Description
This article describes how to configure a TTL security policy for BGP.
Scope
FortiGate.
Solution
Problem. Referring to the image below: even though 10.122.2.155 is not a configured eBGP neighbor, 10.1.1.1 still answers the TCP SYN it sends to port 179 with a SYN-ACK. The TCP handshake is completed before BGP gets to reject the unknown peer, so any host that can reach port 179 can force the device to process handshakes and session rejections it should never have accepted. This exposes the device to CPU-utilization based attacks.
One way to stop this from being exploited is a TTL security policy. It applies the idea of the Generalized TTL Security Mechanism (GTSM, RFC 5082): a directly connected eBGP peer sends its BGP packets with TTL 255 and they arrive with that value because no router has decremented it, whereas packets from a host several hops away arrive with a lower TTL. An attacker cannot set a TTL higher than 255 at the source, so only a host on the same segment can present a TTL that looks directly connected. Dropping BGP packets whose TTL is too low therefore discards rogue SYNs before the TCP stack replies to them.
In this example, legitimate BGP traffic is not expected to arrive with a TTL below 253, while the packets from the rogue router arrive with TTL 251. A policy that denies BGP traffic with TTL 252 or lower therefore blocks the rogue router without affecting the real neighbor.
Considering the scenario, the following has been configured to mitigate this vulnerability:
# config firewall ttl-policy
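The full policy for the scenario above, written out as an added example and not the original article's configuration. The policy ID 1, the peer-facing interface name "port1", and the source address "all" are assumptions; the predefined "BGP" service is TCP port 179. The TTL range format should be checked against the CLI reference for the running FortiOS version, since the field accepts either a single value or a low - high range.

```fortios
# Added example, not the article's own config. Assumed: policy id 1,
# peer-facing interface "port1". "BGP" is the predefined TCP/179 service.
config firewall ttl-policy
    edit 1
        set status enable
        set action deny
        set srcintf "port1"
        set srcaddr "all"
        set service "BGP"
        set schedule "always"
        # Drop BGP packets arriving with TTL 252 or lower; the directly
        # connected peer arrives with 255, the rogue router with 251.
        set ttl "1 - 252"
    next
end

# Verification: the rogue host's SYNs should now appear with no SYN-ACK
# from 10.1.1.1, and the legitimate neighbor should remain Established.
diagnose sniffer packet port1 'tcp port 179 and host 10.122.2.155' 4
get router info bgp summary
```

The deny threshold must match the real topology: if a neighbor is configured as a multihop eBGP peer, its packets legitimately arrive with a TTL reduced by the number of hops, and the range in `set ttl` has to leave room for that. Restrict `srcintf` to the interface facing the peer rather than "any" so the policy does not silently drop BGP traffic on other segments.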
After the policy is applied, 10.1.1.1 no longer responds to the SYN packets sent by the rogue router.
For more information regarding the TTL Security Mechanism, refer to:
Copyright 2025 Fortinet, Inc. All Rights Reserved.