Skip to content

The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

An XCCDF Rule

Description

<VulnDiscussion>As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-216991r856208_rule
Severity
Low
References
Updated



Remediation - Manual Procedure

Configure TTL security on all external BGP neighbors as shown in the example below.

R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 ttl-security hops 1
R1(config-router)#neighbor x.2.1.7 ttl-security hops 1