FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lestopace
Staff
Staff
Description This article describes how to configure TTL security policy for BGP.
Scope FortiGate.
Solution

Problem.

Referring to the image below, even though 10.122.2.155 is not a valid eBGP neighbor, 10.1.1.1 still responded SYN-ACK packets to the SYN packet sent by the former.

This opens up the device for CPU-utilization based attacks.

 

lestopace_2-1662776926046.png

 

lestopace_1-1662776715281.png

 

To avoid such vulnerability to be exploited, one method is to use TTL Security Policy.

 

In this example, BGP communication below TTL 253 is not to be expected. However, it is notable that the rogue router has a TTL of 251.

 

Considering the scenario, the following has been configured to mitigate this vulnerability.

 

# config firewall ttl-policy
    edit 0
        set status enable
        set action deny
        set srcintf "any"
        set srcaddr "all"
        set service "BGP"
        set schedule "always"
        set ttl 1-252
    next
end


Results.

10.1.1.1 is not responding to the SYN packets anymore sent by rogue. router.

lestopace_7-1662716666691.png

 

lestopace_4-1662777156154.png

 

lestopace_3-1662777104560.png

 

For more information regarding TTL Security Mechanism, refer to:

https://www.rfc-editor.org/rfc/rfc5082

 

Contributors