STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.

DISA Rule

SV-216784r531087_rule

Vulnerability Number

V-216784

Group Title

SRG-NET-000362-RTR-000117

Rule Version

CISC-RT-000560

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Configure the router to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x1.24.4
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#maximum-prefix 444 discard-extra-paths
RP/0/0/CPU0:R2(config-bgp-nbr-af)#end

Check Contents

Review the router configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

router bgp xx
address-family ipv4 unicast
!
neighbor x.1.23.3
remote-as yy
ttl-security
address-family ipv4 unicast
route-policy BGP_FILTER in
maximum-prefix nnnn 75 discard-extra-paths
!
!
neighbor x.1.24.4
remote-as zz
address-family ipv4 unicast
route-policy BGP_FILTER in
maximum-prefix nnnn 75 discard-extra-paths
!
!
!
If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Vulnerability Number

V-216784

Documentable

False

Rule Version

CISC-RT-000560

Severity Override Guidance

Review the router configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

router bgp xx
address-family ipv4 unicast
!
neighbor x.1.23.3
remote-as yy
ttl-security
address-family ipv4 unicast
route-policy BGP_FILTER in
maximum-prefix nnnn 75 discard-extra-paths
!
!
neighbor x.1.24.4
remote-as zz
address-family ipv4 unicast
route-policy BGP_FILTER in
maximum-prefix nnnn 75 discard-extra-paths
!
!
!
If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Check Content Reference

M

Target Key

4029

Comments