STIGQter STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.

DISA Rule

SV-216694r531086_rule

Vulnerability Number

V-216694

Group Title

SRG-NET-000362-RTR-000117

Rule Version

CISC-RT-000560

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks as shown in the example below:

R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 maximum-prefix nnnnnnn
R1(config-router)#neighbor x.2.1.7 maximum-prefix nnnnnnn

Check Contents

Review the router configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

router bgp xx
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 maximum-prefix nnnnnnn
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 maximum-prefix nnnnnnn

If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Vulnerability Number

V-216694

Documentable

False

Rule Version

CISC-RT-000560

Severity Override Guidance

Review the router configuration to verify that the number of received prefixes from each eBGP neighbor is controlled.

router bgp xx
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 maximum-prefix nnnnnnn
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 maximum-prefix nnnnnnn

If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix de-aggregation attacks, this is a finding.

Check Content Reference

M

Target Key

4028

Comments