Apparently I forgot to click the Send button last night.
What process consumed the router's resources during the bcast storm? IP
Input? What's the router? The type of device will dictate our suggestions.
I'd take a number of steps to secure the interface and harden the
router. Assuming it's a basic router I'd first disable all unneeded
features on the interface. Of course if it's a switchport then you have
another list of things to do on top of securing your SVIs. You've
probably already included all this good stuff in your interface
templates but it doesn't hurt to check. Refer to Et2/0 in this doc:
http://www.cymru.com/Documents/secure-ios-template.html
http://www.cymru.com/gillsr/documents/catalyst-secure-template.htm
Next I'd implement control-plane policing (CoPP). CoPP will let you
restrict access to the control-plane of your router. This will be the
single biggest thing you can do to harden your RP. These docs from
Cisco are pretty good:
http://tinyurl.com/2npd28
http://tinyurl.com/39h335
You need to read up on your platforms of choice and how CoPP applies to
them because not all platforms are the same and many features are
platform dependent. The Cisco Press title "LAN Switch Security" also
has a nice section on implementing CoPP on a few different platforms,
though it could be even more detailed (I think the topic could fill an
entire volume). This book is actually quite excellent at numerous
aspects of L2 and some L3 security measures. I highly recommend it:
http://tinyurl.com/39ntqf
The book discusses how to harden HSRP, VLANs, VTP and trunk ports and
how to prevent ARP attacks, STP attacks, etc. It has a good 802.1x
section as well. It's got a good amount of useful info.
I think CoPP will help you out. Identify the traffic that's causing the
DoS right now and address it with CoPP. There are a lot of CoPP users
on C-NSP. Then go back and harden the router later.
Justin
Michael Malitsky wrote:
> Last week one of my customers DoS'd me - they managed to create a wire
> loop between their switches, with no STP. The resulting broadcast storm
> killed the CPU on my access router (their default gateway). Does anyone
> have any pointers or best practices on how I can protect the router
> without having access to the switches beyond it?
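Added example, not part of the original thread: an IOS configuration sketch of the two steps Justin recommends, interface hardening along the lines of the Cymru template's Et2/0 entries, and a starter control-plane policing policy. Interface name, the 192.0.2.0/24 management prefix, the routing protocol (OSPF) and all policing rates are placeholders to be replaced with the values for the router in question; the list of which `match` criteria a control-plane class-map accepts is platform dependent, as the post says, so check the CoPP guide for the specific platform before relying on the ARP class.

```cisco
! --- Step 1: disable unneeded features on the customer-facing interface ---
! Interface name is a placeholder; these are standard IOS commands.
interface FastEthernet0/1
 description CUSTOMER-FACING (placeholder)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no cdp enable
!
! --- Step 2: control-plane policing ---
! Management stations allowed to talk to the router itself (constructed prefix).
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
 permit udp 192.0.2.0 0.0.0.255 any eq ntp
!
! Routing-protocol traffic that must never be starved (assumes OSPF upstream).
ip access-list extended COPP-ROUTING
 permit ospf any any
!
! ARP punted to the CPU is where a looped customer L2 segment shows up.
! 'match protocol arp' in a control-plane class-map is platform dependent.
class-map match-all COPP-ARP
 match protocol arp
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
!
! Rates (bps) and burst (bytes) are placeholders; baseline before tightening.
policy-map COPP
 class COPP-ROUTING
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class COPP-ARP
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

A sensible rollout is to apply every class with `exceed-action transmit` first, watch `show policy-map control-plane input` for a few days to see normal conformed and exceeded counters, then switch the ARP and class-default classes to `drop`. Note that on software-forwarding routers the policer still spends CPU classifying each punted packet, so CoPP bounds the damage from a broadcast storm rather than making the interface immune to it; on platforms that police in hardware the protection is much stronger.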