Networking

Protect your router from a dictionary DoS attack

A DoS dictionary attack could result in an attacker gaining access to one of your Cisco routers or making it unavailable to users. Find out how you can use Cisco IOS Login Enhancements to combat these attacks.

Want to learn more about router and switch management? Click this link to automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

You may not realize it, but a dictionary denial of service (DoS) attack on Telnet, SSH, or HTTP ports could hit your Cisco router. In fact, I bet most network administrators have at least one, if not more, of these ports open for router management.

Of course, having these ports open to a public network is much more dangerous than leaving them open on a private network. But either way, you need to do whatever you can to protect your routers from a dictionary DoS attack, which attackers could use to gain access to your router or simply create a service outage on your network.

Thanks to login enhancements in IOS 12.3(4)T and later, you can provide your routers with additional protection. These new login enhancements offer the following benefits:

  • Create delays between successive login attempts.
  • Disallow login if there are too many failed login attempts.
  • Create messages in the system log or send SNMP traps that alert/record additional information about the failed and disallowed logins.

How do you know if your router contains the appropriate code? The simplest way to find out is to go to Global Configuration Mode and enter login ? This command returns a list of choices, as shown below:

block-for       Set quiet-mode active time period
delay           Set delay between successive fail login
on-failure      Set options for failed login attempt
on-success      Set options for successful login attempt
quiet-mode      Set quiet-mode options

If you don't have this code in your IOS, it will return an "Unrecognized command" error.

If you don't have the feature, use the Cisco IOS Feature Navigator to find the code for your router that has this feature. (Look for Cisco IOS Login Enhancements.) You can also use this tool to search for other features that you need. Keep in mind that a Cisco maintenance contract is necessary to download IOS code and access the Feature Navigator.

The only command required to configure the most basic form of these features is the login block-for command. Once you've enabled this command, there's a default login delay of one second. The system will deny all logins for a specified number of seconds if the maximum number of tries occurs within the time you indicate.

In global configuration mode, execute the following:

login block-for <number of seconds to block out all logins> 
attempts <if this number of login tries are made> within <this
number of seconds>

Here's an example:

login block-for 120 attempts 5 within 60

This command configures the system to deny all logins to the router if there are five failed login attempts within 60 seconds. Then, if you enter show login, you'll receive the following output:

A default login delay of 1 second is applied.
No Quiet-Mode access list has been configured.

Router enabled to watch for login attacks. If more than 5 login failures occur in 60 seconds or less, logins will be disabled for 120 seconds.
Router presently in Normal-Mode. Current Watch Window remaining time 54 seconds. Present login failure count 0.

This shows you the setting you've configured, including the default login delay of one second, along with additional information. It also tells you that the router is in Normal Mode, which means that the router is currently allowing logins.

The router goes into Quiet Mode when it believes something has attacked it, and it begins denying all logins. You can also configure an ACL that will serve as an exclusion list of hosts/networks that the router will allow, regardless of whether it's in Quiet Mode.

Here are some options to configure some of these other commands:

  • login delay <number>: Add the number of seconds of delay between failed logins. You can choose one to 10 seconds.
  • login on-failure and login on-success: This allows you to choose the type of logging/SNMP alerts when there are failed and successful logins.
  • login quiet-mode access-class <ACL number>: Add the ACL number, and this allows you to enter an exclusion list of hosts/networks allowed to log in to the router, regardless of whether the router is in Quiet or Normal Mode.

In general, I suggest enabling login block-for on all routers for security purposes. These new features will help better secure your routers.

And while you're at it—if you haven't already—consider enabling only SSH on your routers and only allowing access to that from the internal network. SSH encrypts all traffic between a PC and a router (including usernames and passwords).

For the complete command reference on these new features, check out the Cisco IOS Login Enhancements Documentation.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Editor's Picks