STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Arista MLS EOS 4.X Router Security Technical Implementation Guide

V-256039

CAT III (Low)

The Arista BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

Rule ID

SV-256039r882459_rule

STIG

Arista MLS EOS 4.X Router Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-002385

Discussion

GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.

Check Content

Review the Arista router configuration.

Arista MLS IP packets to GTSM enabled BGP peers are sent with the configured TTL value of 254.

router bgp NNN
 neighbor 10.1.12.2 ttl maximum-hops 2

If the Arista router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.

Fix Text

Configure all Exterior Border Gateway Protocol peering sessions to use GTSM.

router bgp 65000
 neighbor 10.1.12.2 ttl maximum-hops 2