Detections
Analytics
JUNI-RT-000820 - The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources - protocols pim
Information
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.Solution
Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources.[edit policy-options policy-statement MULTICAST_REGISTER_POLICY]
set term BAD_SOURCES from source-address-filter x.x.x.x/32 exact
set term BAD_SOURCES from source-address-filter x.x.x.x/24 orlonger
set term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set term BAD_GROUPS from route-filter 225.1.2.3/32 exact
set term BAD_GROUPS from route-filter 239.0.0.0/8 orlonger
set term BAD_GROUPS then reject
set term ALLOW_OTHER then accept
[edit protocols pim rp]
set rp-register-policy MULTICAST_REGISTER_POLICY
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y25M01_STIG.zip
Item Details
Audit Name: DISA STIG Juniper Router RTR v3r2
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|III, CCI|CCI-001414, Rule-ID|SV-217086r604135_rule, STIG-ID|JUNI-RT-000820, STIG-Legacy|SV-101165, STIG-Legacy|V-90955, Vuln-ID|V-217086
Plugin: Juniper
Control ID: f11c73c570d43b56c3b396b37d97e0ae6c988afae0bf6e42746a0ce731910c6f