CCIE Security V4 Technology Labs Section 1:

System Hardening and Availability

BGP TTL Security Hack


Last updated: May 3, 2013

Task
AS-65523 is experiencing a large number of DoS attacks on TCP port 179. Configure R1 and R3 for
BGP TTL Security Hack to prevent spoofing.

Explanation and Verification


The BGP TTL Security Hack (BTSH) is designed to protect the BGP (RFC1771) infrastructure from
CPU-utilization based attacks.
In Cisco IOS, the following is default behavior:
Any IP TTL value greater than or equal to 1 is considered valid per RFC 791 and accepted by the
router.
When sending packets, Cisco IOS uses a default IP TTL value of 1 for locally sourced eBGP
packets.
This means that an attacker can inject packets into the BGP stream from a distance, and the TTL
is valid as long as it has a value of 1 or more. Typically, network and router security policies
permit eBGP protocol packets from valid peers using only TCP port and sequence number
verification and, optionally, MD5 authentication. This can prevent a remote attacker from injecting
spoofed eBGP protocol packets into the session, but the problem that remains is that the receiving
router does not know whether the packet traveled one hop or many.
With GTSM enabled on both sides of the eBGP session, the way IOS handles IP TTL values for
eBGP packets is modified in the following ways:
IOS will transmit locally sourced eBGP packets with an IP TTL of 255.
IOS will only accept eBGP packets with an IP TTL value equal to or greater than 255, minus the
configured hop count for the associated eBGP peering session which is generally 1 for directly
connected eBGP peers.
This means that with GTSM enabled and a hop count of 1, eBGP accepts only packets arriving with
an IP TTL of 254 or higher. Because a remote attacker more than one hop away cannot deliver a
packet with an IP TTL of 254, they cannot inject spoofed packets into the session.
GTSM sets the TTL for outgoing packets to 255. For incoming packets, GTSM expects to see a
TTL >= 255-n, where n is a configured value. This means that the feature is mutually exclusive with
the eBGP MultiHop feature, because eBGP sessions by default set the TTL to 1 in the outgoing
packets and with the eBGP MultiHop feature it sets it to a configured value.
Therefore, when using the command neighbor IP_ADDR ttl-security hops 2, the minimal
acceptable TTL will be 253.
The configuration for this is fairly simple and must be done on both sides of the BGP neighbor
relationship. Begin on R3.

R3:

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router bgp 65523
R3(config-router)#neighbor 136.1.13.1 ttl-security hops 1
R3(config-router)#end
R3#

R1:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 65343
R1(config-router)#neighbor 136.1.13.3 ttl-security hops 1
R1(config-router)#end
R1#

We can verify the configuration on each side.

R1:

R1#sh ip bgp neigh | in neighbor
BGP neighbor is 136.1.13.3, remote AS 65523, external link
BGP table version 1, neighbor version 1/0
External BGP neighbor may be up to 1 hop away.
R1#

R3:

R3#show ip bgp neighbor 136.1.13.1 | in neighbor
BGP neighbor is 136.1.13.1, remote AS 65343, external link
BGP table version 1, neighbor version 1/0
External BGP neighbor may be up to 1 hop away.
R3#
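
As an added example (not part of the lab or of IOS), the acceptance rule from the explanation above and the hop count read back from the verification output, modelled in Python. The distance convention follows the text: a directly connected peer is 1 hop away and its packets arrive with TTL 254; the "show" line is a constructed copy of the R1 output.

```python
import re
from typing import Optional

# Added example, not from the lab: a model of the GTSM/BTSH check described above.
GTSM_TX_TTL = 255   # TTL that GTSM-enabled IOS stamps on locally sourced eBGP packets


def min_accepted_ttl(hops: int) -> int:
    """Lowest TTL a receiver configured with 'ttl-security hops <hops>' accepts."""
    return GTSM_TX_TTL - hops


def default_accepts(ttl: int) -> bool:
    """Default IOS behaviour: any TTL >= 1 is valid per RFC 791."""
    return ttl >= 1


def gtsm_accepts(ttl: int, hops: int) -> bool:
    """GTSM behaviour: accept only packets with TTL >= 255 - configured hops."""
    return ttl >= min_accepted_ttl(hops)


def max_arrival_ttl(sender_hops: int) -> int:
    """Best-case TTL a sender 'sender_hops' hops away can present on arrival,
    even if it starts at the maximum value of 255 (text convention: 1 hop -> 254)."""
    return max(GTSM_TX_TTL - sender_hops, 0)


def session_accepts(sender_hops: int, configured_hops: Optional[int]) -> bool:
    """Would the receiving speaker accept a segment from a sender sender_hops away?
    configured_hops=None means ttl-security is not configured (default check)."""
    ttl = max_arrival_ttl(sender_hops)
    if configured_hops is None:
        return default_accepts(ttl)
    return gtsm_accepts(ttl, configured_hops)


def hops_from_show_output(show_output: str) -> Optional[int]:
    """Read the configured hop count back from 'show ip bgp neighbors' output
    ('External BGP neighbor may be up to N hop away.')."""
    m = re.search(r"may be up to (\d+) hops? away", show_output)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed verification line, modelled on the R1 output in the lab.
    show = "External BGP neighbor may be up to 1 hop away."
    hops = hops_from_show_output(show)
    print("configured hops:", hops, "-> minimum accepted TTL:", min_accepted_ttl(hops))
    for distance in (1, 2, 10):
        print(f"sender {distance} hop(s) away: default={session_accepts(distance, None)}"
              f" gtsm={session_accepts(distance, hops)}")
```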