CCIE Security V4 Technology Labs Section 1:
System Hardening and Availability
Control Plane Policing
Last updated: May 3, 2013
Task
Load the starting configuration files for this task.
Using Control Plane Policing, prevent R3 from being flooded with UDP DoS attack packets.
UDP packets should be limited to 16 Kbps.
Other traffic to the router should be left unimpeded.
Explanation and Verification
The router itself is susceptible to attack when UDP packets are flooded at or near line rate with the
intention of overwhelming the recipient. If these packets are destined for the router itself, each
packet gets punted from hardware to software processing. This consumes expensive CPU and
memory resources.
You can begin this task by getting a baseline. Look at the CPU on R3 with nothing happening in the
network.
R3#sh proc
R3#sh processes cpu sorted
CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 1%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
114 8 296567 0 0.55% 0.54% 0.54% 0 Ethernet Msec Ti
12 24 33 727 0.23% 0.03% 0.00% 0 Exec
138 16 74435 0 0.15% 0.11% 0.10% 0 IPAM Manager
66 8 2392 3 0.07% 0.02% 0.00% 0 Per-Second Jobs
284 4 72684 0 0.07% 0.06% 0.07% 0 MMON MENG
142 176 659 267 0.07% 0.04% 0.01% 0 IP Input
6 3248 349 9306 0.00% 0.12% 0.11% 0 Check heaps
7 0 1 0 0.00% 0.00% 0.00% 0 Pool Manager
8 0 1 0 0.00% 0.00% 0.00% 0 DiscardQ Backgro
10 4 80 50 0.00% 0.00% 0.00% 0 WATCH_AFS
Next, on the Test PC, launch a UDP flood against R3's IP address using UDP Unicorn.
Now look at the CPU again.
R3#
R3#sh processes cpu sorted
CPU utilization for five seconds: 87%/29%; one minute: 65%; five minutes: 25%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
142 80924 7339 11026 55.95% 41.62% 15.64% 0 IP Input
6 3868 407 9503 0.95% 0.21% 0.13% 0 Check heaps
114 2420 330309 7 0.47% 0.56% 0.55% 0 Ethernet Msec Ti
48 340 3971 85 0.31% 0.18% 0.07% 0 Net Background
138 552 83649 6 0.15% 0.12% 0.11% 0 IPAM Manager
301 24 2706 8 0.07% 0.00% 0.00% 0 Crypto Device Up
284 380 82542 4 0.07% 0.08% 0.07% 0 MMON MENG
185 4 50 80 0.07% 0.00% 0.00% 0 IP Background
9 0 2 0 0.00% 0.00% 0.00% 0 Timers
10 4 81 49 0.00% 0.00% 0.00% 0 WATCH_AFS
8 0 1 0 0.00% 0.00% 0.00% 0 DiscardQ Backgro
As you can see, even this small flood has increased the CPU load substantially. Now we
can deploy the required policing.
Control-plane policing is configured with the same MQC command set used for QoS: class-map,
policy-map, and service-policy. Create the required elements and apply the policy to the
control plane, as shown below.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip access-l extended UDP-Floods
R3(config-ext-nacl)#permit udp any any
R3(config-ext-nacl)#exit
R3(config)#class-map match-all UDP
R3(config-cmap)#match access-group name UDP-Floods
R3(config-cmap)#
R3(config-cmap)#policy-map 1.8
R3(config-pmap)#class UDP
R3(config-pmap-c)#police 16000 conform-action transmit exceed-action drop
R3(config-pmap-c-police)#exit
R3(config-pmap-c)#
R3(config-pmap-c)#control-plane
R3(config-cp)#serv
R3(config-cp)#service-policy input 1.8
R3(config-cp)#end
R3#
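The police statement above is a single-rate policer: a token bucket bc bytes deep (1500 bytes by default, as the show output below confirms) that refills at cir/8 bytes per second, transmitting a packet only when enough tokens remain and dropping it otherwise. The model below is an added example written for this page, not workbook or Cisco IOS code; the 1000 pps flood of 1468-byte packets and the one-packet-per-second background stream are constructed inputs.

```python
"""Model of the single-rate policer behind 'police 16000 conform-action transmit
exceed-action drop' with the default bc of 1500 bytes.
Added example for this page; not code from the workbook or from Cisco IOS."""
from dataclasses import dataclass, field


@dataclass
class SingleRatePolicer:
    """Single token bucket: depth bc bytes, refilled at cir/8 bytes per second."""
    cir_bps: int
    bc_bytes: int = 1500
    tokens: float = field(init=False, default=0.0)
    last_ms: int = field(init=False, default=0)
    conformed_pkts: int = field(init=False, default=0)
    conformed_bytes: int = field(init=False, default=0)
    exceeded_pkts: int = field(init=False, default=0)
    exceeded_bytes: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)  # the bucket starts full

    def offer(self, now_ms: int, size: int) -> str:
        """Police one packet of 'size' bytes arriving at time now_ms (milliseconds)."""
        # Add tokens for the time elapsed since the last packet, capped at bc.
        refill = (now_ms - self.last_ms) * self.cir_bps / 8000.0
        self.tokens = min(float(self.bc_bytes), self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:          # enough tokens: conform-action transmit
            self.tokens -= size
            self.conformed_pkts += 1
            self.conformed_bytes += size
            return "transmit"
        self.exceeded_pkts += 1          # not enough tokens: exceed-action drop
        self.exceeded_bytes += size
        return "drop"


def run_stream(pps: int, size: int, seconds: int,
               cir_bps: int = 16000, bc_bytes: int = 1500) -> dict:
    """Offer an evenly spaced stream of pps packets/s of 'size' bytes; return counters."""
    pol = SingleRatePolicer(cir_bps, bc_bytes)
    for i in range(pps * seconds):
        pol.offer(i * 1000 // pps, size)      # arrival time of packet i in ms
    return {
        "conformed_pkts": pol.conformed_pkts,
        "exceeded_pkts": pol.exceeded_pkts,
        "conformed_bps": pol.conformed_bytes * 8 / seconds,
        "exceeded_bps": pol.exceeded_bytes * 8 / seconds,
    }


if __name__ == "__main__":
    # Constructed flood: 1000 pps of 1468-byte UDP packets (about 11.7 Mbps) for 10 s.
    print("flood :", run_stream(1000, 1468, 10))
    # Constructed background: one 100-byte UDP packet per second passes untouched.
    print("normal:", run_stream(1, 100, 10))
```

With the flood, only 14 of 10000 packets conform (roughly 16.4 kbps, the extra coming from the initially full bucket) and the rest are dropped before they reach the process-switched path; the low-rate stream never exhausts the bucket. Note that the ACL permits udp any any, so any legitimate UDP traffic destined to the router's own addresses shares the same 16 Kbps budget with the flood; the task accepts that, but in production the class would normally be narrowed to exclude required management and routing protocols.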
Look at the service-policy to see how it's applied.
R3#show policy-map control-plane
Control Plane
Service-policy input: 1.8
Class-map: UDP (match-all)
3 packets, 417 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name UDP-Floods
police:
cir 16000 bps, bc 1500 bytes
conformed 3 packets, 417 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
5 packets, 444 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R3#
Relaunch the attack and check the service-policy again.
R3#show policy-map control-plane
Control Plane
Service-policy input: 1.8
Class-map: UDP (match-all)
45984 packets, 67450959 bytes
5 minute offered rate 1522000 bps, drop rate 1521000 bps
Match: access-group name UDP-Floods
police:
cir 16000 bps, bc 1500 bytes
conformed 25 packets, 21664 bytes; actions:
transmit
exceeded 45959 packets, 67429295 bytes; actions:
drop
conformed 5000 bps, exceed 12843000 bps
Class-map: class-default (match-any)
10 packets, 896 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
As you can see, the policy is being matched. Now look at the CPU again.
R3#sh processes cpu sorted
CPU utilization for five seconds: 56%/56%; one minute: 11%; five minutes: 10%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
114 4860 385470 12 3.67% 1.16% 0.68% 0 Ethernet Msec Ti
138 1008 97289 10 0.79% 0.23% 0.14% 0 IPAM Manager
284 660 96315 6 0.31% 0.13% 0.09% 0 MMON MENG
113 300 20670 14 0.23% 0.05% 0.00% 0 Ethernet Timer C
153 148 3056 48 0.15% 0.02% 0.00% 0 OSPF-1 Router
307 124 15726 7 0.15% 0.03% 0.00% 0 Atheros LED Ctro
18 56 3072 18 0.15% 0.01% 0.00% 0 IPC Deferred Por
12 308 536 574 0.15% 0.06% 0.02% 0 Exec
226 84 6019 13 0.07% 0.00% 0.00% 0 CCE DP URLF cach
79 252 12355 20 0.07% 0.02% 0.00% 0 Netclock Backgro
43 52 3085 16 0.07% 0.00% 0.00% 0 GraphIt
As you can see, the flood is kept at bay by the policer.
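The show policy-map control-plane output is the evidence that the policer is doing its job, and it is worth pulling the per-class counters out of it mechanically rather than reading them by eye. The parser below is an added example for this page, not workbook or Cisco code; the embedded sample is the second show output from this task with the indentation that IOS prints restored, and the class, counter and rate line formats are taken from that output.

```python
"""Parse 'show policy-map control-plane' output and report which CoPP classes
are currently dropping traffic. Added example; not code from the workbook."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the second show output from the task, captured during the
# flood, with the indentation IOS prints restored.
SAMPLE = """\
Control Plane

  Service-policy input: 1.8

    Class-map: UDP (match-all)
      45984 packets, 67450959 bytes
      5 minute offered rate 1522000 bps, drop rate 1521000 bps
      Match: access-group name UDP-Floods
      police:
          cir 16000 bps, bc 1500 bytes
        conformed 25 packets, 21664 bytes; actions:
          transmit
        exceeded 45959 packets, 67429295 bytes; actions:
          drop
        conformed 5000 bps, exceed 12843000 bps

    Class-map: class-default (match-any)
      10 packets, 896 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""


@dataclass
class ClassStats:
    name: str
    packets: int = 0
    bytes: int = 0
    offered_bps: int = 0
    drop_bps: int = 0
    cir_bps: Optional[int] = None        # None when the class has no policer
    conformed_pkts: Optional[int] = None
    exceeded_pkts: Optional[int] = None


_CLASS = re.compile(r"Class-map: (\S+) \((match-all|match-any)\)")
_COUNT = re.compile(r"^(\d+) packets, (\d+) bytes$")     # class totals only
_RATE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
_CIR = re.compile(r"^cir (\d+) bps")
_CONF = re.compile(r"^conformed (\d+) packets")          # skips 'conformed N bps'
_EXC = re.compile(r"^exceeded (\d+) packets")


def parse_copp(text: str) -> List[ClassStats]:
    """Return one ClassStats per Class-map block, in the order printed."""
    classes: List[ClassStats] = []
    cur: Optional[ClassStats] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CLASS.match(line)
        if m:
            cur = ClassStats(name=m.group(1))
            classes.append(cur)
            continue
        if cur is None:
            continue                      # header lines before the first class
        if (m := _COUNT.match(line)):
            cur.packets, cur.bytes = int(m.group(1)), int(m.group(2))
        elif (m := _RATE.search(line)):
            cur.offered_bps, cur.drop_bps = int(m.group(1)), int(m.group(2))
        elif (m := _CIR.match(line)):
            cur.cir_bps = int(m.group(1))
        elif (m := _CONF.match(line)):
            cur.conformed_pkts = int(m.group(1))
        elif (m := _EXC.match(line)):
            cur.exceeded_pkts = int(m.group(1))
    return classes


def dropping_classes(classes: List[ClassStats]) -> List[str]:
    """Names of policed classes whose 5-minute drop rate is non-zero."""
    return [c.name for c in classes if c.exceeded_pkts and c.drop_bps > 0]


def drop_fraction(c: ClassStats) -> float:
    """Share of a policed class's packets that hit exceed-action drop."""
    if not c.packets or c.exceeded_pkts is None:
        return 0.0
    return c.exceeded_pkts / c.packets


if __name__ == "__main__":
    for c in parse_copp(SAMPLE):
        print(f"{c.name:14} offered {c.offered_bps:>9} bps  "
              f"drop {c.drop_bps:>9} bps  dropped {drop_fraction(c):.1%}")
    print("dropping:", dropping_classes(parse_copp(SAMPLE)))
```

Run against the sample, the UDP class shows 99.9% of its packets dropped while class-default reports no drops, which is exactly the "other traffic unimpeded" condition the task asks for; polling the same output periodically and alerting when a class first appears in dropping_classes turns the verification step into a simple detection check.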