JUNI-RT-000480 - The Juniper BGP router must be configured to reject inbound route advertisements for any Bogon prefixes - prefix-list

Information

Accepting route advertisements for Bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems.

Solution

Configure the router to reject inbound route advertisements for any Bogon prefixes.

Configure a prefix list containing the current Bogon prefixes as shown below.

[edit policy-options]
set prefix-list BOGON_PREFIXES 0.0.0.0/8
set prefix-list BOGON_PREFIXES 10.0.0.0/8
set prefix-list BOGON_PREFIXES 100.64.0.0/10
set prefix-list BOGON_PREFIXES 127.0.0.0/8
set prefix-list BOGON_PREFIXES 169.254.0.0/16
set prefix-list BOGON_PREFIXES 172.16.0.0/12
set prefix-list BOGON_PREFIXES 192.0.0.0/24
set prefix-list BOGON_PREFIXES 192.0.2.0/24
set prefix-list BOGON_PREFIXES 192.168.0.0/16
set prefix-list BOGON_PREFIXES 198.18.0.0/15
set prefix-list BOGON_PREFIXES 198.51.100.0/24
set prefix-list BOGON_PREFIXES 203.0.113.0/24
set prefix-list BOGON_PREFIXES 224.0.0.0/4
set prefix-list BOGON_PREFIXES 240.0.0.0/4

At the same [edit policy-options] hierarchy, configure a policy-statement whose first term rejects the Bogon prefixes and whose final term accepts everything else.

set policy-statement FILTER_ROUTES term REJECT_BOGONS from prefix-list BOGON_PREFIXES
set policy-statement FILTER_ROUTES term REJECT_BOGONS then reject
set policy-statement FILTER_ROUTES term ACCEPT_OTHER then accept

Configure an import statement referencing the policy to reject Bogons on all external BGP peers.

[edit protocols bgp group GROUP_AS4]
set import FILTER_ROUTES
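As an added check, not part of the STIG text or of Tenable's audit plugin: a Python script that parses set-format Junos configuration (the sample is constructed from the commands above, with the [edit ...] hierarchy expanded into full set paths), confirms every required Bogon prefix is in the prefix-list and that each BGP group applies the policy on import, then walks the policy's terms the way Junos does to show which inbound advertisements the import would reject. The group name GROUP_AS5 is an assumption, added only so the check has a peer group with no import policy to flag.

```python
import ipaddress

# Constructed sample input: the commands from this STIG item as full "set"
# paths. GROUP_AS5 is an assumed second peer group with no import policy.
SAMPLE_CONFIG = """
set policy-options prefix-list BOGON_PREFIXES 0.0.0.0/8
set policy-options prefix-list BOGON_PREFIXES 10.0.0.0/8
set policy-options prefix-list BOGON_PREFIXES 100.64.0.0/10
set policy-options prefix-list BOGON_PREFIXES 127.0.0.0/8
set policy-options prefix-list BOGON_PREFIXES 169.254.0.0/16
set policy-options prefix-list BOGON_PREFIXES 172.16.0.0/12
set policy-options prefix-list BOGON_PREFIXES 192.0.0.0/24
set policy-options prefix-list BOGON_PREFIXES 192.0.2.0/24
set policy-options prefix-list BOGON_PREFIXES 192.168.0.0/16
set policy-options prefix-list BOGON_PREFIXES 198.18.0.0/15
set policy-options prefix-list BOGON_PREFIXES 198.51.100.0/24
set policy-options prefix-list BOGON_PREFIXES 203.0.113.0/24
set policy-options prefix-list BOGON_PREFIXES 224.0.0.0/4
set policy-options prefix-list BOGON_PREFIXES 240.0.0.0/4
set policy-options policy-statement FILTER_ROUTES term REJECT_BOGONS from prefix-list BOGON_PREFIXES
set policy-options policy-statement FILTER_ROUTES term REJECT_BOGONS then reject
set policy-options policy-statement FILTER_ROUTES term ACCEPT_OTHER then accept
set protocols bgp group GROUP_AS4 import FILTER_ROUTES
set protocols bgp group GROUP_AS5 type external
"""

# The Bogon prefixes this STIG item requires in the prefix-list.
REQUIRED_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]


def parse_set_config(text):
    """Extract prefix-lists, policy-statement terms (kept in configured order)
    and BGP group import policies from set-format Junos configuration text."""
    cfg = {"prefix_lists": {}, "policies": {}, "bgp_groups": {}}
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] != ["set"]:
            continue
        if tokens[1:3] == ["policy-options", "prefix-list"] and len(tokens) == 5:
            cfg["prefix_lists"].setdefault(tokens[3], set()).add(
                ipaddress.ip_network(tokens[4]))
        elif (tokens[1:3] == ["policy-options", "policy-statement"]
              and len(tokens) >= 8 and tokens[4] == "term"):
            terms = cfg["policies"].setdefault(tokens[3], {})
            term = terms.setdefault(tokens[5], {"from": [], "then": None})
            if tokens[6:8] == ["from", "prefix-list"]:
                term["from"].append(tokens[8])
            elif tokens[6] == "then":
                term["then"] = tokens[7]
        elif tokens[1:4] == ["protocols", "bgp", "group"] and len(tokens) >= 5:
            group = cfg["bgp_groups"].setdefault(tokens[4], {"import": None})
            if tokens[5:6] == ["import"] and len(tokens) == 7:
                group["import"] = tokens[6]
    return cfg


def missing_bogons(cfg, list_name="BOGON_PREFIXES"):
    """Required Bogon prefixes absent from the named prefix-list."""
    present = cfg["prefix_lists"].get(list_name, set())
    return [p for p in REQUIRED_BOGONS if ipaddress.ip_network(p) not in present]


def groups_without_import(cfg, policy="FILTER_ROUTES"):
    """BGP groups that do not apply the Bogon-rejecting policy on import."""
    return [g for g, v in cfg["bgp_groups"].items() if v["import"] != policy]


def evaluate_import(cfg, policy_name, prefix):
    """Walk the policy's terms in order and return 'accept' or 'reject' for a
    received prefix. 'from prefix-list' is modelled as Junos applies it: an
    exact-prefix match. If no terminating term matches, the default BGP
    import action is accept."""
    net = ipaddress.ip_network(prefix)
    for term in cfg["policies"].get(policy_name, {}).values():
        # A term with no 'from' condition matches every route.
        matched = all(net in cfg["prefix_lists"].get(lst, set())
                      for lst in term["from"])
        if matched and term["then"] in ("accept", "reject"):
            return term["then"]
    return "accept"


if __name__ == "__main__":
    config = parse_set_config(SAMPLE_CONFIG)
    for p in missing_bogons(config):
        print(f"finding: prefix-list BOGON_PREFIXES is missing {p}")
    for g in groups_without_import(config):
        print(f"finding: bgp group {g} does not import FILTER_ROUTES")
    for route in ("10.0.0.0/8", "10.1.0.0/16", "203.0.113.0/24"):
        print(route, "->", evaluate_import(config, "FILTER_ROUTES", route))
```

The evaluator deliberately models `from prefix-list` as an exact match, because that is how Junos treats it: an advertisement for a more-specific Bogon such as 10.1.0.0/16 does not match the REJECT_BOGONS term as written and falls through to ACCEPT_OTHER. Junos offers `prefix-list-filter BOGON_PREFIXES orlonger` as the form that also matches longer prefixes within each listed block; which form a site uses is a policy decision, but the check makes the difference visible before the configuration is trusted.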

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-217053r604135_rule, STIG-ID|JUNI-RT-000480, STIG-Legacy|SV-101101, STIG-Legacy|V-90891, Vuln-ID|V-217053

Plugin: Juniper

Control ID: 0750848fbc4b7b4723855ae5a9ef8c3c279ee713c4a56d34b506bc7e933aa775