InterviewSolution
1. What do you understand about TTL Security in the context of BGP? What is the need for TTL security in BGP?

Answer» When an eBGP neighbourship is built across a service provider network, there is a security risk that an attacker in the unprotected Internet Service Provider domain reaches into the secured customer environment. A drawback of eBGP multihop is that a DoS attack can be mounted by sending large numbers of spoofed but otherwise legal-looking packets at a BGP router. TTL Security is the method used to protect an eBGP session from DoS attacks of this kind. The BGP TTL Security check can be applied only to eBGP sessions, not to iBGP sessions, and TTL Security and eBGP multihop are mutually exclusive: only one of them can be enabled for a directly connected or multihop peering session. The TTL Security feature is configured against an eBGP neighbour with a single command:

neighbor ip-address ttl-security hops hop-count

By default, BGP sends packets to external neighbours with a TTL of 1 and accepts packets from external neighbours with a TTL of 0 or higher (as measured after the local router has decremented the TTL of the incoming packet). TTL Security changes this default by requiring BGP to originate packets with a TTL of 255.
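The check described in the answer, as an added example that is not part of the original page: a small Python model of the receive-side TTL Security test (RFC 5082 GTSM, which accepts only packets whose TTL is at least 255 minus the configured hop count) beside BGP's default acceptance, including the mutual exclusion with eBGP multihop. The addresses, hop counts and class names are constructed for the demonstration.

```python
"""Added example (not from the original page): a minimal model of the BGP
TTL Security check (GTSM, RFC 5082) versus BGP's default TTL handling.
Addresses and hop counts below are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, Optional

MAX_TTL = 255          # TTL the sender must originate with under TTL Security
DEFAULT_EBGP_TTL = 1   # TTL eBGP uses toward external neighbours by default


@dataclass
class EbgpSession:
    peer: str
    ttl_security_hops: Optional[int] = None   # 'neighbor <peer> ttl-security hops N'
    ebgp_multihop: bool = False               # 'neighbor <peer> ebgp-multihop'

    def __post_init__(self):
        # TTL Security and eBGP multihop cannot both be enabled on one session.
        if self.ttl_security_hops is not None and self.ebgp_multihop:
            raise ValueError("ttl-security and ebgp-multihop cannot both be set")
        if self.ttl_security_hops is not None and not 1 <= self.ttl_security_hops <= 254:
            raise ValueError("hop-count must be 1..254")

    def accepts(self, ttl_after_decrement: int) -> bool:
        """Receive-side check on a packet's TTL, measured after the local
        router has decremented it (the convention the answer uses)."""
        if self.ttl_security_hops is None:
            return ttl_after_decrement >= 0          # default: any TTL passes
        return ttl_after_decrement >= MAX_TTL - self.ttl_security_hops


def ttl_at_receiver(origin_ttl: int, router_hops: int) -> int:
    """TTL after crossing `router_hops` routers, the receiving BGP speaker
    included; each one decrements the TTL by 1."""
    return max(origin_ttl - router_hops, 0)


def evaluate(session: EbgpSession, sources: Dict[str, int]) -> Dict[str, bool]:
    """For each {source: distance in router hops}, decide whether a packet the
    source originates with the highest TTL it can set (255) is accepted.
    Spoofing the source address does not shorten the path, so a remote sender
    cannot forge a TTL higher than its distance allows."""
    return {src: session.accepts(ttl_at_receiver(MAX_TTL, hops))
            for src, hops in sources.items()}


if __name__ == "__main__":
    # Constructed topology: the real peer is directly connected (1 hop);
    # a spoofing host deeper in the provider network is 6 hops away.
    sources = {"peer 192.0.2.1 (1 hop)": 1, "spoofer posing as 192.0.2.1 (6 hops)": 6}
    print(evaluate(EbgpSession("192.0.2.1"), sources))                       # both accepted
    print(evaluate(EbgpSession("192.0.2.1", ttl_security_hops=1), sources))  # only the peer
```

With the default policy both packets are accepted, which is the exposure the answer describes; with `ttl-security hops 1` only the directly connected peer passes, while a source within the configured hop radius would still be accepted, so the hop count should be set no larger than the real peer distance.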