The premiere source of truth powering network automation. Open and extensible, trusted by thousands.

NetBox is now available as a managed cloud solution! Stop worrying about your tooling and get back to building networks.

IOS Control Plane Protection for DoS Mitigation

By stretch | Thursday, October 1, 2009 at 8:22 a.m. UTC

IOS control plane protection is an extension of control plane policing (CoPP) introduced in 12.4(4)T which allows an administrator to apply a quality of service (QoS) policy to a router's control plane. The control plane handles all traffic which must be processed by the router in software.

A policy can be applied to the control plane generally, as with legacy CoPP, or it can be applied to one of the three control plane "subinterfaces:"

  • Host - Traffic destined for the router itself (management, routing protocols, etc.)
  • Transit - Software-switched transit traffic
  • CEF exception - Traffic which triggers a CEF exception (ARP, non-IP packets, etc.)

To illustrate the benefits of configuring control plane protection, we can observe what happens when an unprotected router is targeted by a primitive denial of service (DoS) attack. We can initiate a primitive DoS against a router at 10.0.0.1 by initiating a UDP flood:

Attacker$ udp-flood.pl 10.0.0.1 1234 64 0

UDP packets are flooded at or near line rate with the intention of overwhleming the recipient. Since these packets are destined for the router itself, each gets punted from hardware to software prcoessing, consuming expensive CPU and memory resources. With no countermeasures in place, the router's processing power is quickly consumed:

Router# show processes cpu sorted
CPU utilization for five seconds: 100%/28%; one minute: 76%; five minutes: 25%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  29       85468         295     289722 71.30% 52.46% 16.90%   0 Net Background
   4        2136         118      18101  0.42%  0.35%  0.28%   0 Check heaps
   2          24          50        480  0.08%  0.02%  0.00%   0 Load Meter
  56          12        4131          2  0.08%  0.01%  0.00%   0 Dot11 driver
  80         848         185       4583  0.08%  0.20%  0.07%   0 IP Input
   1           4          11        363  0.00%  0.00%  0.00%   0 Chunk Manager
...

To mitigate this, we can apply control plane protection. A CoPP policy is configured via the modular QoS CLI (MQC) as with any regular QoS policy, and applied akin to a normal interface service policy. To keep things simple, we'll create a policy which just polices inbound UDP traffic to 16 Kbps:

class-map match-all UDP
 match access-group name UDP
!
policy-map CoPP
 class UDP
  police 16000 conform-action transmit exceed-action drop violate-action drop
!
ip access-list extended UDP
 permit udp any any

Finally we apply the service policy to the control plane. In this example, it is applied to the aggregate rather than to a subinterface:

R1(config)# control-plane ?
  cef-exception  Cef-exception traffic control-plane configuration
  host           Host traffic control-plane configuration
  transit        Transit traffic control-plane configuration
  

R1(config)# control-plane
R1(config-cp-host)# service-policy input CoPP
R1(config-cp-host)#
%CP-5-FEATURE: Control-plane Policing feature enabled on Control plane aggregate path

We can relaunch our UDP flood and compare the CPU utilization to what we saw without CoPP:

Router#show processes cpu sorted
CPU utilization for five seconds: 100%/97%; one minute: 53%; five minutes: 32%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  55       13492        2055       6565  0.32%  0.08%  0.02%   0 COLLECT STAT COU
   1           4          12        333  0.00%  0.00%  0.00%   0 Chunk Manager  
   2         968          83      11662  0.00%  0.00%  0.00%   0 Load Meter     
   4        3932         206      19087  0.00%  0.60%  0.49%   0 Check heaps    
   5           0           1          0  0.00%  0.00%  0.00%   0 Pool Manager   
   6           0           2          0  0.00%  0.00%  0.00%   0 Timers    
...

That's probably not what you expected: CPU utilization actually appears to have gone up! What happened? Before moving any further, let's verify that our CoPP policy is indeed performing as expected:

Router# show policy-map control-plane
 Control Plane

Service-policy input: CoPP

Class-map: UDP (match-all)
      6918133 packets, 733322098 bytes
      5 minute offered rate 16552000 bps, drop rate 16551000 bps
      Match: access-group name UDP
      police:
          cir 16000 bps, bc 1500 bytes, be 1500 bytes
        conformed 1575 packets, 166950 bytes; actions:
          transmit
        exceeded 14 packets, 1484 bytes; actions:
          drop
        violated 6921762 packets, 733706772 bytes; actions:
          drop
        conformed 18000 bps, exceed 0 bps, violate 74591000 bps

Class-map: class-default (match-any)
      2 packets, 120 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Yep, our CoPP policy is policing at merely 16 Kbps inbound, and discarding all other malicious traffic. What gives?

