thierolf.org - Vom Hirn ins Terminal seit 1998.

Login-Block (DoS and Dict-Attack Protection) in Cisco IOS

Written by Stefan on . Modified on . Posted in Blog. Tags: #cisco  #network  #security 

1. Introduction

Cisco offers a method to protect against DoS (Denial-of-Service) and Dictionary attacks for IOS devices. This feature is described in detail at Chapter: Cisco IOS Login Enhancements-Login Block. If a DoS or Dictionary attack happens, the switch or router is creating an Access Control List called sl_def_acl which blocks during the defined time period the protocols TELNET, HTTP and SSH.

2. Check Login-Block configuration

By default Login-Block is disabled and can be verified with the command show login.


    #show login
       No login delay has been applied.
       No Quiet-Mode access list has been configured.

       Router NOT enabled to watch for login Attacks

To test the behavior of the disabled Login-Block, I’m going to attack the switch with a password cracking tool called Hydra. In this case I’m using a simple wordlist with default passwords for a couple of routers. This wordlist contains 51 passwords and therefore Hydra runs all 51 login attacks.

Hydra Attack when Login-Block is disabled

The logging output of the switch shows therefore all connection attempts by SSH and the failed user and password logins.

Output of Hydra Attack when Login-Block is disabled

3. Configure Access Control List with Management IP

Because the Login-Block Access Control List sl_def_acl is dropping during the attack all connection attempts and therefore no administrative access is possible. To avoid this problem, an Access Control List with Management IP addresses must be applied. This Access Control List might look like this and is applied to login quiet-mode:


    #conf t
      ip access-list extended LOGIN_ACCESS
        permit ip host [IP_OF_MGMT_HOST] any
        permit ip host [IP_OF_MGMT_HOST] any
        permit ip host [IP_OF_MGMT_HOST] any
      !

4. Configure Login-Block

The following commands configure the Login-Block for 60 seconds, 5 attempts within 10 seconds. Failed and successful logins should be logged and the Access Control List for the Management IP addresses is applied:


    #conf t
      ! 60 seconds / 5 attempts / 10 seconds
      login block-for 60 attempts 5 within 10
      login delay 1
      login on-failure log
      login on-success log
      login quiet-mode access-class LOGIN_ACCESS

A show login command shows that Login-Block is now active.


    #show login
      A login delay of 1 seconds is applied.
      Quiet-Mode access list LOGIN_ACCESS is applied.
      All successful login is logged.
      All failed login is logged.

      Router enabled to watch for login Attacks.
      If more than 5 login failures occur in 10 seconds or less,
      logins will be disabled for 60 seconds.

      Router presently in Normal-Mode.
      Current Watch Window remaining time 4 seconds.
      Present login failure count 0.

5. Testing Login-Block

Again I’m using Hydra for a dictionary attack but this time the attack tool stops with an error:

Hydra Attack when Login-Block is enabled

The logging output of the switch shows now that Login-Block and the Quiet-Mode with the Access Control List with the Management IP is active. Also the failed login attempts stopped after 5 failures (5 attempts defined).

Output of Hydra Attack when Login-Block is enabled

During the attack, the command show login now shows that the device is in Quiet-Mode.


    #show login
      A login delay of 1 seconds is applied.
      Quiet-Mode access list LOGIN_ACCESS is applied.
      All successful login is logged.
      All failed login is logged.

      Router enabled to watch for login Attacks.
      If more than 5 login failures occur in 10 seconds or less,
      logins will be disabled for 60 seconds.

      Router presently in Quiet-Mode.
      Will remain in Quiet-Mode for 53 seconds.
      Restricted logins filtered by applied ACL LOGIN_ACCESS.

Conclusion: Quick and cheap solution to prevent DoS and Dictionary Attacks on Cisco switches and routers.