Information
Real-time multicast traffic can involve multiple large flows of data. An attacker can flood a network segment with multicast packets, consuming the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups and sources.
Solution
RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block join messages for any undesirable multicast groups.
Step 1: Configure a multicast join policy to filter bad groups and sources as shown in the example below:
[edit policy-options policy-statement MULTICAST_JOIN_POLICY]
set term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set term BAD_GROUPS from route-filter 225.1.2.3/32 exact
...
...
...
set term BAD_GROUPS then reject
set term ALLOW_OTHER then accept
Step 2: Configure PIM to enable the join policy as shown in the example below:
[edit protocols pim]
set import MULTICAST_JOIN_POLICY
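The following audit helper is an added example, not part of this STIG and not Juniper code. It assumes the router configuration has been exported in `show configuration | display set` form, and it checks both steps offline: that an import policy is applied under `[edit protocols pim]`, and what that policy decides for a given join, using the Junos route-filter semantics (a join is evaluated as the group's /32 host route; among the route-filters in a term, the longest matching prefix is chosen and only its match type is applied). The configuration lines are constructed to mirror the two steps above.

```python
"""Offline check of a Junos PIM join (import) policy: parse set-format config,
then predict whether a join for a given group is accepted or rejected."""
import ipaddress

# Constructed sample in 'display set' form, mirroring the two steps above.
SAMPLE_CONFIG = """
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS from route-filter 225.1.2.3/32 exact
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS then reject
set policy-options policy-statement MULTICAST_JOIN_POLICY term ALLOW_OTHER then accept
set protocols pim import MULTICAST_JOIN_POLICY
"""

def pim_import_policy(config):
    """Name of the policy applied under [edit protocols pim], or None if absent."""
    for line in config.split("\n"):
        parts = line.split()
        if parts[:4] == ["set", "protocols", "pim", "import"]:
            return parts[4]
    return None

def parse_policy(config, name):
    """Return the policy's terms in config order as (term, [(prefix, match_type)], action)."""
    prefix = f"set policy-options policy-statement {name} term "
    terms, order = {}, []
    for line in config.split("\n"):
        if not line.startswith(prefix):
            continue
        words = line[len(prefix):].split()
        term = terms.setdefault(words[0], {"filters": [], "action": None})
        if words[0] not in order:
            order.append(words[0])
        if words[1:3] == ["from", "route-filter"]:
            term["filters"].append((ipaddress.ip_network(words[3]), words[4]))
        elif words[1] == "then":
            term["action"] = words[2]
    return [(t, terms[t]["filters"], terms[t]["action"]) for t in order]

def route_filter_hit(route, filters):
    """Junos semantics: pick the longest-prefix route-filter containing the route,
    then apply only that filter's match type (exact / orlonger / longer)."""
    contained = [(n, k) for n, k in filters if route.subnet_of(n)]
    if not contained:
        return False
    net, kind = max(contained, key=lambda f: f[0].prefixlen)
    return {"exact": route.prefixlen == net.prefixlen,
            "orlonger": route.prefixlen >= net.prefixlen,
            "longer": route.prefixlen > net.prefixlen}.get(kind, False)

def join_decision(config, group):
    """Walk the import policy's terms in order; the first match decides. Returns
    'accept', 'reject', 'no-import-policy' (step 2 missing) or 'unmatched'
    (no terminal term such as ALLOW_OTHER, which an audit should flag)."""
    name = pim_import_policy(config)
    if name is None:
        return "no-import-policy"
    route = ipaddress.ip_network(f"{group}/32")  # a join carries a host group address
    for _, filters, action in parse_policy(config, name):
        if not filters or route_filter_hit(route, filters):
            return action
    return "unmatched"
```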