The five-second CPU statistics listed at the beginning of the show processes cpu outputs is composed of two numbers: total utilization and utilization resulting from hardware interrupt requests. In our first report, interrupt utilization accounted for only around 30% of the total CPU utilization, whereas it now accounts for nearly all of it. Conversely, the first report showed the "Net Background" process (responsible for buffer allocation on newer IOS versions) consuming over 70% CPU utilization while the same process's utilization on the second output is negligible (it's not even listed in the top few).

What we've witnessed here is a shift from process-heavy computation to interrupt-heavy computation. Unfortunately, depending on the platform, this can be just as bad. Testing this on an 1811W I noticed that the terminal felt just as sluggish under 100% load with or without CoPP. Fortunately, once the load has been pushed back to the interrupt level, you can adjust the process scheduler allocation to give software processes a little more breathing room.

Scheduler allocation is defined as a proprotion of interrupt run time to process run time; for most platforms, 4000 µsec of interrupt time is allowed for merely 200 µsec of process time (according to the documentation). Older platforms might be limited to the scheduler interval command. Sensible scheduler allocation is a hairy topic in itself, but the permitted ranges offer some idea of the intended ratio:

Router(config)# scheduler allocate ?
  <3000-60000>  Microseconds handling network interrupts
  <cr>

Router(config)# scheduler allocate 8000 ?
  <1000-8000>  Microseconds running processes

Router(config)# scheduler allocate 8000 1000

An allocation of 8000/1000 worked well to put the spring back into the console of my 1800 series while it was being beaten to death with UDP. I have not experimented with the impact of this allocation on actual throughput. Your mileage may vary.

Posted in Quality of Service, Security

Comments

tacack
October 1, 2009 at 8:30 a.m. UTC

Great Article Stretch!

shivlu jain
October 1, 2009 at 12:53 p.m. UTC

Thanks for posting such a great article.

tonhe
October 1, 2009 at 1:54 p.m. UTC

Pretty interesting stuff man. Good work!

mellowd
October 1, 2009 at 4:28 p.m. UTC

Interesting. I've played a bit with CoPP but didn't know this.

Where can you find the defaults for the scheduler for each platform? Also, how does this change affect the regular running of the router in other tasks?

wad
October 1, 2009 at 7:26 p.m. UTC

very useful and interesting article as your usual man and your site is very perfect after changes Thanks for your value information.

Roland Dobbins
October 2, 2009 at 1:35 a.m. UTC

CoPP & CoPr are pretty much a wash on software-based platforms, as all T-train routers are - you've just one CPU in the box, and there's little in the way of order-of-operations processing benefits to be gained.

CoPP (and CoPr, if it's ever ported) on hardware-based platforms makes much more sense, as you're now offloading the classification and evalution from the route processor to specialized hardware.

But I wouldn't bother with it on software-based routers - iACLs, uRPF, vty ACLs, and SNMP ACLs get you the most bang for the buck on those smaller boxes.

ron
October 2, 2009 at 10:06 p.m. UTC

I use CoPP on my 871's. CoPP also standardizes management-plane access lists across multiple routers, so they are not everywhere (vty, console, iACL). I permit the traffic on both exceed and violate actions for the policy-maps.

Roy Waterman
December 1, 2009 at 5:28 p.m. UTC

Hi Jeremy

My knowledge of control plane protection is somewhat limited, but it looks like you've configured CoPP (control plane policing) rather than control plane protection.

Your config shows: R1(config)# control-plane

As you didnt specify one of the subinterfaces, it looks like you have applied the service policy to the aggregate control plane interface.

Did you mean to configure the following?

R1(config)# control-plane host

Again, I am still in process of learning copp so I may well be incorrect.

stretch
December 1, 2009 at 6:07 p.m. UTC

@Roy: There's no practical difference in the terms. Cisco renamed control plane policing as control plane protection to better convey its potential defensive posturing.

Ellion
November 16, 2010 at 11:05 a.m. UTC

i have trouble with this udp flood (torrents) can i do something like CoPP on catalyst3560 with IOS 12.2(25)SEE1 C3560-ADVIPSERVICESK ?

Brandon
December 11, 2015 at 6:13 p.m. UTC

@Ellion -

You can apply similar policy to your VLANs on the 3560. For example, in the configuration context of "interface vlan 1" you have the option to apply a "service-policy" in the same manner he has applied one to the "control-plane."

I hope this helps!

Comments have closed for this article due to its age.