Information About Login Enhancements-Login Block
Login Enhancements-Login Block Overview
The Login Enhancements (Login Block) feature allows users to enhance the security of a device by configuring options to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected.
The login block and login delay options introduced by this feature can be configured for Telnet or SSH virtual connections. By enabling this feature, you can slow down “dictionary attacks” by enforcing a “quiet period” if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.
Protecting Against Denial of Service and Dictionary Login Attacks
Connecting to a device for the purposes of administering (managing) the device, at either the User or Executive level, is most frequently performed using Telnet or SSH (secure shell) from a remote console (such as a PC). SSH provides a more secure connection option because communication traffic between the user's device and the managed device is encrypted. The Login Block capability, when enabled, applies to both Telnet connections and SSH connections. Beginning in Release versions 12.3(33)SRB2, 12.2(33)SXH2, and 12.4(15)T1, the Login Block capability also applies to HTTP connections.
The automated activation and logging of the Login Block and Quiet Period capabilities introduced by this feature are designed to further enhance the security of your devices by specifically addressing two well known methods that individuals use to attempt to disrupt or compromise network devices.
If the connection address of a device is discovered and is reachable, a malicious user may attempt to interfere with the normal operations of the device by flooding it with connection requests. This type of attack is referred to as an attempted Denial-of-Service, because the device may become too busy trying to process the repeated login connection attempts to properly handle normal routing services, or may be unable to provide the normal login service to legitimate system administrators.
The primary intention of a dictionary attack, unlike a typical DoS attack, is to actually gain administrative access to the device. A dictionary attack is an automated process that tries to log in by attempting thousands, or even millions, of username/password combinations. (This type of attack is called a "dictionary attack" because it typically uses, as a start, every word found in a typical dictionary as a possible password.) Because scripts or programs are used to attempt this access, the profile for such attempts is typically the same as for DoS attempts: multiple login attempts in a short period of time.
By enabling a detection profile, the device can be configured to react to repeated failed login attempts by refusing further connection requests (login blocking). This block can be configured for a period of time, called a "quiet period". Legitimate connection attempts can still be permitted during a quiet period by configuring an access-list (ACL) with the addresses that you know to be associated with system administrators.
Delays Between Successive Login Attempts
A device can accept virtual connections as fast as they can be processed. Introducing a delay between login attempts helps to protect the device against malicious login connections such as dictionary attacks and DoS attacks. Delays can be enabled in one of the following ways:
- Through the auto secure command. If you enable the AutoSecure feature, the default login delay time of one second is automatically enforced.
- Through the login block-for command. You must enter this command before issuing the login delay command. If you enter only the login block-for command, the default login delay time of one second is automatically enforced.
- Through the global configuration mode command login delay, which allows you to specify the login delay time to be enforced, in seconds.
Login Shutdown If DoS Attacks Are Suspected
If the configured number of connection attempts fail within a specified time period, the device does not accept any additional connections for a “quiet period.” (Hosts that are permitted by a predefined access-control list [ACL] are excluded from the quiet period.)
The number of failed connection attempts that trigger the quiet period can be specified through the new global configuration mode command login block-for. The predefined ACL that is excluded from the quiet period can be specified through the new global configuration mode command login quiet-mode access-class.
This functionality is disabled by default, and it is not enabled if AutoSecure is enabled.
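The following configuration is an added example, not taken from the original page, that ties together the login delay and login block-for / quiet-mode commands described above. The ACL name MGMT-HOSTS and the 192.0.2.0/24 administrator subnet are placeholders.

```ios
! Added example (not from the original page). ACL name and subnet are placeholders.
!
! Hosts that must remain able to log in while a quiet period is active.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any
!
! Detection profile: if 3 login attempts fail within 60 seconds,
! refuse further Telnet/SSH (and, on supported releases, HTTP)
! logins for a 120-second quiet period.
login block-for 120 attempts 3 within 60
!
! Exempt the administrator addresses in MGMT-HOSTS from the quiet period.
login quiet-mode access-class MGMT-HOSTS
!
! Enforce a 3-second gap between successive login attempts.
! This must follow login block-for; without it the default is 1 second.
login delay 3
!
! Log failed and successful logins so quiet-period activation is visible.
login on-failure log
login on-success log
```

After applying it, show login reports the configured profile and whether the device is currently in quiet mode.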