Protect your router from dictionary DoS attacks

Source: Internet
Author: User
Tags: new features, snmp, system log, time interval, ssh

A dictionary DoS attack on a router can allow an attacker to gain access to a Cisco router, or it may leave legitimate users unable to use the router at all. This article shows how to use the enhanced login features of Cisco IOS (Cisco's network operating system) to defend against this attack.

You may not have realized that a dictionary denial of service (DoS) attack against a Telnet, SSH, or HTTP port can succeed against your Cisco router. In fact, even if most network administrators don't have all of these ports open, I bet they have at least one of them open for router management.

Of course, exposing these ports to a public network is more dangerous than exposing them to a private network. Either way, you need to protect your router against a dictionary DoS attack, in which an attacker may gain access to the router or simply cause a denial of service on your network.

However, the enhanced login features in Cisco IOS 12.3(4)T and later give your router additional protection. These new enhanced login features offer the following advantages:

After detecting consecutive failed login attempts, they introduce a login delay.

If too many login attempts fail, no further logins are allowed for a period of time.

They write appropriate messages to the system log or send SNMP traps to warn of, and record additional details about, failed and blocked logins.

How do you know whether your router's IOS includes this feature? The simplest way to find out is to enter global configuration mode and type the login command followed by ? (context-sensitive help), which returns the list of options shown below:

block-for -- sets how long the router stays in quiet mode.

delay -- sets the delay between consecutive failed logins.

on-failure -- sets the options applied after a failed login attempt.

on-success -- sets the options applied after a successful login attempt.

quiet-mode -- sets the quiet-mode options.

If the IOS in your router does not have this feature, the router returns an "unrecognized command" error.

If your router does not have this feature, use the Cisco IOS Feature Navigator tool to find an IOS version that includes it (look for the Cisco IOS Login Enhancements feature). You can also use this tool to find other features you need. Remember that downloading IOS code and accessing the Feature Navigator tool requires a Cisco maintenance contract.

The most basic command for configuring these features, and the only one that is required, is login block-for. Once you activate this command, the default login delay is one second, and the router rejects all login attempts if the number of failed attempts exceeds the count you give within the time period you specify.

In global configuration mode, execute the following command:

login block-for <seconds during which all login attempts are rejected> attempts <number of failed logins that triggers the block> within <time window in seconds>

An example is given below:

login block-for 120 attempts 5 within 60

This command configures the system as follows: if there are five unsuccessful logins within 60 seconds, the router rejects all logins for 120 seconds. If you enter show login at this point, you receive the following output:

    A default login delay of one second is applied.
    No quiet-mode access list is configured.
    The router is enabled to watch for login attacks.
    If five login failures occur within 60 seconds or less,
    logins will be disabled for 120 seconds.
    The router is presently in normal mode.
    Current watch window: 54 seconds remaining.
    Login failures in the current window: 0.

This output shows your settings, including the default login delay of one second, plus additional status information. It also tells you that the router is currently in normal mode, which means it currently allows logins.

If the router decides it is under attack, it enters quiet mode and starts rejecting all login attempts. You can also configure an ACL that lists the hosts and networks this router should exempt, so that those hosts and networks can still log in to the router whether it is in quiet mode or not.

The following are some of the options available with these commands:

login delay <seconds>: the number of seconds of delay to apply after a failed login. You can choose any number between 1 and 10.

login on-failure and login on-success: these options let you choose the type of logging and SNMP trap to generate when a login fails or succeeds.

login quiet-mode access-class <ACL number>: supply an ACL number with this option to define an exemption list of hosts and networks that can log in to the router whether it is in quiet mode or normal mode.
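To make the block-for behaviour described above concrete, here is an added Python model (not Cisco IOS code) of the watch window, quiet mode and the quiet-mode exemption ACL, using the page's values of 120/5/60; the management subnet 10.10.10.0/24 and the source address 203.0.113.9 are constructed for the demonstration.

```python
import ipaddress

class LoginGuard:
    """Model of IOS 'login block-for B attempts N within W' plus 'login quiet-mode
    access-class' (added example, not Cisco code); time is an explicit seconds value."""

    def __init__(self, block_for, attempts, within, exempt_networks=()):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.exempt = [ipaddress.ip_network(n) for n in exempt_networks]  # quiet-mode ACL
        self.window_start = None  # first failure opens the watch window
        self.failures = 0         # failed logins in the current watch window
        self.quiet_until = None   # end of quiet mode; None means normal mode
        self.events = []          # what 'login on-failure log' would send to syslog

    def _tick(self, now):  # expire the quiet period and the watch window
        if self.quiet_until is not None and now >= self.quiet_until:
            self.quiet_until = None
            self.events.append(f"t={now} QUIET_MODE_OFF: block period timed out")
        if self.window_start is not None and now - self.window_start >= self.within:
            self.window_start, self.failures = None, 0

    def status(self, now):  # the essentials of 'show login'
        self._tick(now)
        remaining = 0 if self.window_start is None else self.within - (now - self.window_start)
        return {"mode": "quiet" if self.quiet_until is not None else "normal",
                "window_remaining": remaining, "failures": self.failures}

    def attempt(self, now, source, password_ok):
        """Return 'ok', 'rejected' (bad credentials) or 'blocked' (quiet mode)."""
        self._tick(now)
        src = ipaddress.ip_address(source)
        if self.quiet_until is not None and not any(src in net for net in self.exempt):
            return "blocked"  # quiet mode: dropped before authentication, unless exempt
        if password_ok:
            self.events.append(f"t={now} LOGIN_SUCCESS source={source}")
            return "ok"
        if self.window_start is None:
            self.window_start = now
        self.failures += 1
        self.events.append(f"t={now} LOGIN_FAILED source={source}")
        if self.failures >= self.attempts:  # page example: 5 failures within 60 s
            self.quiet_until = now + self.block_for
            self.window_start, self.failures = None, 0
            self.events.append(f"t={now} QUIET_MODE_ON source={source} for {self.block_for}s")
        return "rejected"

if __name__ == "__main__":  # constructed scenario: five bad passwords from one source
    g = LoginGuard(120, 5, 60, exempt_networks=["10.10.10.0/24"])
    for t in (0, 1, 2, 3, 10): g.attempt(t, "203.0.113.9", password_ok=False)
    print(g.status(11), g.attempt(20, "203.0.113.9", True), g.attempt(20, "10.10.10.5", True))
```

The exempt management host still authenticates during quiet mode, while every other source is dropped until the 120-second block expires.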

For security purposes, I generally recommend activating the login block-for option on all routers. These new features will help you secure your router better.

If you have not already done so, also consider allowing only SSH on the router, and only from the internal network. SSH encrypts all communication (including the username and password) between the PC and the router.
