Check: CISC-RT-000470
Cisco IOS XE Router RTR STIG:
CISC-RT-000470
(in versions v2 r9 through v1 r1)
Title
The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). (Cat III impact)
Discussion
As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.
Check Content
Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 password xxxxxxxx neighbor x.1.1.9 ttl-security hops 1 neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 password xxxxxxxx neighbor x.2.1.7 ttl-security hops 1 If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.
Fix Text
Configure TTL security on all external BGP neighbors as shown in the example below: R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 ttl-security hops 1 R1(config-router)#neighbor x.2.1.7 ttl-security hops 1
Additional Identifiers
Rule ID: SV-216999r855842_rule
Vulnerability ID: V-216999
Group Title: SRG-NET-000362-RTR-000124
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |