STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.

DISA Rule

SV-217060r639663_rule

Vulnerability Number

V-217060

Group Title

SRG-NET-000362-RTR-000117

Rule Version

JUNI-RT-000540

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Configure the router to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below.

[edit protocols bgp group GROUP_AS4]
set family inet unicast prefix-limit maximum nnnnn teardown

Check Contents

Review the router configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

protocols {
bgp {
group GROUP_AS4 {
type external;
family inet {
unicast {
prefix-limit {
maximum 10;
teardown;
}
}
} peer-as 4;
neighbor x.x.x.x;
}

If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Vulnerability Number

V-217060

Documentable

False

Rule Version

JUNI-RT-000540

Severity Override Guidance

Review the router configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

protocols {
bgp {
group GROUP_AS4 {
type external;
family inet {
unicast {
prefix-limit {
maximum 10;
teardown;
}
}
} peer-as 4;
neighbor x.x.x.x;
}

If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Check Content Reference

M

Target Key

4032

Comments