From Juniper Router RTR Security Technical Implementation Guide
Part of SRG-NET-000191-RTR-000081
Associated with: CCI-002385
As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers.
Verify that a filter has been configured to only allow BGP packets with a TTL of 255 as shown in the example below. firewall { … … … filter GTSM_FILTER { term TTL_SECURITY { from { protocol tcp; ttl-except 255; port bgp; } then { syslog; discard; } } term ELSE_ACCEPT { then accept; } } } Verify that the filter is applied to all interfaces connecting to eBGP peers. interfaces { … … … ge-0/0/0 { unit 0 { family inet { filter { input-list [INBOUND_FILTER GTSM_FILTER]; } address x.x.x.x/30; } } } } Configure the router to send all BGP packets with a TTL of 255 as shown in the example below. If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.
Configure a filter to only accept bgp packets with a TTL of 255 as shown in the example below. [edit firewall] set filter GTSM_FILTER term TTL_SECURITY from protocol tcp port bgp ttl-except 255 set filter GTSM_FILTER term TTL_SECURITY then syslog discard set filter GTSM_FILTER term ELSE_ACCEPT then accept Apply the firewall filter to the inbound interface for all eBGP single-hop peer as shown in the example below. [edit interfaces ge-0/0/0 unit 0 family inet] set filter input-list INBOUND_FILTER set filter input-list GTSM_FILTER
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer