Chapter 26
Protecting the Router from DoS Attacks
Cisco 10000 Series Router Software Configuration Guide, OL-2226-23
Internet service providers (ISPs) and other Cisco customers face increasing Denial of Service (DoS)
attacks associated with IP options set in the IP header of packets. Cisco IOS routers use the Route
Processor (RP) to process IP options packets, which can become problematic during a DoS attack. To
protect the router, the Cisco 10000 series router supports the dropping of packets with IP options.
This chapter discusses the following topics:
• IP Options Selective Drop, page 26-1
• Restrictions for IP Options Selective Drop, page 26-2
• How to Configure IP Options Selective Drop, page 26-2
• Configuration Examples for IP Options Selective Drop, page 26-3
• Related Documentation, page 26-4
IP Options Selective Drop
The IP Options Selective Drop feature enables you to protect your network routers in the event of a
denial of service (DoS) attack. Hackers who initiate such attacks commonly send large streams of
packets with IP options. By dropping the packets with IP options, you can reduce the load of IP options
packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on
downstream routers.
Internet service providers (ISPs) and other Cisco customers face increasing DoS attacks associated with
IP options set in the IP header. Cisco IOS routers are susceptible to DoS attacks because of the way in
which the routers process IP options. The hardware-based forwarding engine of Cisco IOS routers
cannot handle IP options; therefore, the forwarding engine forwards the IP options packets to the route
processor (RP). Similarly, most of the line cards forward IP option packets to the RP. The software-based
RP processes the packets and performs the extra processing that the IP options packets require.
Processing IP options packets in the RP can become problematic. Software-switching of IP options
packets can lead to a serious security problem if a Cisco IOS router comes under a DoS attack by a hacker
sending large streams of packets with IP options. The RP can easily become overloaded and drop high
priority or routing protocol packets. Switching packets in software slows down the switching speed of
the router and increases the router’s vulnerability to resource saturation. Some types of IP options, such
as the Router Alert option, can be especially harmful to the router when forwarded to the RP.
By default, Cisco IOS software processes packets with IP options, as required by RFC 1812, Requirements
for IP Version 4 Routers. The IP Options Selective Drop feature provides the ability to drop packets with
IP options in the forwarding engine so that they are not forwarded to the RP. This results in a minimized
load on the RP and reduced RP processing requirements.
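The text above describes the mechanism behind the feature: a packet "with IP options" is one whose IPv4 header is longer than the fixed 20 bytes (IHL field greater than 5), and the hardware forwarding path punts such packets to the RP, with Router Alert (option type 148, RFC 2113) singled out as especially costly. The following is an added example, not code from the Cisco guide: a small Python parser that inspects an IPv4 header, reports whether it carries options, enumerates the option type codes, and classifies the packet as fast-path or RP-punt the way a capture-analysis or telemetry script on a monitoring host might. The packet bytes are constructed inline for the example, the checksum is left at zero, and the classification labels are this example's own names, not Cisco terminology.

```python
import struct

# IPv4 option type codes (RFC 791 single-byte options, RFC 2113 Router Alert).
OPT_EOL = 0            # End of Option List: terminates option parsing
OPT_NOP = 1            # No Operation: one-byte padding, no length field
OPT_ROUTER_ALERT = 148 # 0x94: the option the guide flags as especially harmful when punted


def parse_ipv4_options(packet: bytes) -> dict:
    """Return header length, whether options are present, and the option type codes.

    A hardware forwarding engine that handles only the 20-byte fixed header
    will punt anything with IHL > 5 to the route processor.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 5:
        raise ValueError("invalid IHL")
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("header length exceeds packet length")
    options = packet[20:header_len]
    types = []
    i = 0
    while i < len(options):
        t = options[i]
        if t == OPT_EOL:
            break
        types.append(t)
        if t == OPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option missing length byte")
        length = options[i + 1]   # multi-byte option: type, length, data...
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        i += length
    return {"header_len": header_len, "has_options": header_len > 20, "option_types": types}


def classify(packet: bytes) -> str:
    """Label a packet by the path it would take on a router that punts IP options."""
    info = parse_ipv4_options(packet)
    if not info["has_options"]:
        return "fast-path"
    if OPT_ROUTER_ALERT in info["option_types"]:
        return "punt-router-alert"
    return "punt-options"


def summarize(packets) -> dict:
    """Count classifications over a batch of packets; malformed headers get their own bucket."""
    counts = {}
    for pkt in packets:
        try:
            label = classify(pkt)
        except ValueError:
            label = "malformed"
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_ipv4_header(options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header for the example (constructed data; checksum left zero)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 1, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options


# Constructed sample packets: no options, Router Alert, NOP padding only, and a
# Router Alert option whose length byte is missing (padding yields length 0).
SAMPLE_PACKETS = {
    "plain": build_ipv4_header(),
    "router_alert": build_ipv4_header(b"\x94\x04\x00\x00"),
    "nop_padded": build_ipv4_header(b"\x01\x01"),
    "malformed": build_ipv4_header(b"\x94"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        try:
            print(name, parse_ipv4_options(pkt), classify(pkt))
        except ValueError as exc:
            print(name, "malformed:", exc)
    print(summarize(SAMPLE_PACKETS.values()))
```

Run over a pcap-derived stream, the `summarize` counts give a quick measure of how much traffic the RP would absorb without the selective-drop feature, and a spike in the `punt-router-alert` bucket is a useful detection signal for the attack pattern the guide describes.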