The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-216650	SRG-NET-000362-RTR-000110	CISC-RT-000120	SV-216650r1050897_rule	2024-11-25	3

Description
The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages. A DoS attack targeting the RP can result in excessive CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic that is destined to the RP. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic, as well as limiting traffic destined to the device. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

Description

The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages. A DoS attack targeting the RP can result in excessive CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic that is destined to the RP. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic, as well as limiting traffic destined to the device. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

ℹ️ Check
Review the Cisco router configuration to verify it is compliant with this requirement. Step 1: To verify that the CoPP policy map has been saved, issue the "show running-config" command in privileged EXEC mode and verify the following line exists in the output. policy-map system-cpp-policy Step 2: To view the policy map and verify the correct policer rates are set according to organization-defined standards, run the following command. show policy-map control-plane Note: Starting from Cisco IOS XE Fuji 16.8.1a, the creation of user-defined class-maps is not supported. One can only enable/disable a CPU queue or change the policer rate of a CPU queue. If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.

ℹ️ Check

Review the Cisco router configuration to verify it is compliant with this requirement. Step 1: To verify that the CoPP policy map has been saved, issue the "show running-config" command in privileged EXEC mode and verify the following line exists in the output. policy-map system-cpp-policy Step 2: To view the policy map and verify the correct policer rates are set according to organization-defined standards, run the following command. show policy-map control-plane Note: Starting from Cisco IOS XE Fuji 16.8.1a, the creation of user-defined class-maps is not supported. One can only enable/disable a CPU queue or change the policer rate of a CPU queue. If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.

✔️ Fix
Configure the Cisco router to protect against known types of DoS attacks on the route processor. Step 1: Configure the default policer rates for all control plane CPU queues and save the configuration. Device> enable Device# configure terminal Device(config)# cpp system-default Defaulting CPP : Policer rate for all classes will be set to their defaults Device(config)# end Device# copy running-configuration startup-configuration Step 2: View the policy map and verify the correct policer rates are set according to organization-defined standards. show policy-map control-plane Step 3: Change any policer rates to match the organization-defined standards. Note: Starting from Cisco IOS XE Fuji 16.8.1a, the creation of user-defined class-maps is not supported. One can only enable/disable a CPU queue or change the policer rate of a CPU queue.

✔️ Fix

Configure the Cisco router to protect against known types of DoS attacks on the route processor. Step 1: Configure the default policer rates for all control plane CPU queues and save the configuration. Device> enable Device# configure terminal Device(config)# cpp system-default Defaulting CPP : Policer rate for all classes will be set to their defaults Device(config)# end Device# copy running-configuration startup-configuration Step 2: View the policy map and verify the correct policer rates are set according to organization-defined standards. show policy-map control-plane Step 3: Change any policer rates to match the organization-defined standards. Note: Starting from Cisco IOS XE Fuji 16.8.1a, the creation of user-defined class-maps is not supported. One can only enable/disable a CPU queue or change the policer rate of a CPU queue.