Detections
Analytics
CISC-RT-000470 - The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).
Information
As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers.GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.
Solution
Configure TTL security on all external BGP neighbors as shown in the example below:R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 ttl-security hops 1
R1(config-router)#neighbor x.2.1.7 ttl-security hops 1
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Router_Y26M01_STIG.zip
Item Details
Audit Name: DISA Cisco IOS XE Router RTR STIG v3r5
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-216999r855842_rule, STIG-ID|CISC-RT-000470, STIG-Legacy|SV-106081, STIG-Legacy|V-96943, Vuln-ID|V-216999
Plugin: Cisco
Control ID: ba56322e10c881225bafcf985a478b77b56ef1bb7fa869d2a54b9a1335218b2f