Detections
Analytics
JUEX-RT-000090 - The Juniper router configured for MSDP must limit the amount of source-active messages it accepts on per-peer basis.
Information
To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.Solution
Configure the MSDP router to limit the amount of source-active messages it accepts from each peer.set protocols msdp active-source-limit maximum <1..1000000>
set protocols msdp active-source-limit threshold <1..1000000>
set protocols msdp active-source-limit log-warning <percent to log warning>
<additional configuration>
set protocols msdp peer <address> active-source-limit maximum <1..1000000>
set protocols msdp peer <address> active-source-limit threshold <1..1000000>
set protocols msdp peer <address> active-source-limit log-warning <percent to log warning>
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y26M01_STIG.zip
Item Details
Audit Name: DISA Juniper EX Series Router v2r1
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|III, CCI|CCI-001368, Rule-ID|SV-253981r843976_rule, STIG-ID|JUEX-RT-000090, Vuln-ID|V-253981
Plugin: Juniper
Control ID: 939b13e694b6be3669d2fba2cc4f7a1a5acb78e36e3e48cbafe33da230e4f722