|Description||Prevent BGP (Border Gateway Protocol) Poisoning: Service Providers and Network Operators should use existing BGP filters to avoid propagating incorrect routing data. Options include: 1) Avoid route-flapping DoS by implementing RIPE-229 route-flap damping recommendations so that dampening does not suppress critical resources, 2) Stop malicious routing-table growth caused by de-aggregation by configuring a Max-Prefix Limit on peering connections, 3) Employ ISP ingress filters that permit customers to advertise only the IP address blocks assigned to them, 4) Avoid disruption to networks that use documented special-use addresses by ingress and egress filtering of "Martian" routes, 5) Avoid DoS caused by unauthorized route injection (particularly from compromised customers) by ingress filtering (from customers) and egress filtering (to peers) of prefixes assigned to other ISPs, 6) Stop DoS from unallocated route injection (via BGP table expansion or latent backscatter) by filtering "bogons" (routes for unallocated or reserved address space), by not running a default route, or by creating sink holes that advertise "bogons" locally, and 7) Employ a "Murphy filter" (guarded trust and mutual suspicion): apply the same filters to routes learned from peers to reinforce the filtering your peer should already have done.|
|Industry Role(s)||Service Provider; Network Operator|
|Keyword(s)||Cyber Security;Network Design;Network Elements;Network Operations;|
|Reference/Comments||http://www.cymru.com/Bogons/index.html; NSTAC ISP Working Group - BGP/DNS; RIPE-181; "A Route-Filtering Model for Improving Global Internet Routing Robustness", 222.iops.org/Documents/routing.html; NIST SP 800-54 Border Gateway Protocol Security|
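The following is an added worked example, not part of the best-practice text above or of any referenced document: a small Python model of the ingress and egress prefix filtering the description lists (Martian and bogon filtering, a de-aggregation limit, customer-assigned-block filtering, a maximum-prefix check, and egress filtering toward peers), run over constructed sample announcements. Every prefix, ASN, threshold and assignment in the block is an assumption made for illustration; in particular the "bogon" entry is a constructed stand-in, since the real unallocated list changes and must be taken from an authoritative feed.

```python
"""Added example (not the original page's text): a model of the BGP
ingress/egress filters a provider applies, evaluated over constructed
sample announcements. All prefixes, ASNs and thresholds are assumptions."""
import ipaddress


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Special-use ("Martian") space that must never be accepted or advertised
# globally (RFC 1918, RFC 1122, RFC 3927, RFC 5737, RFC 6598, RFC 2544,
# multicast and class E).
MARTIANS = nets("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
                "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
                "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")
# Unallocated ("bogon") space. Constructed stand-in for the example only:
# a production filter loads this list from an authoritative, updated feed.
BOGONS = nets("1.0.0.0/8")
MAX_PREFIX_LEN = 24        # anything longer is treated as de-aggregation (assumed)
MAX_PREFIXES = 3           # per-session maximum-prefix limit (assumed value)
# Constructed assignments: which blocks each customer AS is allowed to announce.
CUSTOMER_ASSIGNED = {64512: nets("203.0.96.0/20")}
OUR_BLOCKS = nets("203.0.0.0/18")   # constructed: our own aggregate


def covered(prefix, blocks):
    return any(prefix.subnet_of(b) for b in blocks)


def check_prefix(prefix):
    """Checks applied to every route regardless of who sent it (the 'Murphy
    filter': do not assume the peer filtered correctly). Returns a rejection
    reason or None."""
    if covered(prefix, MARTIANS):
        return "martian"
    if covered(prefix, BOGONS):
        return "bogon"
    if prefix.prefixlen > MAX_PREFIX_LEN:
        return "too-specific"
    return None


def filter_ingress(announcements, customer_as=None):
    """Evaluate (cidr, as_path) tuples received on one session. For a customer
    session also require that the prefix lies inside that customer's assigned
    blocks (which also rejects prefixes belonging to other ISPs) and that the
    AS path starts at the customer AS. Returns (accepted, rejections,
    over_limit), where over_limit mirrors a maximum-prefix violation."""
    accepted, rejections = [], {}
    for cidr, as_path in announcements:
        prefix = ipaddress.ip_network(cidr)
        reason = check_prefix(prefix)
        if reason is None and customer_as is not None:
            if not covered(prefix, CUSTOMER_ASSIGNED.get(customer_as, [])):
                reason = "not-assigned-to-customer"
            elif as_path[0] != customer_as:
                reason = "wrong-neighbor-as"
        if reason:
            rejections[cidr] = reason
        else:
            accepted.append(prefix)
    return accepted, rejections, len(accepted) > MAX_PREFIXES


def filter_egress(table):
    """Advertise to peers only what we are authoritative for: our own blocks
    and our customers' assignments. Routes learned from other peers are not
    re-advertised, so a leak or a compromised customer cannot make us transit."""
    allowed = OUR_BLOCKS + [b for bl in CUSTOMER_ASSIGNED.values() for b in bl]
    return [p for p in table if check_prefix(p) is None and covered(p, allowed)]


# Constructed sample UPDATEs received from customer AS 64512.
CUSTOMER_SESSION = [
    ("203.0.96.0/22", [64512]),     # inside the assigned block: accept
    ("203.0.100.0/24", [64512]),    # inside the assigned block: accept
    ("203.0.100.0/25", [64512]),    # de-aggregation beyond /24: reject
    ("10.1.0.0/16", [64512]),       # RFC 1918 Martian: reject
    ("1.2.3.0/24", [64512]),        # inside the constructed bogon block: reject
    ("198.0.0.0/16", [64512]),      # constructed: another ISP's block: reject
    ("203.0.104.0/24", [64513]),    # assigned block but path not from 64512: reject
]


def run_example():
    accepted, rejected, over = filter_ingress(CUSTOMER_SESSION, customer_as=64512)
    # Constructed routing table: customer routes, our aggregate, one peer-learned route.
    table = accepted + OUR_BLOCKS + nets("198.0.0.0/16")
    return {"accepted": [str(p) for p in accepted],
            "rejected": rejected,
            "over_limit": over,
            "advertised": [str(p) for p in filter_egress(table)]}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The order of checks matters in practice as well as here: the Martian, bogon and length checks run for every session, and only the customer session adds the assignment and neighbor-AS checks, because a peer legitimately carries the whole Internet table and can only be held to the generic filters plus the maximum-prefix limit.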