UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The router must ensure all Exterior Border Gateway Protocol (eBGP) routers are configured to use Generalized TTL Security Mechanism (GTSM).


Overview

Finding ID Version Rule ID IA Controls Severity
V-55769 SRG-NET-000191-RTR-000081 SV-70023r1_rule Medium
Description
As described in RFC 3682, Generalized TTL Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.
STIG Date
Router Security Requirements Guide 2014-11-18

Details

Check Text ( C-56335r1_chk )
Review the router configuration; if it is not configured to use Generalized TTL Security Mechanism (GTSM) for all Exterior Border Gateway Protocol peering sessions, this is a finding.
Fix Text (F-60639r1_fix)
Configure all Exterior Border Gateway Protocol peering sessions to use Generalized TTL Security Mechanism (GTSM).