Chapter24 Security Audit
Fix It Page
24-8
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable UDP Small Servers Service
Security Audit disables small services whenever possible. By default, Cisco
devices running Cisco IOS version 11.3 or earlier offer the “small services”: echo,
chargen, and discard. (Small services are disabled by default in Cisco IOS
software version12.0 and later.) These services, especially their UDP versions,
are infrequently used for legitimate purposes, but they can be use d to launch DoS
and other attacks that would otherwise be prevented by packet filtering.
For example, an attacker might send a DNS packet, falsifying the source address
to be a DNS server that would otherwise be unreachable, and falsifying t he source
port to be the DNS service port (port 53). If such a packet were sent to the router’s
UDP echo port, the result would be the router sending a DNS packet to the server
in question. No outgoing access list checks would be applied to this packet, since
it would be considered to be locally generated by the router itself.
Although most abuses of the small services can be avoided or made less dangerous
by anti-spoofing access lists, the services should almost always be disabled in any
router which is part of a firewall or lies in a security-critical part of the network.
Since the services are rarely used, the best policy is usually to disable them on all
routers of any description.
The configuration that will be delivered to the router to disable UDP small servers
is as follows:
no service udp-small-servers
Disable IP BOOTP Server Service
Security Audit disables the Bootstrap Protocol (BOOTP) service whenever
possible. BOOTP allows both routers and computers to automatically configure
necessary Internet information from a centrally maintained server upon startup,
including downloading Cisco IOS software. As a result, BOOTP can potentially
be used by an attacker to download a copy of a router’s Cisco IOS software.
In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should
be disabled or filtered via a firewall for this reason as well.