lestopace
Staff
Article Id 223304
Description: This article describes how to configure a TTL security policy for BGP.
Scope: FortiGate.
Solution:

Problem.

Referring to the image below, even though 10.122.2.155 is not a valid eBGP neighbor, 10.1.1.1 still responded with a SYN-ACK to the SYN packets sent by it.

This exposes the device to CPU-utilization-based attacks.


To prevent this vulnerability from being exploited, one method is to use a TTL security policy.

In this example, BGP traffic with a TTL below 253 is not expected. Note that the rogue router's packets arrive with a TTL of 251.

Considering this scenario, the following policy was configured to mitigate the issue.

 

config firewall ttl-policy
    edit 0
        set status enable
        set action deny
        set srcintf "any"
        set srcaddr "all"
        set service "BGP"
        set schedule "always"
        set ttl 1-252
    next
end

Results.

10.1.1.1 no longer responds to the SYN packets sent by the rogue router.


Note: The 'ttl-policy' does not apply to forwarded traffic. It applies only to local-in traffic, that is, traffic whose destination IP is the FortiGate itself.
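As an added illustration (not Fortinet code or the article's own), the following Python models how the ttl-policy above is evaluated: it matches only local-in TCP/179 packets whose TTL falls within 1-252, and transit traffic is never checked against it. The addresses 10.1.1.2 and 10.9.9.9 and the packet samples are constructed for the example; 10.1.1.1 and 10.122.2.155 are the addresses from the article.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

BGP_PORT = 179  # the built-in "BGP" service object is TCP/179
Packet = namedtuple("Packet", "src dst proto dport ttl")


@dataclass
class TtlPolicy:
    """One 'config firewall ttl-policy' entry (srcintf 'any' assumed)."""
    status: str = "enable"
    action: str = "deny"
    srcaddr: str = "all"        # "all" or a CIDR such as "10.1.1.0/24"
    service_port: int = BGP_PORT
    ttl: str = "1-252"          # FortiOS range syntax: "low-high"

    def matches(self, pkt: Packet) -> bool:
        low, high = (int(x) for x in self.ttl.split("-"))
        if self.status != "enable" or pkt.proto != "tcp" or pkt.dport != self.service_port:
            return False
        if self.srcaddr != "all" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.srcaddr):
            return False
        return low <= pkt.ttl <= high


def local_in_verdict(pkt: Packet, policies: list, local_ips: set) -> str:
    """Transit traffic is 'forwarded' (ttl-policy never consulted); local-in
    traffic gets the first matching policy's action, else 'accept' (no match)."""
    if pkt.dst not in local_ips:
        return "forwarded"
    for pol in policies:
        if pol.matches(pkt):
            return pol.action
    return "accept"


def evaluate_samples() -> dict:
    """Constructed packets: 10.1.1.1 is the FortiGate and 10.122.2.155 the rogue
    router from the article; 10.1.1.2 and 10.9.9.9 are invented addresses."""
    policies = [TtlPolicy(ttl="1-252")]
    local = {"10.1.1.1"}
    samples = {
        "peer_ttl255": Packet("10.1.1.2", "10.1.1.1", "tcp", BGP_PORT, 255),
        "rogue_ttl251": Packet("10.122.2.155", "10.1.1.1", "tcp", BGP_PORT, 251),
        "rogue_ssh_ttl251": Packet("10.122.2.155", "10.1.1.1", "tcp", 22, 251),
        "transit_bgp_ttl251": Packet("10.122.2.155", "10.9.9.9", "tcp", BGP_PORT, 251),
    }
    return {name: local_in_verdict(p, policies, local) for name, p in samples.items()}
```

The "rogue_ssh_ttl251" sample is reported as accept only because it is outside the BGP service this policy covers; a separate ttl-policy entry would be needed for other services.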

 

For more information regarding the TTL Security Mechanism, refer to:

https://www.rfc-editor.org/rfc/rfc5082