Wondering if there's a way to configure a threshold for OSPF LSA updates/messages? Or if such a threshold is already in place by default on Palo Alto firewalls. Something that can maybe drop anything more than say 7 LSA messages in 5 minutes.

Apparently, there's a security threat related to a device getting DoS'd by an overwhelming flow of LSA messages, and our security consultant wants us to configure a threshold to drop more than x number of LSA messages in a given period.

I see there's an LSA interval like this:

• LSA Interval (sec) - The option specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.

Yet that doesn't seem to address the issue of an overwhelming number of updates being sent maliciously.

For comparison, on the Cisco side there's a concept of "OSPF Link-State Database Overload Protection", which is configured with this command in the OSPF router process:

max-lsa maximum-number [ threshold-percentage ] [ warning-only ] [ ignore-time minutes ] [ ignore-count count-number ] [ reset-time minutes ]
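As an added illustration of the two thresholds the question contrasts (not code from the post, Palo Alto, or Cisco), the following Python models a per-neighbor "more than 7 LSA updates in 5 minutes" sliding-window check next to a simplified version of the max-lsa semantics (warn at a percentage of the maximum, ignore or warn-only above it). The neighbor IDs, event timestamps and the exact state transitions are constructed assumptions for the demo, not observed device behaviour.

```python
from collections import defaultdict, deque


class LsaRateGuard:
    """Sliding-window check: more than max_msgs LSA updates from one
    neighbor within window_sec seconds is treated as a flood
    (7 in 5 minutes, the figure used in the question)."""

    def __init__(self, max_msgs=7, window_sec=300):
        self.max_msgs, self.window_sec = max_msgs, window_sec
        self.arrivals = defaultdict(deque)  # neighbor router-id -> timestamps

    def check(self, neighbor, ts):
        q = self.arrivals[neighbor]
        while q and ts - q[0] >= self.window_sec:  # expire arrivals outside window
            q.popleft()
        q.append(ts)
        return "drop" if len(q) > self.max_msgs else "accept"


class LsdbOverloadGuard:
    """Simplified model of Cisco max-lsa (assumed semantics): count
    non-self-originated LSAs, warn once threshold_pct of the maximum is
    reached, and ignore the source (or only warn, if warning_only) once
    the maximum is exceeded."""

    def __init__(self, max_lsa, threshold_pct=75, warning_only=False):
        self.max_lsa, self.warning_only = max_lsa, warning_only
        self.warn_at = max_lsa * threshold_pct // 100
        self.count = 0

    def add(self, n=1):
        self.count += n
        if self.count > self.max_lsa:
            return "warn" if self.warning_only else "ignore"
        return "warn" if self.count >= self.warn_at else "ok"


# Constructed sample: 10.0.0.2 sends a normal trickle, 10.0.0.9 floods
# nine updates within 90 seconds (timestamps are seconds, not real logs).
SAMPLE_EVENTS = [(t, "10.0.0.2") for t in (0, 120, 240, 400, 700)] + \
                [(300 + i * 10, "10.0.0.9") for i in range(9)]


def run_sample():
    """Return (neighbor, verdict) for each event in time order."""
    guard = LsaRateGuard()
    return [(nb, guard.check(nb, t)) for t, nb in sorted(SAMPLE_EVENTS)]
```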