JUEX-RT-000090 - The Juniper router configured for MSDP must limit the amount of source-active messages it accepts on per-peer basis.

Information

To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.

Solution

Configure the MSDP router to limit the amount of source-active messages it accepts from each peer.

set protocols msdp active-source-limit maximum <1..1000000>
set protocols msdp active-source-limit threshold <1..1000000>
set protocols msdp active-source-limit log-warning <percent to log warning>
<additional configuration>
set protocols msdp peer <address> active-source-limit maximum <1..1000000>
set protocols msdp peer <address> active-source-limit threshold <1..1000000>
set protocols msdp peer <address> active-source-limit log-warning <percent to log warning>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001368, Rule-ID|SV-253981r843976_rule, STIG-ID|JUEX-RT-000090, Vuln-ID|V-253981

Plugin: Juniper

Control ID: 939b13e694b6be3669d2fba2cc4f7a1a5acb78e36e3e48cbafe33da230e4f722