4.3 Disabling Unused Services


A router can run many services that are neither needed nor desired. It is a good idea to disable those services. It is often not advertised that these services are running, so it is a good idea to check your router vendor's website, and read through your documentation to determine if there are unnecessary services running.

Cisco, for example, up until version 12.0 of IOS, [5] enabled a group of diagnostic services: echo, chargen, and discard for both UDP and TCP connections. An attacker can use these services to launch a DoS attack against the router.

[5] IOS is Internet Operating System. It is the operating system that runs on all Cisco routers and many of the Cisco switches.

These services can be remotely accessed, and each time one is accessed a small amount of CPU time is consumed. If enough requests are made, the router becomes overwhelmed and can no longer respond to legitimate requests, or it crashes entirely.

These services are generally not used in enterprise networks; if you do not use them it is wise to disable them:

    gw1(config)#no service tcp-small-servers
    gw1(config)#no service udp-small-servers

Other services to watch out for, such as Finger, DHCP, and router-specific protocols that you may not be using, should also be disabled:

    gw1(config)#no service finger
    gw1(config)#no service dhcp
    gw1(config)#no cdp run
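As an added illustration (this is not code from the book), the following Python audit reads Cisco IOS configuration text and reports which of the services listed above are still enabled. The sample configuration is constructed; the only default it assumes is that CDP runs unless explicitly disabled, while the defaults for the other services are left as version-dependent, since the book notes they changed with IOS 12.0.

```python
# Services this section recommends disabling.
# Each entry: (enable line, disable line, default when the config is silent)
# default is True/False where it is known, or None when it depends on the IOS
# version (the book notes the small servers were enabled before IOS 12.0).
SERVICES = {
    "tcp-small-servers": ("service tcp-small-servers", "no service tcp-small-servers", None),
    "udp-small-servers": ("service udp-small-servers", "no service udp-small-servers", None),
    "finger":            ("service finger", "no service finger", None),
    "dhcp":              ("service dhcp", "no service dhcp", None),
    "cdp":               ("cdp run", "no cdp run", True),  # assumption: CDP runs by default
}

# Constructed sample running-config (not taken from the book or any real device).
SAMPLE_CONFIG = """\
version 12.0
hostname gw1
no service udp-small-servers
service finger
no service dhcp
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
"""

def audit_config(config: str) -> dict:
    """Return a service -> status map based on explicit config lines and known defaults."""
    lines = {ln.strip() for ln in config.splitlines()}
    result = {}
    for name, (enable, disable, default) in SERVICES.items():
        if disable in lines:
            result[name] = "disabled"
        elif enable in lines:
            result[name] = "ENABLED"
        elif default is True:
            result[name] = "ENABLED (default)"
        elif default is False:
            result[name] = "disabled (default)"
        else:
            result[name] = "unknown (verify default for this IOS version)"
    return result

def findings(config: str) -> list:
    """Services that are enabled or cannot be confirmed disabled from the config alone."""
    return [n for n, s in audit_config(config).items()
            if s.startswith("ENABLED") or s.startswith("unknown")]

if __name__ == "__main__":
    for name, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{name:20} {status}")
```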

CDP is the Cisco Discovery Protocol, a Cisco proprietary service that allows Cisco devices to find and communicate with each other. CDP works on Layer 2; routers and switches use the protocol to share configuration information, and Cisco CallManager can use the information to update management programs, such as Cisco Works, with the latest data from the network devices.

CDP has been the target of attacks in the past. Because it operates strictly at Layer 2, it lacks the error-checking capabilities of some higher-level protocols, which makes it more vulnerable to attack.

One exploit common with older versions of IOS is to spoof CDP packets from another device on the network. The spoofed packets need to have random device identifiers, have the maximum expiration time set (255 seconds), and have the maximum CDP packet size (1,480 bytes). The router will attempt to write these large packets to memory, eventually filling up the buffer, which will cause the router to crash and reboot, or simply stop routing.

Fortunately, because Layer 2 packets such as CDP cannot be carried across the WAN, anyone running an exploit like this has to be on your local network.

Every router vendor has services similar to CDP that ease the configuration process but can also leave large, possibly exploitable, security holes within a network. It is a good idea to review each vendor's website periodically to find out what current best practices in router security they recommend.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Authors: Allan Liska