Control Plane Attack

Control plane functions consist of the protocols and processes that communicate between network devices to move data from source to destination. This includes routing protocols such as the Border Gateway Protocol, as well as protocols like ICMP and the Resource Reservation Protocol (RSVP).

Protection of the control plane of a network device is critical because the control plane ensures that the management and data planes are maintained and operational. If the control plane were to become unstable during a security incident, it can be impossible for you to recover the stability of the network.

In many cases, disabling the reception and transmission of certain types of messages on an interface can minimize the amount of CPU load that is required to process unneeded packets.

Mitigation

Disable ICMP Redirects, ICMP Unreachables, Proxy ARP, Avoid Process Switching, Control Plane Protection, Control Plane Policing, Routing Protocol Protection, Infrastructure ACLs

Disable ICMP Redirects

An ICMP redirect message can be generated by a router when a packet is received and transmitted on the same interface. In this situation, the router forwards the packet and sends an ICMP redirect message back to the sender of the original packet. This behavior allows the sender to bypass the router and forward future packets directly to the destination (or to a router closer to the destination). In a properly functioning IP network, a router sends redirects only to hosts on its own local subnets. In other words, ICMP redirects should never go beyond a Layer 3 boundary.

There are two types of ICMP redirect messages: redirect for a host address and redirect for an entire subnet. A malicious user can exploit the ability of the router to send ICMP redirects by continually sending packets to the router, forcing the router to respond with ICMP redirect messages, resulting in an adverse impact on the CPU and performance of the router. In order to prevent the router from sending ICMP redirects, use the no ip redirects interface configuration command.

Disable ICMP Unreachables

Filtering with an interface access list elicits the transmission of ICMP unreachable messages back to the source of the filtered traffic. Generating these messages can increase CPU utilization on the device. In Cisco IOS software, ICMP unreachable generation is limited to one packet every 500 milliseconds by default. ICMP unreachable message generation can be disabled using the interface configuration command no ip unreachables. ICMP unreachable rate limiting can be changed from the default using the global configuration command ip icmp rate-limit unreachable interval-in-ms.

Disable Proxy ARP

Proxy ARP is the technique in which one device, usually a router, answers ARP requests that are intended for another device. By “faking” its identity, the router accepts responsibility for routing packets to the real destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway.

There are several disadvantages to utilizing proxy ARP. Utilizing proxy ARP can result in an increase in the amount of ARP traffic on the network segment and resource exhaustion and man-in-the-middle attacks. Proxy ARP presents a resource exhaustion attack vector because each proxied ARP request consumes a small amount of memory. An attacker can be able to exhaust all available memory by sending a large number of ARP requests.

Man-in-the-middle attacks enable a host on the network to spoof the MAC address of the router, resulting in unsuspecting hosts sending traffic to the attacker. Proxy ARP can be disabled using the interface configuration command no ip proxy-arp.

Avoid Process Switching Traffic

Process switched traffic normally consists of two different types of traffic. The first type of traffic is directed to the Cisco IOS device and must be handled directly by the Cisco IOS device CPU. This traffic consists of this category:

  • Receive adjacency traffic—This traffic contains an entry in the Cisco Express Forwarding (CEF) table whereby the next router hop is the device itself, which is indicated by the term receive in the show ip cef Command Line Interface (CLI) output. This indication is the case for any IP address that requires direct handling by the Cisco IOS device CPU, which includes interface IP addresses, multicast address space, and broadcast address space.

The second type of traffic that is handled by the CPU is data plane traffic—traffic with a destination beyond the Cisco IOS device itself—which requires special processing by the CPU. Although not an exhaustive list of CPU impacting data plane traffic, these types of traffic are process switched and can therefore affect the operation of the control plane:

  • Access Control List logging—ACL logging traffic consists of any packets that are generated due to a match (permit or deny) of an ACE on which the log keyword is used.
  • Unicast Reverse Path Forwarding (Unicast RPF)—Unicast RPF, used in conjunction with an ACL, can result in the process switching of certain packets.
  • IP Options—Any IP packets with options included must be processed by the CPU.
  • Fragmentation—Any IP packet that requires fragmentation must be passed to the CPU for processing.
  • Time-to-live (TTL) Expiry—Packets which have a TTL value less than or equal to 1 require Internet Control Message Protocol Time Exceeded (ICMP Type 11, Code 0) messages to be sent, which results in CPU processing.
  • ICMP Unreachables—Packets that result in ICMP unreachable messages due to routing, MTU, or filtering is processed by the CPU.
  • Traffic Requiring an ARP Request—Destinations for which an ARP entry does not exist require processing by the CPU.
  • Non-IP Traffic—All non-IP traffic is processed by the CPU.

Control Plane Protection

Control Plane Protection (CPPr) can be used in order to restrict or police control plane traffic by the CPU of a Cisco IOS device. While similar to CoPP, CPPr has the ability to restrict or police traffic using finer granularity than CoPP.

Control Plane Policing

The Control Plane Policing (CoPP) feature can be used in order to restrict IP packets that are destined to the infrastructure device. In this example, only SSH traffic from trusted hosts is permitted to reach the Cisco IOS device CPU.

Infrastructure ACLs

Devised to prevent unauthorized direct communication to network devices, infrastructure access control lists (iACLs) are one of the most critical security controls that can be implemented in networks. An iACL is constructed and applied to specify connections from hosts or networks that need to be allowed to network devices. Common examples of these types of connections are eBGP, SSH, and SNMP.

An iACL is constructed and applied to specify connections from hosts or networks that need to be allowed to network devices. Common examples of these types of connections are eBGP, SSH, and SNMP. After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is then explicitly permitted.