Connecting to a routing device for the purposes of administering (managing) the device, at either the User or Executive level,
is most frequently performed using Telnet or SSH (secure shell) from a remote console (such as a PC). SSH provides a more
secure connection option because communication traffic between the user’s device and the managed device are encrypted. The
Login Block capability, when enabled, applies to both Telnet connections and SSH connections. Beginning in Release versions
12.3(33)SRB2, 12.2(33)SXH2, and 12.4(15)T1, the Login Block capability also applies to HTTP connections.
The automated activation and logging of the Login Block and Quiet Period capabilities introduced by this feature are designed
to further enhance the security of your devices by specifically addressing two well known methods that individuals use to
attempt to disrupt or compromise network devices.
If the connection address of a device is discovered and is reachable, a malicious user may attempt to interfere with the normal
operations of the device by flooding it with connection requests. This type of attack is referred to as an attempted Denial-of-Service,
because the device may become too busy processing the repeated login connection attempts to handle normal routing services properly,
or may be unable to provide the normal login service to legitimate system administrators.
The primary intention of a dictionary attack, unlike a typical DoS attack, is to actually gain administrative access to the
device. A dictionary attack is an automated process that attempts to log in by trying thousands, or even millions, of username/password
combinations. (This type of attack is called a “dictionary attack” because it typically uses, as a start, every word found
in a typical dictionary as a possible password.) Because scripts or programs are used to attempt this access, the profile for such
attempts is typically the same as for DoS attempts: multiple login attempts in a short period of time.
By enabling a detection profile, the routing device can be configured to react to repeated failed login attempts by refusing
further connection requests (login blocking). This block can be configured for a period of time, called a “quiet period”. Legitimate
connection attempts can still be permitted during a quiet period by configuring an access-list (ACL) with the addresses that
you know to be associated with system administrators.
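The following is an added example, not code from the Cisco documentation, that models the detection profile described above in Python so the interaction between the watch window, the failure threshold, the quiet period and the administrator ACL can be observed on constructed input. The three policy parameters correspond to the IOS command `login block-for <seconds> attempts <tries> within <seconds>`, and the exemption list corresponds to `login quiet-mode access-class <acl>`; failed attempts are counted globally across all sources, as the feature does, rather than per source. The addresses, timestamps and event sequence in `simulate()` are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LoginBlockPolicy:
    """Parameters of an IOS-style login detection profile."""
    block_for: int   # length of the quiet period in seconds
    attempts: int    # failed attempts that trigger the quiet period
    within: int      # watch window in seconds for counting failures
    quiet_mode_acl: list = field(default_factory=list)  # prefixes still permitted during quiet period


class LoginBlockMonitor:
    """Tracks failed logins and enforces the quiet period (model, not the IOS implementation)."""

    def __init__(self, policy: LoginBlockPolicy):
        self.policy = policy
        self.failures = []        # timestamps of recent failures, global across all sources
        self.quiet_until = None   # end of the current quiet period, or None
        self.log = []             # human-readable record of blocking decisions

    def in_quiet_period(self, now: int) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def _exempt(self, source: str) -> bool:
        # Administrator hosts listed in the quiet-mode ACL bypass the block.
        addr = ip_address(source)
        return any(addr in ip_network(prefix) for prefix in self.policy.quiet_mode_acl)

    def connection_attempt(self, now: int, source: str, credentials_ok: bool) -> str:
        """Return 'blocked', 'allowed' or 'failed' for one login attempt at time `now`."""
        if self.in_quiet_period(now) and not self._exempt(source):
            self.log.append(f"t={now}: {source} refused, quiet period until t={self.quiet_until}")
            return "blocked"
        if credentials_ok:
            return "allowed"
        # Record the failure and keep only failures inside the watch window.
        self.failures.append(now)
        self.failures = [t for t in self.failures if now - t < self.policy.within]
        if len(self.failures) >= self.policy.attempts:
            self.quiet_until = now + self.policy.block_for
            self.failures.clear()
            self.log.append(f"t={now}: threshold reached, entering quiet period until t={self.quiet_until}")
        return "failed"


def simulate() -> list:
    """Run a constructed sequence of login attempts through the monitor and return the outcomes."""
    # Equivalent of: login block-for 120 attempts 3 within 60 / quiet-mode ACL permitting 192.0.2.0/24
    policy = LoginBlockPolicy(block_for=120, attempts=3, within=60, quiet_mode_acl=["192.0.2.0/24"])
    monitor = LoginBlockMonitor(policy)
    # Constructed events: (time in seconds, source address, whether the credentials were valid)
    events = [
        (0,   "198.51.100.7", False),  # failure 1, falls out of the window before the next one
        (70,  "198.51.100.7", False),  # failure 1 of a new window (t=0 is now older than 60 s)
        (80,  "198.51.100.7", False),  # failure 2
        (90,  "198.51.100.7", False),  # failure 3: threshold hit, quiet period until t=210
        (100, "198.51.100.7", True),   # correct password, but refused during the quiet period
        (110, "192.0.2.10",   True),   # administrator host permitted by the ACL
        (220, "198.51.100.7", True),   # quiet period has expired, normal login resumes
    ]
    return [monitor.connection_attempt(t, src, ok) for t, src, ok in events]


if __name__ == "__main__":
    for outcome in simulate():
        print(outcome)
```

The sequence shows the two properties the text relies on: the watch window is sliding, so a failure older than `within` seconds no longer counts toward the threshold, and during the quiet period the source address, not the credentials, decides whether a connection is accepted.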