The RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customer or the local autonomous system (AS).
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-273573 | SRG-NET-000018-RTR-000005 | RCKS-RTR-000050 | SV-273573r1111031_rule | 2025-06-03 | 1 |
Description
Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes.
ℹ️ Check
Review the router configuration to verify that a filter is defined so that only routes for prefixes belonging to its customers or the local AS are advertised.
This requirement is not applicable for the DODIN Backbone.
1. Verify a prefix-list is configured for routes belonging to the local AS.

```
ICX# show ip prefix-lists
ip prefix-list local-AS: 2 entries
seq 5 permit x.1.1.0/24
seq 10 permit x.1.2.0/24
```

2. Verify the prefix-list is applied to outbound routes to neighbors.

```
ICX# show ip bgp config
Current BGP configuration:
router bgp
local-as 1000
neighbor x.x.x.x remote-as 1001
neighbor x.x.x.x prefix-list local-AS out
```
If the router does not filter out prefix advertisements for prefixes that do not belong to the local AS, this is a finding.
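As an added example (not part of the STIG text), the following Python checker parses the two show command outputs from the check above and reports the conditions that make this a finding: a neighbor with no outbound prefix-list, a referenced prefix-list that is not defined, and a permit entry for a prefix outside the local AS or widened with ge/le. The sample output is constructed, with RFC 5737 documentation addresses in place of the x.x.x.x placeholders, and the list of local-AS prefixes is supplied by the caller.

```python
import re

# Constructed sample output modelled on the check text (x.x.x.x replaced by RFC 5737 addresses); not captured from a real ICX
PREFIX_LISTS = """ip prefix-list local-AS: 2 entries
seq 5 permit 198.51.100.0/24
seq 10 permit 203.0.113.0/24
"""
BGP_CONFIG = """router bgp
local-as 1000
neighbor 192.0.2.1 remote-as 1001
neighbor 192.0.2.1 prefix-list local-AS out
neighbor 192.0.2.2 remote-as 1002
"""

def parse_prefix_lists(text):
    """Map list name -> [(action, prefix, widened)] from 'show ip prefix-lists' output."""
    lists, entries = {}, None
    for line in text.splitlines():
        head = re.match(r"ip prefix-list (\S+):", line)
        if head:
            entries = lists.setdefault(head.group(1), [])
        entry = re.match(r"seq \d+ (permit|deny) (\S+)(.*)", line)
        if entry and entries is not None:
            # a trailing 'ge'/'le' widens the entry beyond the exact prefix shown
            widened = bool(re.search(r"\b(ge|le)\b", entry.group(3)))
            entries.append((entry.group(1), entry.group(2), widened))
    return lists

def parse_neighbors(text):
    """Map neighbor IP -> outbound prefix-list name, or None if none is applied."""
    nbrs = {}
    for line in text.splitlines():
        m = re.match(r"neighbor (\S+) (?:remote-as \d+|prefix-list (\S+) out)", line)
        if m:
            nbrs[m.group(1)] = m.group(2) or nbrs.get(m.group(1))
    return nbrs

def bgp_findings(prefix_text, bgp_text, local_prefixes):
    """Return one string per finding for the check above; an empty list means compliant."""
    allowed, lists, findings = set(local_prefixes), parse_prefix_lists(prefix_text), []
    for ip, name in parse_neighbors(bgp_text).items():
        if name is None:
            findings.append(f"{ip}: no outbound prefix-list applied")
        elif name not in lists:
            findings.append(f"{ip}: prefix-list {name} is referenced but not defined")
        else:
            for action, prefix, widened in lists[name]:
                if action == "permit" and (prefix not in allowed or widened):
                    findings.append(f"{ip}: {name} permits non-local prefix {prefix}")
    return findings
```

Running it on the constructed output flags 192.0.2.2, which has a remote-as but no outbound prefix-list, while 192.0.2.1 passes.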
✔️ Fix
Configure a prefix-list representing the prefixes that belong to the local AS and apply it to the BGP neighbors, similar to what is shown below (the list name used on the neighbor line must match the list that was defined, and each entry needs its own sequence number):

```
ip prefix-list local-AS seq 5 permit x.1.1.0/24
ip prefix-list local-AS seq 10 permit x.1.2.0/24
ip prefix-list local-AS seq 15 deny 0.0.0.0/0 ge 8
router bgp
local-as 1000
neighbor x.x.x.x remote-as 1001
neighbor x.x.x.x prefix-list local-AS out
```