Configuring GTSM for RIP

Generalized TTL Security Mechanism (GTSM) defends against attacks by checking the TTL value.

Context

During network attacks, attackers may simulate RIP packets and continuously send them to a router. If the packets are destined for the router, it directly forwards them to the control plane for processing without validating them. As a result, the increased processing workload on the control plane results in high CPU usage. Generalized TTL Security Mechanism (GTSM) defends against attacks by checking whether the time to live (TTL) value in each IP packet header is within a pre-defined range.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run rip valid-ttl-hops valid-ttl-hops-value [ vpn-instance vpn-instance-name ]

    GTSM is configured for RIP.

    The valid TTL range of the detected packets is [ 255 -valid-ttl-hops-value + 1, 255 ].

  3. Run commit

    The configuration is committed.

  4. Set the default action for packets that do not match the GTSM policy.

    GTSM only checks the TTL values of packets that match the GTSM policy. Packets that do not match the GTSM policy can be allowed or dropped.

    You can enable the log function to record packet drop for troubleshooting.

    Perform the following configurations on the GTSM-enabled router:

    1. Run system-view

      The system view is displayed.

    2. Run gtsm default-action { drop | pass }

      The default action for packets that do not match the GTSM policy is configured.

      If the default action is configured but no GTSM policy is configured, GTSM does not take effect.

      This command is supported only on the Admin-VS and cannot be configured in other VSs. This command takes effect on all VSs.

    3. Run commit

      The configuration is committed.

Parent Topic: Improving RIP Network Security
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >