Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-NET-000191-RTR-000081 | SRG-NET-000191-RTR-000081 | SRG-NET-000191-RTR-000081_rule | | Medium |
Description |
---|
As described in RFC 3682, the Generalized TTL Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all eBGP-speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, eBGP peers are reached either between directly connected interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense against infrastructure attacks based on forged control plane traffic. |
STIG | Date |
---|---|
Router Security Requirements Guide | 2013-07-30 |
Check Text ( C-SRG-NET-000191-RTR-000081_chk ) |
---|
Review the router configuration and ensure that TTL-security is configured with the neighbor command for all eBGP peering sessions. If TTL-security is not configured with the neighbor command for all eBGP peering sessions, this is a finding. |
Fix Text (F-SRG-NET-000191-RTR-000081_fix) |
---|
Configure all eBGP routers to use GTSM to mitigate risks associated with a control plane DoS attack. |
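The check above can be automated against an exported configuration. The following is an added example, not part of the STIG; it assumes Cisco IOS-style syntax (`router bgp <asn>`, `neighbor <ip> remote-as <asn>`, `neighbor <ip> ttl-security hops <n>`), treats any neighbor whose remote AS differs from the local AS as an eBGP peer, and works on a constructed sample stanza. It also encodes the GTSM acceptance rule from the description so the expected-TTL logic can be exercised directly.

```python
import re
from typing import Dict, List

# Constructed Cisco-IOS-style BGP stanza for illustration; not from any real device.
SAMPLE_CONFIG = """\
router bgp 65001
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 update-source Loopback0
 neighbor 198.51.100.2 remote-as 64500
 neighbor 198.51.100.2 ttl-security hops 1
 neighbor 203.0.113.2 remote-as 64501
 neighbor 203.0.113.2 description transit-provider
"""


def gtsm_accepts(received_ttl: int, hops: int) -> bool:
    """GTSM acceptance rule (RFC 3682): the peer sends with TTL 255, so a
    packet is accepted only if its TTL on arrival is still >= 255 - hops.
    Traffic originated further away than `hops` routers cannot satisfy this."""
    return received_ttl >= 255 - hops


def ebgp_neighbors_missing_ttl_security(config: str) -> List[str]:
    """Return eBGP neighbor addresses that have no 'ttl-security hops N' line.
    Neighbors whose remote-as equals the local AS are iBGP and out of scope."""
    local_as = None
    remote_as: Dict[str, str] = {}
    protected = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            local_as = m.group(1)
            continue
        m = re.match(r"neighbor (\S+) remote-as (\d+)$", line)
        if m:
            remote_as[m.group(1)] = m.group(2)
            continue
        m = re.match(r"neighbor (\S+) ttl-security hops (\d+)$", line)
        if m:
            protected.add(m.group(1))
    if local_as is None:
        raise ValueError("no 'router bgp <asn>' stanza found")
    return sorted(peer for peer, asn in remote_as.items()
                  if asn != local_as and peer not in protected)


if __name__ == "__main__":
    for peer in ebgp_neighbors_missing_ttl_security(SAMPLE_CONFIG):
        print(f"FINDING: eBGP neighbor {peer} has no ttl-security configured")
```

On the sample stanza the script reports 203.0.113.2 as a finding, skips the iBGP peer 192.0.2.1, and accepts 198.51.100.2 because it carries a ttl-security line.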