07-09-2019 09:17 AM
Hi everyone, we have recently been configuring an ASR9010 router, but yesterday I noticed some strange behavior.
For example, it loads a lot when logging in by telnet.
When reviewing with the show log command I see the following attempts:
RP/0/RSP1/CPU0:Jul 8 09:47:28.302 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:29.899 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:31.968 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '45.170.220.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:32.470 : exec[65867]: %MGBL-exec-3-LOGIN_AUTHEN : Login Authentication failed. Exiting...
I imagine that they must be DoS attacks. For that reason I thought about blocking them with an ACL but it is not working well for me.
conf
ipv4 access-list resistance
deny ipv4 host 218.92.0.207 any
deny ipv4 host 168.243.48.13 any
deny ipv4 host 45.170.177.125 any
deny ipv4 host 45.170.129.14 any
deny ipv4 host 218.92.0.207 any
deny ipv4 host 80.90.90.25 any
deny ipv4 host 5.55.28.70 any
deny ipv4 host 5.75.17.236 any
deny ipv4 host 70.45.128.75 any
deny ipv4 host 98.148.247.23 any
deny ipv4 45.170.220.0 0.0.0.255 any
deny ipv4 45.170.221.0 0.0.0.255 any
deny ipv4 45.170.222.0 0.0.0.255 any
deny ipv4 45.170.223.0 0.0.0.255 any
permit icmp any host 192.168.1.1 (example IP )
permit icmp any host 192.168.1.1 (example IP )
permit ipv4 any any
Entered on the interface:
IPv4 access-group nameACL egress
Could you help me know whether those logs are from a DoS attack?
Best regards,
Viinicio
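An added example (not part of the original post and not Cisco tooling): a small Python triage of the `%SECURITY-LOGIN-4-AUTHEN_FAILED` lines quoted above, counting failures per source host, per /24 and per exec session to show whether the attempts are repeated password guessing from a few prefixes. The sample log is constructed with documentation addresses, and the function name, the /24 grouping and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Matches the %SECURITY-LOGIN-4-AUTHEN_FAILED lines in the layout shown in the post.
FAILED = re.compile(
    r"exec\[(?P<pid>\d+)\]: %SECURITY-LOGIN-4-AUTHEN_FAILED : "
    r"Failed authentication attempt by user '(?P<user>[^']*)' "
    r"from '(?P<src>[0-9.]+)' on '(?P<line>[^']+)'"
)

# Constructed sample (documentation addresses), same layout as the post's log.
SAMPLE_LOG = """\
RP/0/RSP1/CPU0:Jul 8 09:47:28.302 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '203.0.113.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:29.899 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '203.0.113.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:31.968 : exec[65867]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '203.0.113.38' on 'vty0'
RP/0/RSP1/CPU0:Jul 8 09:47:32.470 : exec[65867]: %MGBL-exec-3-LOGIN_AUTHEN : Login Authentication failed. Exiting...
RP/0/RSP1/CPU0:Jul 8 09:48:02.115 : exec[65901]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user 'admin' from '203.0.113.77' on 'vty1'
RP/0/RSP1/CPU0:Jul 8 09:48:03.640 : exec[65901]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user 'root' from '203.0.113.77' on 'vty1'
RP/0/RSP1/CPU0:Jul 8 09:50:10.004 : exec[65950]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from '198.51.100.9' on 'vty0'
"""

def summarize(log_text, prefix_len=24, threshold=3):
    """Count failed logins per source host, per prefix and per exec session."""
    hosts, prefixes = Counter(), Counter()
    sessions = defaultdict(set)  # source address -> exec PIDs (one per vty login session)
    for m in FAILED.finditer(log_text):
        try:
            net = ip_network(f"{m['src']}/{prefix_len}", strict=False)
        except ValueError:  # malformed address in the log line, skip it
            continue
        hosts[m["src"]] += 1
        prefixes[str(net)] += 1
        sessions[m["src"]].add(m["pid"])
    return {
        "hosts": dict(hosts),
        "prefixes": dict(prefixes),
        "sessions": {src: len(pids) for src, pids in sessions.items()},
        "flagged": sorted(p for p, n in prefixes.items() if n >= threshold),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for prefix in report["flagged"]:
        print(prefix, report["prefixes"][prefix], "failed logins")
```

Many short sessions with a few failures each, spread over neighbouring addresses, point to password guessing against the exposed vty lines rather than a volumetric flood.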
07-10-2019 01:27 AM
It's better to use the 'native' IOS XR method for management plane protection. See
07-10-2019 10:05 AM
Dear Aleksandar Vidakovic,
Thanks a lot for your help.
Now checking, I see that the version is: Cisco IOS XR Software, Version 5.3.4
Knowing the IOS version, could it work even if my IOS version is lower than the one in the guide?
Thanks,
Viniicio.
07-11-2019 08:11 AM
There were no changes in management plane protection commands in recent IOS XR releases. You can also check the same configuration guide for your release of choice. I just took the latest and greatest.