Stop Your Network from Being Used as a Broadcast Amplification Site
This section describes how to ensure that your network cannot be used as a Broadcast Amplification Site
to flood other networks with DoS traffic such as the "smurf" attack.
The no ip directed-broadcast command is the default in Cisco IOS software
version 12.0 and later. For earlier versions you will need to set "no ip
directed-broadcast" on each interface on the router that has an IP address. To
find out which interfaces those are, use the "show ip interface brief" command. Then
go to each interface and issue the "no ip directed-broadcast" command.
router# configure terminal
router(config)# interface Ethernet0
router(config-if)# no ip directed-broadcast
router(config-if)# interface Serial0.1
router(config-subif)# no ip directed-broadcast
router(config-subif)#^Z
router# write
Test your network to determine if it is an amplification site
To test whether your network is acting as an amplification site, you can
use the "ping" command to send an ICMP Echo Request packet to the Broadcast
IP Address of your network(s).
First you will need to determine your Broadcast IP Address. If you do not know
what this is, you can use any of the following commands to find out. Note that
you will need to determine all of the Broadcast IP Addresses in use on your
network(s), so you may need to do this on multiple systems.
Once you have determined your Broadcast IP Address(es), test them using the
"ping" command to send an ICMP Echo Request packet from a network external to
the one you are testing.
For example, if you are testing your corporate or enterprise network(s), you
could log in to an external dial-up ISP account.
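Working out the broadcast address of each interface by hand, and then checking whether that interface still forwards directed broadcasts, is exactly the step the procedure above leaves to the reader. The following script is an added example (not part of the original page) that does it from a saved running-config: it parses each interface's "ip address" line, computes the directed-broadcast address, and reports whether directed broadcasts are forwarded, taking the IOS 12.0 default change into account. The config text is constructed for the example.

```python
import ipaddress
import re

# Constructed sample running-config (not from the page). Serial0.1 lacks the
# "no ip directed-broadcast" line that the procedure above adds.
SAMPLE_CONFIG = """\
version 11.2
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0.1 point-to-point
 ip address 198.51.100.129 255.255.255.192
!
interface Loopback0
 no ip address
"""

def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            sections[current] = []
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())
        else:
            current = None          # '!' or a global line ends the section
    return sections

def directed_broadcast_report(config, ios_before_12=True):
    """For each interface with an IPv4 address, return
    (directed-broadcast address, True if directed broadcasts are forwarded).
    On IOS < 12.0 forwarding is on unless 'no ip directed-broadcast' is set;
    on 12.0+ it is off unless 'ip directed-broadcast' is explicitly set."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        addr = None
        for l in lines:
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", l)
            if m:   # ipaddress accepts a dotted netmask after the slash
                addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        if addr is None:
            continue                # no IPv4 address, nothing to amplify through
        if "no ip directed-broadcast" in lines:
            forwards = False
        elif any(l.startswith("ip directed-broadcast") for l in lines):
            forwards = True         # explicitly enabled (optionally with an ACL)
        else:
            forwards = ios_before_12    # platform default applies
        report[name] = (str(addr.network.broadcast_address), forwards)
    return report

if __name__ == "__main__":
    for iface, (bcast, fwd) in directed_broadcast_report(SAMPLE_CONFIG).items():
        print(f"{iface}: broadcast {bcast}, forwards directed broadcasts: {fwd}")
```

Interfaces reported with forwarding set to True are the ones whose broadcast address the ping test above would reach; run the script again with ios_before_12=False for a 12.0+ router, where only an explicit "ip directed-broadcast" line turns forwarding on.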
External Tests:
http://www.powertech.no/smurf/
Summary:
To protect against a "smurf" attack use the following command:
no ip directed-broadcast
--------------------------------------------------------------------------------
Other easy security measures are:
no service tcp-small-servers
no service udp-small-servers
There are various ports that are normally open on a Cisco Router that can be
easily turned off to further lock down the router. These ports are as follows:
echo (TCP and UDP) - port 7
chargen (TCP and UDP) - port 19
daytime (TCP only) - port 13
discard (TCP and UDP) - port 9
finger - port 79
bootp - port 67/68
These can be turned off by the commands:
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
--------------------------------------------------------------------------------
Securing Cisco Routers
http://www.informit.com/articles/article.asp?p=102180&seqNum=1
Securing Routers by Disabling Unused Router Services and Interfaces
On Cisco routers, a whole bunch of services come enabled by default. As a
network security expert, your first order of business is to ensure that
the unused services are disabled.
bootp
bootp is enabled by default, and if you are not using it, you should definitely
disable it. You can use the no ip bootp server command in global configuration
mode to disable bootp on your routers:
router(config)# no ip bootp server
CDP
Cisco Discovery Protocol (CDP) is also enabled by default, and we highly
recommend that you disable this service on the router globally. You can disable
CDP globally by using the no cdp run command in global configuration mode, or
you can disable CDP on a per-interface basis by using the no cdp enable command
in interface configuration mode:
router(config)#no cdp run
router(config-if)#no cdp enable
CAUTION:
The no cdp run command disables CDP globally on the routers.
ip classless
The ip classless command is enabled on Cisco routers by default in version
12.0 and higher. It allows the router to advertise the subnetted addresses
to its neighbors. Disable ip classless if your network does not have a subnetted
range of IP addresses. If you are subnetting a block of IP addresses allocated to
you by the American Registry for Internet Numbers (ARIN), you should ensure
that ip classless is enabled. You can learn more about ARIN at
http://www.arin.net:
router(config)#no ip classless
DNS
Domain Name System (DNS) lookup is enabled by default on Cisco routers, and if
you are not implementing DNS lookup on your network, it is highly advisable to
disable this feature globally by using the no ip domain-lookup command:
router(config)#no ip domain-lookup
finger
The finger command is enabled by default and can be used to see what users are
logged on to the network device. The finger command has been documented in RFC
742, and you should globally disable the finger command on network devices:
router(config)#no ip finger
CAUTION:
The no service finger command has been replaced by the no ip finger
command.
HTTP
Cisco routers can be accessed via a Web page, and unless you are implementing
authentication proxy, we highly recommend that you turn off the HTTP service
running on the router. You can use the no ip http server command to disable it.
If you want to implement HTTP-based management, we recommend that you implement
HTTP authentication and limit the HTTP connections to the router using ACLs.
ip mask-reply
By default, the ip mask-reply command is disabled on all Cisco routers. The
mask replies respond to Internet Control Message Protocol (ICMP) mask requests
by sending out ICMP mask replies, and these mask replies contain important
network information. If mask replies are enabled, make sure you disable them
on the router by using the no ip mask-reply command in interface configuration
mode:
router(config-if)#no ip mask-reply
IP-Directed Broadcast
The IP-directed broadcast is another service that is commonly used in Smurf
attacks. Smurf attacks send ICMP echo requests from a spoofed source address
to a directed broadcast address, causing all hosts to respond to the echo
request and creating a lot of traffic on the network. By default on IOS version
12.0 and higher, ip directed-broadcast is disabled; if you are running any
version lower than 12.0, it is imperative that you disable IP directed
broadcasts on the router by issuing the following command in interface
configuration mode:
router(config-if)#no ip directed-broadcast
IP Source Routing
IP source routing allows the sender of an IP packet to control the route that
packet will take to reach the destination endpoint. By default, IP source
routing is disabled on the routers and should only be enabled if your network
needs call for it. The following command disables IP source routing on the
router globally:
router(config)#no ip source-route
IP Unreachable
IP unreachable messages can be used to map out the network topology, and they
should be disabled on all interfaces. You can disable IP unreachables on all
interfaces by issuing the following command in interface configuration mode:
router(config-if)#no ip unreachables
CAUTION:
IP unreachables should be disabled on all interfaces connected to
insecure networks.
Small Servers
Cisco classifies echo, chargen, daytime, and discard as small services and
recommends that these services be disabled on the router. On versions 11.3
or higher, the small server service is disabled by default.
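The global commands collected in the sections above (small servers, finger, bootp, CDP, source routing, DNS lookup, HTTP) can be checked against a saved running-config. The following script is an added example (not part of the original article): it reports which hardening lines are absent and which lines explicitly re-enable a service, treats the older "no service finger" as equivalent to "no ip finger" per the caution above, and does not count the small-servers lines as missing on 11.3 or higher, where that is the default and the line does not appear in the config. The config text is constructed for the example.

```python
import re

# Constructed sample of the global part of a running-config (not from the page).
SAMPLE_GLOBAL_CONFIG = """\
version 12.0
no service udp-small-servers
no service finger
no cdp run
ip http server
no ip source-route
no ip domain-lookup
"""

# Hardening line -> alternative spellings that count as equivalent.
REQUIRED_GLOBAL = {
    "no service tcp-small-servers": (),
    "no service udp-small-servers": (),
    "no ip finger": ("no service finger",),  # older form, replaced by no ip finger
    "no ip bootp server": (),
    "no cdp run": (),
    "no ip source-route": (),
    "no ip domain-lookup": (),
    "no ip http server": (),
}
# Lines that are the default (and therefore absent from the config) from this
# IOS version on; the page states 11.3 for the small servers.
DEFAULT_OFF_SINCE = {
    "no service tcp-small-servers": (11, 3),
    "no service udp-small-servers": (11, 3),
}
# Lines whose presence explicitly turns a service back on.
ENABLING_LINES = {"ip http server", "service tcp-small-servers",
                  "service udp-small-servers", "cdp run", "ip source-route",
                  "ip bootp server", "ip finger", "ip domain-lookup", "ip http server"}

def ios_version(config):
    """Parse the 'version X.Y' line; (0, 0) if absent (treated as old)."""
    m = re.search(r"^version (\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def audit_global_services(config):
    """Return {'missing': [hardening lines not set], 'enabled': [explicit enables]}."""
    ver = ios_version(config)
    lines = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}
    missing = [cmd for cmd, alts in REQUIRED_GLOBAL.items()
               if cmd not in lines and not any(a in lines for a in alts)
               and ver < DEFAULT_OFF_SINCE.get(cmd, (99, 0))]
    return {"missing": missing, "enabled": sorted(lines & ENABLING_LINES)}
```

A line in "missing" means the hardened form is not explicitly present; for a service that is off by default on the router's release, confirm the state with the relevant show command rather than treating it as a finding.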