Wednesday, May 11, 2011

Lab 135 - BGP TTL Security

Prerequisites: CCNP level skills.

Note!
I have created a PDF document with OSPF Lab 1 and 2 containing a detailed lab breakdown. Check it out if you want. Any feedback is most welcome.
http://www.4shared.com/document/W8lhDzNo/Hacking-Cisco-OSPF-Lab1-2-Brea.html

Topology

Pic. 1 - Topology Diagram.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task 1
AS 50 has been experiencing a SYN attack on TCP port 179 (BGP). In order to protect the router, configure R5 so that it accepts BGP packets only from its directly connected neighbor.

Solution

Task 1
Notice!
Attack packets must be sent with a TTL higher than 1 in order to reach AS 50. Because BGP paths are volatile, the attacker will find it very difficult or almost impossible to calculate the TTL so that it is 1 when the packet is delivered to our router. The configuration must be done on both neighbors (R3 and R5).

R3 Configuration:
!
router bgp 123
 no synchronization
 bgp router-id 172.16.103.3
 bgp log-neighbor-changes
 network 172.16.103.0 mask 255.255.255.0
 neighbor 10.1.13.1 remote-as 123
 neighbor 10.1.13.1 route-reflector-client
 neighbor 10.1.13.1 next-hop-self
 neighbor 10.1.23.2 remote-as 123
 neighbor 10.1.23.2 route-reflector-client
 neighbor 10.1.23.2 next-hop-self
 neighbor 10.1.35.5 remote-as 50
 neighbor 10.1.35.5 ttl-security hops 1
 no auto-summary
!

R5 Configuration:
!
router bgp 50
 no synchronization
 bgp router-id 172.16.105.5
 bgp log-neighbor-changes
 network 172.16.105.0 mask 255.255.255.0
 neighbor 10.1.35.3 remote-as 123
 neighbor 10.1.35.3 ttl-security hops 1
 no auto-summary
!

Verification:
Pic. 2 - BGP Details on R3.

Pic. 3 - BGP Details on R5.
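
Added example (not part of the original lab): a small Python audit that reads an IOS "router bgp" section and reports, for every eBGP neighbor, whether ttl-security is configured and the minimum incoming TTL it implies (255 minus the hop count, so 254 for "hops 1"). It assumes asplain AS numbers; R5_UNPROTECTED is a constructed variant of R5 with the ttl-security line left out, and the function names are hypothetical.

```python
import re

# R3's BGP section as shown above, trimmed to the lines the audit reads.
R3 = """\
router bgp 123
 neighbor 10.1.13.1 remote-as 123
 neighbor 10.1.23.2 remote-as 123
 neighbor 10.1.35.5 remote-as 50
 neighbor 10.1.35.5 ttl-security hops 1
"""
# Constructed variant of R5 with the ttl-security line left out.
R5_UNPROTECTED = """\
router bgp 50
 neighbor 10.1.35.3 remote-as 123
"""

def parse_bgp(config):
    """Return (local_as, {peer_ip: {'remote_as', 'hops', 'multihop'}})."""
    local_as, peers = None, {}
    for line in map(str.strip, config.splitlines()):
        m = re.fullmatch(r"router bgp (\d+)", line)
        if m:
            local_as = int(m.group(1))
            continue
        m = re.fullmatch(r"neighbor (\S+) (.+)", line)
        if not m:
            continue
        peer = peers.setdefault(m.group(1), {"remote_as": None, "hops": None, "multihop": False})
        args = m.group(2).split()
        if args[0] == "remote-as":
            peer["remote_as"] = int(args[1])
        elif args[:2] == ["ttl-security", "hops"]:
            peer["hops"] = int(args[2])
        elif args[0] == "ebgp-multihop":
            peer["multihop"] = True
    return local_as, peers

def audit_ttl_security(config):
    """Map each eBGP peer to a finding; iBGP peers are skipped."""
    local_as, peers = parse_bgp(config)
    findings = {}
    for ip, p in peers.items():
        if p["remote_as"] in (None, local_as):
            continue  # iBGP peer, or no remote-as seen for this neighbor
        if p["hops"] is None:
            findings[ip] = "MISSING ttl-security"
        elif p["multihop"]:  # IOS does not allow both on the same neighbor
            findings[ip] = "CONFLICT with ebgp-multihop"
        else:
            findings[ip] = f"ok, minimum incoming TTL {255 - p['hops']}"
    return findings
```

Running audit_ttl_security on the saved configuration of each side of the peering shows whether both neighbors carry the command, as the solution requires.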