OSPF LSA Threshold: Security Finding

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

OSPF LSA Threshold: Security Finding

L1 Bithead

Wondering if there's a way to configure a threshold for OSPF LSA updates/messages?
Or if such a threshold is already in place by default on Palo Alto firewalls.  

Something that can maybe drop anything more than say 7 LSA messages in 5 minutes.
Apparently, there's a security threat related to a device getting DOS'd by an overwhelming flow of LSA messages and our security consultant wants us to configure a threshold to drop more than x number of LSA messages in a given period.

I see there's an LSA interval like this:

LSA Interval (sec)—The option specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.

 

Yet that doesn't seem to address the issue of an overwhelming number of updates being sent maliciously.

For comparison on the Cisco-side there's a concept of: 

"OSPF Link-State Database Overload Protection" 
which is configured with this command in the OSPF router process:
max-lsa maximum-number [threshold-percentage] [warning-only] [ignore-time minutes] [ignore-count count-number] [reset-time minutes]

1 accepted solution

Accepted Solutions

L7 Applicator

No, these parameters are not available in PanOS.  You could contact your sales engineer to see if there is an existing FR (Feature Request) on file for this and have them add a vote or create one.  If it is new tell them it is covered under RFC 5286 for implementation.

 

But remember that Palo Alto is a security company here that also does routing.  So the pace of feature implementation on the routing side can be on the slow side.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

2 REPLIES 2

L7 Applicator

No, these parameters are not available in PanOS.  You could contact your sales engineer to see if there is an existing FR (Feature Request) on file for this and have them add a vote or create one.  If it is new tell them it is covered under RFC 5286 for implementation.

 

But remember that Palo Alto is a security company here that also does routing.  So the pace of feature implementation on the routing side can be on the slow side.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Got the same reply in the notes of a case opened with PAN support.  They must have been looking over your shoulder.  Sent email to our SE and will follow up with same.

  • 1 accepted solution
  • 3284 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!