The Generalized TTL Security Mechanism (GTSM) is designed to protect devices against CPU utilization-based attacks by checking whether the time to live (TTL) value in the IP header is within a specified range.
An attack using "valid packets" overloads the device and consumes its resources, such as the CPU. For example, an attacker keeps sending packets to the device that imitate BGP packets. After receiving these packets, the device finds that it is their destination, so the forwarding plane sends them directly to the control plane for BGP processing without checking their validity. The device busies itself with processing these "valid" packets and its CPU is thus highly occupied.
The GTSM protects the services above the IP layer against such attacks by checking whether the TTL value in the IP header is within a pre-defined range. In practice, the GTSM is mainly used to protect the TCP/IP-based control plane, including the routing protocols, against CPU-utilization attacks such as CPU overload.
When configuring GTSM, note the following precautions:
The GTSM supports only unicast addresses; therefore, the GTSM must be configured on all the routers configured with routing protocols.
When being configured in the BGP view, the GTSM is also applicable to MP-BGP VPNv4 extensions because they use the same TCP connection.
The GTSM and EBGP-MAX-HOP functions both affect the TTL values of sent BGP packets and conflict with each other. Thus, for a given peer or peer group, you can use only one of them.
GTSM does not support tunnel-based neighbors. For example, suppose an IP packet that carries a BGP packet is transmitted through a tunnel. When the IP packet reaches the far end of the tunnel, the tunnel protocol decapsulates it, and the TTL value in the inner IP packet no longer reflects the number of forwarding hops; therefore, the GTSM cannot be applied.
A device on which GTSM is enabled checks the TTL values of all protocol packets. Packets whose TTL values are not within the range required by the actual networking are discarded. If GTSM is not configured, received protocol packets are forwarded if they match the neighbor configuration; otherwise, they are discarded. This prevents bogus protocol packets from consuming CPU resources.
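The following is an added illustration of the TTL check described above; it is not code from the original page or from any vendor's implementation. It models the GTSM rule that a protocol packet sent with TTL 255 and forwarded across at most N hops must arrive with a TTL of at least 256 - N, and applies it to a constructed neighbor table and a constructed batch of packets. The `gtsm_hops` per-peer setting, the neighbor and packet structures, and the sample addresses are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple, Dict

MAX_TTL = 255  # senders that participate in GTSM set the TTL to the maximum


@dataclass(frozen=True)
class PeerConfig:
    address: str
    # Maximum number of hops the peer may be away; None means GTSM is not
    # enabled for this peer (assumed per-peer setting, not a vendor CLI keyword).
    gtsm_hops: Optional[int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int


def gtsm_min_ttl(valid_hops: int) -> int:
    """Lowest TTL a packet may carry after crossing at most valid_hops routers.

    The sender starts at 255 and each router decrements the TTL by one, so a
    directly connected peer (1 hop) must deliver TTL 255, a peer 2 hops away
    must deliver 254 or 255, and so on.
    """
    if not 1 <= valid_hops <= MAX_TTL:
        raise ValueError("valid_hops must be between 1 and 255")
    return MAX_TTL - valid_hops + 1


def gtsm_accepts(ttl: int, valid_hops: int) -> bool:
    """True if the received TTL is within the GTSM range for this peer."""
    return gtsm_min_ttl(valid_hops) <= ttl <= MAX_TTL


def control_plane_filter(packets: List[Packet], peers: Dict[str, PeerConfig],
                         local_addr: str) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Decide which packets addressed to this device reach the control plane.

    Mirrors the page's rule: a packet is accepted only if it matches a
    configured neighbor and, when GTSM is enabled for that neighbor, its TTL
    is within range. Everything else is dropped before it can consume CPU.
    """
    accepted: List[Packet] = []
    dropped: List[Tuple[Packet, str]] = []
    for p in packets:
        if p.dst != local_addr:
            continue  # transit traffic is forwarded, never punted to the CPU
        peer = peers.get(p.src)
        if peer is None:
            dropped.append((p, "no matching neighbor"))
            continue
        if peer.gtsm_hops is not None and not gtsm_accepts(p.ttl, peer.gtsm_hops):
            lo = gtsm_min_ttl(peer.gtsm_hops)
            dropped.append((p, f"ttl {p.ttl} outside GTSM range {lo}-{MAX_TTL}"))
            continue
        accepted.append(p)
    return accepted, dropped


def run_demo() -> Tuple[List[str], List[str]]:
    """Apply the filter to constructed sample data; returns (accepted, drop reasons)."""
    local = "192.0.2.2"
    peers = {
        "192.0.2.1": PeerConfig("192.0.2.1", gtsm_hops=1),       # directly connected
        "198.51.100.1": PeerConfig("198.51.100.1", gtsm_hops=2),  # two hops away
        "203.0.113.1": PeerConfig("203.0.113.1", gtsm_hops=None), # GTSM not enabled
    }
    packets = [  # constructed sample traffic
        Packet("192.0.2.1", local, 255),     # genuine directly connected peer
        Packet("192.0.2.1", local, 250),     # claims to be that peer, arrived from farther away
        Packet("198.51.100.1", local, 254),  # genuine two-hop peer
        Packet("198.51.100.1", local, 253),  # one hop too many
        Packet("203.0.113.1", local, 60),    # no GTSM, only neighbor match is checked
        Packet("10.0.0.9", local, 255),      # not a configured neighbor
        Packet("192.0.2.1", "192.0.2.50", 255),  # transit, not for this device
    ]
    accepted, dropped = control_plane_filter(packets, peers, local)
    return [p.src for p in accepted], [reason for _, reason in dropped]


if __name__ == "__main__":
    ok, why = run_demo()
    print("accepted from:", ok)
    print("dropped:", why)
```

Note that the `gtsm_hops` value is set per peer from the actual topology, as the page's "as required by the actual networking" implies: a value that is too small drops legitimate multi-hop sessions, while a value that is too large widens the TTL window and weakens the protection.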