STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Router Security Technical Implementation Guide

V-283856

CAT II (Medium)

The Nokia Border Gateway Protocol (BGP) router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix deaggregation attacks.

Rule ID

SV-283856r1203817_rule

STIG

Nokia Service Router OS 25.x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements. In 1997, misconfigured routers in the Florida Internet Exchange network (AS7007) deaggregated every prefix in their routing table and started advertising the first /24 block of each of these prefixes as their own. Faced with this additional burden, the internal routers became overloaded and crashed repeatedly. This caused prefixes advertised by these routers to disappear from routing tables and reappear when the routers came back online. As the routers came back after crashing, they were flooded with the routing table information by their neighbors. The flood of information again overwhelmed the routers and caused them to crash. This process of route flapping destabilized not only the surrounding network but also the entire internet. Routers trying to reach those addresses would choose the smaller, more specific /24 blocks first. This caused backbone networks throughout North America and Europe to crash. Maximum prefix limits on peer connections combined with aggressive prefix-size filtering of customers' reachability advertisements will effectively mitigate the deaggregation risk. BGP maximum prefix must be used on all eBGP routers to limit the number of prefixes that it should receive from a particular neighbor, whether customer or peering autonomous system. Consider each neighbor and how many routes they should be advertising and set a threshold slightly higher than the number expected.

Check Content

Review the router configuration to verify the number of received prefixes from each eBGP neighbor is controlled.

Use the command below to verify the prefix limit for IPv4 and IPv6:

- show router bgp neighbor 20.20.20.2 detail | match "Prefix Limit" post-lines 6

Prefix Limits Per Address Family

Family        Limit       IdleTimeout   TH    LogOnly   PostImport  ExcessInact
-------------------------------------------------------------------------------
ipv4          500         forever       90    Disabled  Disabled    N/A
ipv6          500         forever       90    Disabled  Disabled    N/A

If the router is not configured to control the number of prefixes received from each peer to protect against route table flooding and prefix deaggregation attacks, this is a finding.

Fix Text

Configure all eBGP routers to use the maximum prefixes feature to protect against route table flooding and prefix deaggregation attacks, as shown in the example below: 

- configure router bgp group "eBGP" prefix-limit 500 ipv4
- configure router bgp group "eBGP" prefix-limit 500 ipv6