Ttl Security For Ldp - Alcatel-Lucent 7450 Manual

Label Distribution Protocol

TTL Security for LDP

The TTL Security Hack (BTSH) was originally designed to protect the infrastructure from CPU utilization-based attacks. It is derived from the fact that the vast majority of ISP eBGP peerings are established between adjacent routers. Since TTL spoofing is considered nearly impossible (a packet's TTL can only be decremented in transit, never increased), a mechanism based on an expected TTL value can provide a simple and reasonably robust defense against infrastructure attacks based on forged packets.

While the TTL Security Hack (TSH) is most effective in protecting directly connected peers, it can also provide a lower level of protection to multi-hop sessions. When a multi-hop BGP session is required, the expected TTL value can be set to 255 minus the configured range-of-hops. This approach provides a qualitatively lower degree of security (for example, a DoS attack could, theoretically, be launched by compromising a box in the path). However, BTSH will still catch the vast majority of observed distributed DoS (DDoS) attacks.

TSH can be used to protect LDP peering sessions as well. For details, see draft-chen-ldp-ttl-xx.txt, TTL-Based Security Option for LDP Hello Message.

The TSH implementation supports the ability to configure TTL security per LDP peer and to evaluate (in hardware) the incoming TTL value against the configured TTL value. If the incoming TTL value is less than the configured TTL value, the packets are discarded and a log is generated.
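The per-peer check described above, simulated in software as an added example (this is not the 7450's own code, which performs the evaluation in hardware): each protected peer gets an expected TTL of 255 minus its configured range-of-hops, and arriving packets below that value are discarded and logged. The peer addresses, TTL values and log format are constructed for the example.

```python
from dataclasses import dataclass

MAX_TTL = 255  # TTL a peer puts on packets it originates; every router hop decrements it by one


@dataclass(frozen=True)
class TtlSecurityPolicy:
    """Per-peer TTL security setting (constructed for this example)."""
    peer: str
    range_of_hops: int = 0  # 0 for a directly connected peer

    @property
    def expected_ttl(self) -> int:
        """Minimum TTL accepted: 255 minus the configured range of hops."""
        return MAX_TTL - self.range_of_hops


def evaluate_ttl(policy: TtlSecurityPolicy, ttl: int):
    """Return (accepted, log_line); a TTL below the configured value is discarded and logged."""
    if ttl < policy.expected_ttl:
        return False, (f"LDP TTL security: discarded packet from {policy.peer} "
                       f"ttl={ttl} expected>={policy.expected_ttl}")
    return True, None


def filter_ldp_packets(policies, packets):
    """Apply the per-peer check to (peer, ttl) pairs; peers without a policy are not checked."""
    accepted, logs = [], []
    for peer, ttl in packets:
        policy = policies.get(peer)
        ok, log = evaluate_ttl(policy, ttl) if policy else (True, None)
        if ok:
            accepted.append((peer, ttl))
        else:
            logs.append(log)
    return accepted, logs


# Constructed sample input: two protected LDP peers and the TTLs seen on arriving packets.
POLICIES = {
    "10.0.0.2": TtlSecurityPolicy("10.0.0.2"),                   # directly connected peer
    "10.0.1.9": TtlSecurityPolicy("10.0.1.9", range_of_hops=3),  # multi-hop (targeted) session
}
SAMPLE_PACKETS = [
    ("10.0.0.2", 255),  # genuine hello from the adjacent peer
    ("10.0.0.2", 250),  # forged source address: the packet has crossed five routers
    ("10.0.1.9", 253),  # genuine, two hops traversed, inside the configured range
    ("10.0.1.9", 251),  # one hop beyond the range: discarded and logged
]

if __name__ == "__main__":
    kept, dropped = filter_ldp_packets(POLICIES, SAMPLE_PACKETS)
    print(f"accepted={kept}", *dropped, sep="\n")
```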
7450 ESS MPLS Guide
Page 533