Alcatel-Lucent 7450 - TTL Security for LDP

Page 56 7450 ESS System Management Guide
TTL Security for LDP
The BGP TTL Security Hack (BTSH) was originally designed to protect the infrastructure from
CPU utilization-based attacks. It is based on the fact that the vast majority of ISP eBGP
peerings are established between adjacent routers. Since TTL spoofing cannot be performed, a
mechanism based on an expected TTL value can provide a simple and reasonably robust
defense from infrastructure attacks based on forged BGP packets.
While TSH is most effective in protecting directly connected peers, it can also provide a lower
level of protection to multi-hop sessions. When a multi-hop BGP session is required, the
expected TTL value can be set to 255 minus the configured range-of-hops. This approach can
provide a qualitatively lower degree of security (for example, a DoS attack could,
theoretically, be launched by compromising a box in the path). However, BTSH will catch a
vast majority of observed distributed DoS (DDoS) attacks.
TSH can be used to protect LDP peering sessions as well. For details, see
draft-chen-ldp-ttl-xx.txt, TTL-Based Security Option for LDP Hello Message.
The TSH implementation supports the ability to configure TTL security per BGP/LDP peer
and evaluate (in hardware) the incoming TTL value against the configured TTL value. If the
incoming TTL value is less than the configured TTL value, the packets are discarded and a log
is generated.
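The evaluation rule described above (expected TTL = 255 minus the configured range-of-hops for multi-hop peers, discard and log when the incoming TTL is below the configured value), worked through as an added Python illustration; this is not code from the guide or from the 7450 ESS, and the peer addresses, configuration table and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_TTL = 255  # initial TTL a TSH-enabled peer sets on the packets it sends


def min_ttl_for_hops(range_of_hops: int) -> int:
    """Expected (minimum) TTL for a multi-hop session, following the guide's
    rule of 255 minus the configured range-of-hops. A directly connected
    peer is simply configured with 255 (range-of-hops 0)."""
    if not 0 <= range_of_hops < MAX_TTL:
        raise ValueError("range-of-hops must be between 0 and 254")
    return MAX_TTL - range_of_hops


@dataclass(frozen=True)
class Packet:
    src: str  # source address of the received BGP/LDP packet
    ttl: int  # TTL observed on arrival


# Hypothetical per-peer TTL security configuration: peer address -> minimum TTL.
PEER_MIN_TTL: Dict[str, int] = {
    "192.0.2.1": MAX_TTL,                # directly connected LDP peer
    "203.0.113.7": min_ttl_for_hops(3),  # multi-hop BGP peer, 3 hops away -> 252
}


def evaluate(pkt: Packet, config: Dict[str, int]) -> Tuple[bool, Optional[str]]:
    """Apply the rule: incoming TTL < configured TTL -> discard and emit a log line."""
    configured = config.get(pkt.src)
    if configured is None:
        return True, None  # no ttl-security configured for this source: not checked
    if pkt.ttl < configured:
        return False, (f"ttl-security: discarded packet from {pkt.src} "
                       f"ttl={pkt.ttl} below configured {configured}")
    return True, None


def filter_packets(pkts: List[Packet], config: Dict[str, int] = PEER_MIN_TTL):
    """Return (accepted packets, log lines for discarded packets)."""
    accepted, logs = [], []
    for pkt in pkts:
        ok, log = evaluate(pkt, config)
        (accepted if ok else logs).append(pkt if ok else log)
    return accepted, logs


# Constructed sample traffic (documentation prefixes, not real peers).
SAMPLE = [
    Packet("192.0.2.1", 255),    # genuine directly connected peer
    Packet("192.0.2.1", 250),    # forged source: traversed routers, TTL decremented
    Packet("203.0.113.7", 253),  # genuine multi-hop peer, within 3 hops
    Packet("203.0.113.7", 251),  # below 252: too far away, discarded
    Packet("198.51.100.9", 100), # peer without ttl-security: check does not apply
]
```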
