Created on 10-02-2022 11:14 AM | Edited on 11-27-2025 03:08 AM | By Jean-Philippe_P
| Description | This article describes how to configure a TTL security policy for BGP. |
| Scope | FortiGate. |
| Solution |
BGP sessions are vulnerable to off-path TCP attacks because the protocol runs directly over TCP port 179. An attacker who can spoof the peer’s IP address can send crafted TCP SYN packets, forcing the FortiGate to respond with SYN-ACKs and consume CPU resources.
Referring to the image below, even though 10.122.2.155 is not a valid eBGP neighbor, 10.1.1.1 still responded with SYN-ACK packets to the SYN packet sent by that host. This exposes the device to CPU-utilization-based attacks.
One way to prevent this from being exploited is a TTL security policy. The Generalized TTL Security Mechanism (GTSM), defined in RFC 5082 (also known as the BGP TTL Security Hack), mitigates the attack by checking the TTL value of incoming BGP packets. Legitimate directly-connected eBGP peers send packets with TTL = 255, and multi-hop eBGP peers send packets with a predictable lower value. Any packet arriving with a TTL below the expected minimum can be silently dropped.
In this example, BGP packets with a TTL below 253 are not expected. Note, however, that the packets from the rogue router arrive with a TTL of 251.
Considering this scenario, the following was configured to mitigate the vulnerability.
config firewall ttl-policy
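A complete ttl-policy of the kind the fragment above begins, written as an added example rather than the article's own configuration: it denies local-in BGP packets whose TTL is below the expected minimum of 253, which covers the rogue router's TTL of 251 while leaving the legitimate peers untouched. The interface name port1, the policy id 1 and the TTL range are assumptions; BGP, all and always are FortiOS built-in service, address and schedule objects.

```fortios
# Added example, not taken from the article. Assumptions: the eBGP peer is
# reached through interface "port1", the policy id is 1, and TTL 253-255 is
# the legitimate range (the article expects no BGP traffic below TTL 253).
config firewall ttl-policy
    edit 1
        set status enable
        # Drop local-in BGP packets whose TTL is below the expected minimum.
        # The rogue router's TTL of 251 falls in this range; a directly
        # connected peer (255) or the multi-hop peer in the article (>= 253)
        # does not, so their sessions are unaffected.
        set action deny
        set srcintf "port1"
        set srcaddr "all"
        set service "BGP"
        set schedule "always"
        set ttl "1-252"
    next
end
```

Because a ttl-policy only matches traffic destined to the FortiGate itself, this policy has no effect on BGP or other traffic forwarded through the device; `show firewall ttl-policy` displays the resulting entry.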
10.1.1.1 no longer responds to the SYN packets sent by the rogue router.
Note: The 'ttl-policy' is not used for forwarded traffic. The 'ttl-policy' applies only to local-in traffic, i.e. traffic whose destination IP is the FortiGate itself.
For more information regarding the TTL Security Mechanism, refer to: |
Copyright 2025 Fortinet, Inc. All Rights Reserved.