
Protect the Control Plane – part 1, trivial attack.



02.05.2016

How many of you use the control plane protection features that vendors ship with their platforms? From what I see, using CoPP is a very rare practice. Most network people haven’t even heard of it. “Because my network performs well, why should I protect the control plane?” I need to start with a few words about what the control plane (CP) is. The CP is the area of device logic responsible for making decisions, processing protocols (routing, switching) and responding to requests (e.g. with an ICMP echo reply). In short, the CP is like the brain of the device (you can also think of the CP as the CPU; in some respects this makes sense). As is now becoming clear, we have something important to lose when the CP is not properly protected. I will give you a quick example. Taking a well-known high-end platform, the Cisco Catalyst 6509, as the stable core of the network, and any other device or PC that can generate ICMP packets, I will show you how quickly the core can become weak and unstable.

Let’s generate large ICMP packets by sending an oversized PING (ICMP echo, type 8 code 0); some say the attack is similar to the “Ping of Death”.

Dev1# ping 10.197.255.1 repeat 10000 time 1 size 12000

Then observe the CPU usage of our high-end platform:

CORE1#sh processes cpu history

[Image: output of the command above, showing the CPU history of CORE1]

Just look at that: we drove the CPU of the CORE platform up to 97% utilization by sending nothing more than PING packets of size 12000. Now imagine what would happen if the CORE were also handling multiple BGP sessions, OSPF sessions or other CPU-related functions at the same time.
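To catch this condition from the monitoring side, the following added example (not part of the original article) parses the summary line of `show processes cpu` collected at regular intervals and reports sustained high-CPU periods while ignoring single-sample spikes. The function names, the 80% threshold, the three-sample window and the sample lines are assumptions constructed for illustration.

```python
import re

# Summary line at the top of `show processes cpu` on Cisco IOS, e.g.
#   CPU utilization for five seconds: 97%/4%; one minute: 25%; five minutes: 9%
# First figure: total load. Second figure: share spent at interrupt level.
CPU_LINE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)

def parse_cpu_line(line):
    """Return the utilization figures as a dict, or None if the line does not match."""
    m = CPU_LINE.search(line)
    if not m:
        return None
    total, intr, one_min, five_min = map(int, m.groups())
    return {"total": total, "interrupt": intr, "process": total - intr,
            "one_min": one_min, "five_min": five_min}

def find_cpu_alerts(samples, threshold=80, sustain=3):
    """Return (first_ts, last_ts, peak) for every run of at least `sustain`
    consecutive samples whose total CPU is at or above `threshold` percent."""
    alerts, run = [], []

    def close_run():
        if len(run) >= sustain:
            alerts.append((run[0][0], run[-1][0], max(t for _, t in run)))
        run.clear()

    for ts, line in samples:
        stats = parse_cpu_line(line)
        if stats is None:
            continue  # not a summary line, ignore it
        if stats["total"] >= threshold:
            run.append((ts, stats["total"]))
        else:
            close_run()
    close_run()
    return alerts

# Constructed samples (timestamp, collected line); not output from a real device.
SAMPLES = [
    ("10:00:00", "CPU utilization for five seconds: 6%/1%; one minute: 5%; five minutes: 5%"),
    ("10:00:05", "CPU utilization for five seconds: 85%/2%; one minute: 11%; five minutes: 6%"),
    ("10:00:10", "CPU utilization for five seconds: 7%/1%; one minute: 11%; five minutes: 6%"),
    ("10:00:15", "CPU utilization for five seconds: 91%/3%; one minute: 18%; five minutes: 7%"),
    ("10:00:20", "CPU utilization for five seconds: 97%/4%; one minute: 25%; five minutes: 9%"),
    ("10:00:25", "CPU utilization for five seconds: 95%/4%; one minute: 31%; five minutes: 10%"),
    ("10:00:30", "CPU utilization for five seconds: 8%/1%; one minute: 29%; five minutes: 10%"),
]

if __name__ == "__main__":
    for start, end, peak in find_cpu_alerts(SAMPLES):
        print(f"sustained high CPU from {start} to {end}, peak {peak}%")
```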

Note! In the next article, “Protect the Control Plane – part 2, CoPP.”, I show how to quickly prevent this cause of potential network and service damage.

Author

Marcin Bialy

Marcin Biały is a Network and Security Architect with over 10 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLIs and GUIs of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CSSI, FCNSP, FCNSA and more.
