
The router must ensure all eBGP routers are configured to use Generalized TTL Security Mechanism (GTSM).


Overview

Finding ID: SRG-NET-000191-RTR-000081
Version: SRG-NET-000191-RTR-000081
Rule ID: SRG-NET-000191-RTR-000081_rule
IA Controls: (not listed)
Severity: Medium
Description
As described in RFC 3682, the GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all eBGP-speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the eBGP peers are either between connecting interfaces or between loopback interfaces. Because the TTL of an IP packet can only be decremented by each router it passes through, a sender cannot make a packet arrive with a TTL higher than the value it started with (at most 255); a packet that arrives with the TTL expected from an adjacent peer therefore cannot have originated further away. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.
STIG: Router Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000191-RTR-000081_chk)
Review the router configuration and ensure that the neighbor ttl-security command is configured for all eBGP peering sessions. If the router does not have the neighbor ttl-security command configured for all eBGP peering sessions, this is a finding.
Fix Text (F-SRG-NET-000191-RTR-000081_fix)
Configure all eBGP routers to use GTSM to mitigate risks associated with a control plane DoS attack.
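The check above can be automated. The following is an added example, not part of the STIG or of any vendor's tooling: it parses a constructed Cisco IOS-style BGP configuration (the `neighbor X remote-as N` and `neighbor X ttl-security hops N` syntax is assumed), treats every neighbor whose remote AS differs from the local AS as an eBGP peer, and lists the peers that lack GTSM. It also shows the TTL test GTSM applies on receipt, accepting a packet only if its TTL is at least 255 minus the configured hop count.

```python
"""Audit a Cisco IOS-style BGP configuration for GTSM (RFC 3682).

Added example: finds eBGP neighbors without 'ttl-security hops N'
and models the receive-side TTL check that GTSM performs.
"""
import re

# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 198.51.100.9 remote-as 64502
 neighbor 10.0.0.2 remote-as 64500
 neighbor 203.0.113.5 remote-as 64503
 neighbor 203.0.113.5 ttl-security hops 2
"""


def gtsm_accepts(ttl, hops):
    """GTSM receive check: a peer within `hops` hops that sends with
    TTL 255 arrives with TTL >= 255 - hops; anything lower is dropped."""
    return ttl >= 255 - hops


def ebgp_neighbors_without_gtsm(config):
    """Return eBGP neighbor addresses (remote AS != local AS) that have
    no 'ttl-security hops' line, i.e. the findings for this check."""
    local_as = None
    remote_as = {}
    ttl_secured = set()
    for line in config.splitlines():
        m = re.match(r"\s*router bgp (\d+)", line)
        if m:
            local_as = int(m.group(1))
            continue
        m = re.match(r"\s*neighbor (\S+) remote-as (\d+)", line)
        if m:
            remote_as[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"\s*neighbor (\S+) ttl-security hops (\d+)", line)
        if m:
            ttl_secured.add(m.group(1))
    # iBGP neighbors (same AS) are out of scope for this requirement.
    return sorted(n for n, asn in remote_as.items()
                  if asn != local_as and n not in ttl_secured)


if __name__ == "__main__":
    print("eBGP peers without GTSM:", ebgp_neighbors_without_gtsm(SAMPLE_CONFIG))
```

In the constructed configuration only 198.51.100.9 is reported; 10.0.0.2 shares the local AS and is skipped as an iBGP peer.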