© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.03-1 Cisco Network Foundation Protection: Securing the Data Plane

Transcript:

Cisco Network Foundation Protection: Securing the Data Plane

Data Plane Attacks

[Diagram: Slammer, System Under Attack]

router# show processes cpu
CPU utilization for five seconds: 99%/85%; one minute: 99%; five minutes: 78%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
 % 0.00% 0.00% 0 Chunk Manager
 % 0.03% 0.02% 0 Load Meter
 % 0.09% 0.03% 0 Exec
 % 0.06% 0.06% 0 Check heaps
 % 0.00% 0.00% 0 Pool Manager
 % 0.00% 0.00% 0 Timers
 % 0.00% 0.00% 0 OIR Handler
 % 0.00% 0.00% 0 Environmental mo
 % 0.00% 0.00% 0 Crash writer
 % 0.00% 0.00% 0 ARP Input

Data Plane Protection

ACLs
 – FPM
uRPF
 – For antispoofing mitigation
QoS
 – Class-based policing

Flexible Packet Matching

[Diagram: Attacker, Slammer, System Under Attack, router with PHDF + Custom Filters, Filter Match, Alert!, Administrator]

IP Header

Version | IHL | TOS | Total Length
Identification | Flags | Fragment Offset
TTL | Protocol | Header Checksum
Source IP Address
Destination IP Address
Options and Padding

Configuring FPM

Load a PHDF
 – For header field matching
Create a traffic class
 – Define a protocol stack and specify exact parameters to match
 – Using class map type stack and access-control
Create a traffic policy
 – Define a service policy
Apply the service policy to an interface

PHDFs and Class Map

router(config)# load protocol flash:ip.phdf
router(config)# load protocol flash:udp.phdf
router(config)# class-map type stack match-all ip-udp
router(config-cmap)# description match UDP over IP packets
router(config-cmap)# match field ip protocol eq 0x11 next udp
router(config-cmap)# exit
router(config)# class-map type access-control match-all slammer
router(config-cmap)# description match on slammer packets
router(config-cmap)# match field udp dest-port eq 0x59A
router(config-cmap)# match field ip length eq 0x194
router(config-cmap)# match start l3-start offset 224 size 4 eq 0x

Traffic Policies

router(config)# policy-map type access-control fpm-udp-policy
router(config-pmap)# description policy for UDP based attacks
router(config-pmap)# class slammer
router(config-pmap-c)# drop
router(config-pmap-c)# exit
router(config-pmap)# exit
router(config)# policy-map type access-control fpm-policy
router(config-pmap)# description drop worms and malicious attacks
router(config-pmap)# class ip-udp
router(config-pmap-c)# service-policy fpm-udp-policy
router(config-pmap-c)# exit
router(config-pmap)# exit

Applying a Service Policy to an Interface

[Diagram: Attacker, Fa0/1, System Under Attack]

router(config)# interface FastEthernet 0/1
router(config-if)# service-policy type access-control input fpm-policy

show protocols phdf Command

router# show protocols phdf ip
Protocol ID: 1
Protocol name: IP
Description: Definition-for-the-IP-protocol
Original file name: disk2:ip.phdf
Header length: 20
Constraint(s):
Total number of fields: 12
Field id: 0, version, IP-version
  Fixed offset. offset 0
  Constant length. Length: 4
Field id: 1, ihl, IP-Header-Length
  Fixed offset. offset 4
  Constant length. Length: 4
Field id: 2, tos, IP-Type-of-Service
  Fixed offset. offset 8
  Constant length. Length: 8
Field id: 3, length, IP-Total-Length
  Fixed offset. offset 16
  Constant length. Length: 16
Field id: 4, identification, IP-Identification
  Fixed offset. offset 32
  Constant length. Length: 16
Field id: 5, flags, IP-Fragmentation-Flags
  Fixed offset. offset 48
  Constant length. Length: 3
Field id: 6, fragment-offset, IP-Fragmentation-Offset
  Fixed offset. offset 51
  Constant length. Length: 13
Field id: 7, ttl, Definition-for-the-IP-TTL
  Fixed offset. offset 64
  Constant length. Length: 8
Field id: 8, protocol, IP-Protocol
  Fixed offset. offset 72
  Constant length. Length: 8
Field id: 9, checksum, IP-Header-Checksum
  Fixed offset. offset 80
  Constant length. Length: 16
Field id: 10, source-addr, IP-Source-Address
  Fixed offset. offset 96
  Constant length. Length: 32
Field id: 11, dest-addr, IP-Destination-Address
  Fixed offset. offset 128
  Constant length. Length: 32
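The configuration procedure on the preceding slides (load the PHDFs, define the stack and access-control class maps, nest the policy maps, apply the service policy) and the PHDF field table just shown can be modelled together in a few lines of Python. The following is an added example, not code from the Cisco slides or from IOS. It encodes the IP field offsets and lengths exactly as `show protocols phdf ip` lists them (in bits), assumes the standard UDP header layout for udp.phdf (which the slides do not print), evaluates the `ip-udp` and `slammer` class maps against constructed packets, and returns the policy action. Because the slide truncates the 4-byte value of `match start l3-start offset 224 size 4 eq 0x`, the pattern used here is a labelled placeholder; the PHDF-driven `field()` extractor and the offset arithmetic are the point.

```python
"""FPM-style classification in pure Python (added example, not Cisco code)."""
import struct

# IP PHDF fields exactly as listed by `show protocols phdf ip`: name -> (bit offset, bit length).
IP_PHDF = {
    "version": (0, 4), "ihl": (4, 4), "tos": (8, 8), "length": (16, 16),
    "identification": (32, 16), "flags": (48, 3), "fragment-offset": (51, 13),
    "ttl": (64, 8), "protocol": (72, 8), "checksum": (80, 16),
    "source-addr": (96, 32), "dest-addr": (128, 32),
}
# The slides do not print udp.phdf; this is the standard UDP header layout (assumption).
UDP_PHDF = {"source-port": (0, 16), "dest-port": (16, 16), "length": (32, 16), "checksum": (48, 16)}

# PLACEHOLDER: the slide truncates the value of "match start l3-start offset 224 size 4 eq 0x".
SIGNATURE_PLACEHOLDER = bytes.fromhex("aabbccdd")


def field(packet: bytes, phdf: dict, name: str, base: int = 0) -> int:
    """Extract a header field by its PHDF bit offset/length, relative to byte `base` of the packet."""
    bit_off, bit_len = phdf[name]
    start_bit = base * 8 + bit_off
    first, last = start_bit // 8, (start_bit + bit_len - 1) // 8
    chunk = int.from_bytes(packet[first:last + 1], "big")
    shift = (last - first + 1) * 8 - (start_bit - first * 8) - bit_len
    return (chunk >> shift) & ((1 << bit_len) - 1)


def match_ip_udp(pkt: bytes) -> bool:
    """class-map type stack match-all ip-udp (the verify output also shows version 4 and ihl 5)."""
    return (field(pkt, IP_PHDF, "version") == 4
            and field(pkt, IP_PHDF, "ihl") == 5
            and field(pkt, IP_PHDF, "protocol") == 0x11)


def match_slammer(pkt: bytes) -> bool:
    """class-map type access-control match-all slammer: every match line must hold."""
    udp_base = field(pkt, IP_PHDF, "ihl") * 4           # "next udp": UDP header follows the IP header
    return (field(pkt, UDP_PHDF, "dest-port", base=udp_base) == 0x59A   # udp/1434
            and field(pkt, IP_PHDF, "length") == 0x194                  # 404-byte datagram
            and pkt[224:228] == SIGNATURE_PLACEHOLDER)                   # l3-start offset 224, size 4


def fpm_policy(pkt: bytes) -> str:
    """fpm-policy -> class ip-udp -> nested fpm-udp-policy -> class slammer -> drop.
    Anything that does not reach the drop action lands in a class-default and is forwarded."""
    if match_ip_udp(pkt) and match_slammer(pkt):
        return "drop"
    return "forward"


def build_ipv4_udp(dst_port: int, payload: bytes, proto: int = 0x11) -> bytes:
    """Constructed IPv4 packet plus UDP header; checksums stay zero, matching does not look at them."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    udp_hdr = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


# Constructed samples. IP length 0x194 = 404 bytes means 376 payload bytes; IP offset 224 = payload offset 196.
SLAMMER_LIKE = build_ipv4_udp(1434, b"\x00" * 196 + SIGNATURE_PLACEHOLDER + b"\x00" * 176)
SAME_SIZE_NO_SIGNATURE = build_ipv4_udp(1434, b"\x00" * 376)      # port and length match, pattern does not
DNS_QUERY = build_ipv4_udp(53, b"\x12\x34\x01\x00" + b"\x00" * 28)
TCP_SEGMENT = build_ipv4_udp(1434, b"\x00" * 376, proto=0x06)      # not UDP: fails the stack class


def classify_all(packets) -> dict:
    """Per-class packet counters in the spirit of `show policy-map type access-control interface`."""
    counts = {"ip-udp": 0, "slammer": 0, "class-default": 0}
    for p in packets:
        if match_ip_udp(p):
            counts["ip-udp"] += 1
            if match_slammer(p):
                counts["slammer"] += 1
        else:
            counts["class-default"] += 1
    return counts


if __name__ == "__main__":
    samples = [("slammer-like", SLAMMER_LIKE), ("same size, no signature", SAME_SIZE_NO_SIGNATURE),
               ("dns", DNS_QUERY), ("tcp", TCP_SEGMENT)]
    for name, p in samples:
        print(f"{name:24s} -> {fpm_policy(p)}")
    print(classify_all([p for _, p in samples]))
```

Run the file to see the action for each constructed packet. The second sample, which has the right port and length but not the pattern at offset 224, is forwarded: a match-all class requires every match line to hold, which is what keeps the rule from dropping other UDP/1434 datagrams of the same size.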

show flash:*.phdf Command

R1# show flash:
-#- --length date/time path
Jun :23:30 -06:00 ip.phdf
Jun :23:44 -06:00 tcp.phdf
Mar :33:30 -06:00 sdmconfig-18xx.cfg
Mar :34:04 -06:00 sdm.tar
Mar :34:26 -06:00 es.tar
Mar :34:50 -06:00 common.tar
Mar :35:08 -06:00 home.shtml
Mar :35:26 -06:00 home.tar
Mar :35:50 -06:00 128MB.sdf
May :04:20 -06:00 c1841-advsecurityk9-mz T1. bin
Jun :24:02 -06:00 udp.phdf
Jun :24:32 -06:00 icmp.phdf
Jun :24:44 -06:00 ether.phdf
bytes available ( bytes used)

show class-map type Command

router# show class-map type stack
 Class Map type stack match-all ip-udp (id 4)
   Description: match UDP over IP packets
   Match field IP protocol eq 0x11 next UDP

router# show class-map type access-control
 Class Map type access-control match-all slammer (id 5)
   Description: match on slammer packets
   Match field UDP dest-port eq 0x59A
   Match field IP length eq 0x194
   Match start l3-start offset 224 size 4 eq 0x

show policy-map Command

router# show policy-map type access-control
  Policy Map type access-control fpm-udp-policy
    Description: policy for UDP based attacks
    Class slammer
      drop

  Policy Map type access-control fpm-policy
    Description: drop worms and malicious attacks
    Class ip-udp
      service-policy fpm-udp-policy

show policy-map Command (Cont.)

router# show policy-map type access-control interface FastEthernet 0/1
 FastEthernet0/1

  Service-policy access-control input: fpm-policy

    Class-map: ip-udp (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: field IP version eq 4
      Match: field IP ihl eq 5
      Match: field IP protocol eq 0x11 next UDP

      Service-policy access-control : fpm-udp-policy

        Class-map: slammer (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: field UDP dest-port eq 0x59A
          Match: field IP length eq 0x194
          Match: start l3-start offset 224 size 4 eq 0x

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
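Verifying FPM from the interface counters above can be scripted rather than read by eye. The following is an added example, not from the slides: a small parser for the `show policy-map type access-control interface` layout that walks the nested service policies, keys each class map by its policy path so the two `class-default` classes are not confused, and reports how many packets the class with the `drop` action has counted. The excerpt it parses is constructed in the same layout as the slide output, with made-up counter values.

```python
"""Parse `show policy-map type access-control interface` counters (added example, not Cisco code)."""
import re

# Constructed excerpt in the layout of the slide output; the counter values are made up.
SAMPLE_OUTPUT = """\
 FastEthernet0/1

  Service-policy access-control input: fpm-policy

    Class-map: ip-udp (match-all)
      1280 packets, 517120 bytes
      5 minute offered rate 2000 bps
      Match: field IP protocol eq 0x11 next UDP

      Service-policy access-control : fpm-udp-policy

        Class-map: slammer (match-all)
          37 packets, 14948 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: field UDP dest-port eq 0x59A

        Class-map: class-default (match-any)
          1243 packets, 502172 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      4410 packets, 2000000 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

POLICY_RE = re.compile(r"^Service-policy\s+access-control\s+(?:input|output)?\s*:\s*(\S+)")
CLASS_RE = re.compile(r"^Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
COUNT_RE = re.compile(r"^(\d+) packets, (\d+) bytes")


def parse_class_counters(text: str) -> dict:
    """Return {"policy/.../class": {"type", "packets", "bytes"}}, nesting decided by indentation."""
    counters = {}
    policies = []          # stack of (indent, policy name) for the nested service policies
    current = None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        m = POLICY_RE.match(stripped)
        if m:
            while policies and policies[-1][0] >= indent:   # a policy at the same depth closes the old one
                policies.pop()
            policies.append((indent, m.group(1)))
            continue
        m = CLASS_RE.match(stripped)
        if m:
            while policies and policies[-1][0] >= indent:   # back out of a nested policy we have left
                policies.pop()
            current = "/".join(name for _, name in policies) + "/" + m.group(1)
            counters[current] = {"type": m.group(2), "packets": 0, "bytes": 0}
            continue
        m = COUNT_RE.match(stripped)
        if m and current:
            counters[current]["packets"] = int(m.group(1))
            counters[current]["bytes"] = int(m.group(2))
    return counters


def packets_in_class(counters: dict, class_name: str) -> int:
    """Packets counted under every class map with this name, whatever policy it sits in."""
    return sum(v["packets"] for path, v in counters.items() if path.rsplit("/", 1)[-1] == class_name)


if __name__ == "__main__":
    parsed = parse_class_counters(SAMPLE_OUTPUT)
    for path, v in parsed.items():
        print(f"{path:45s} {v['packets']:>8} packets {v['bytes']:>10} bytes")
    print("dropped by slammer class:", packets_in_class(parsed, "slammer"))
```

A non-zero count in the `slammer` class is the number to watch: polling this output and alerting when it grows is the cheapest way to see that the policy applied on Fa0/1 is actually hitting traffic.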

Troubleshooting FPM

router# debug fpm event
*Jun 21 09:22:21.607: policy-classification-inline(): matches class: class-default
*Jun 21 09:22:21.607: packet-access-control(): policy-map: fpm-policy, dir: input, match. retval: 0x0, ip-flags: 0x

Summary

There have been many well-known attacks that have affected the data plane of infrastructure devices.
There are several tools used to secure the data plane.
FPM is one tool used to protect the data forwarding plane.
There are several steps used to configure FPM.
There are several show commands used to verify FPM.
Debug commands are used to troubleshoot FPM.
