Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lestopace
Staff
Staff

Created on ‎10-02-2022 11:14 AM

Article Id 223304

Technical Tip: Configuring TTL Security Policy for BGP

Description This article describes how to configure TTL security policy for BGP.
Scope FortiGate.
Solution

Problem.

Referring to the image below, even though 10.122.2.155 is not a valid eBGP neighbor, 10.1.1.1 still responded SYN-ACK packets to the SYN packet sent by the former.

This opens up the device for CPU-utilization based attacks.

 

lestopace_2-1662776926046.png

 

lestopace_1-1662776715281.png

 

To avoid such vulnerability to be exploited, one method is to use TTL Security Policy.

 

In this example, BGP communication below TTL 253 is not to be expected. However, it is notable that the rogue router has a TTL of 251.

 

Considering the scenario, the following has been configured to mitigate this vulnerability.

 

# config firewall ttl-policy
    edit 0
        set status enable
        set action deny
        set srcintf "any"
        set srcaddr "all"
        set service "BGP"
        set schedule "always"
        set ttl 1-252
    next
end


Results.

10.1.1.1 is not responding to the SYN packets anymore sent by rogue. router.

lestopace_7-1662716666691.png

 

lestopace_4-1662777156154.png

 

lestopace_3-1662777104560.png

 

For more information regarding TTL Security Mechanism, refer to:

https://www.rfc-editor.org/rfc/rfc5082

 

1158
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.