The ALG must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000362-ALG-000120	SRG-NET-000362-ALG-000120	SRG-NET-000362-ALG-000120_rule		Medium

Description
A network element experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic. The network element must be configured to prevent or mitigate the impact on network availability and traffic flow of DoS attacks that have occurred or are ongoing. A variety of technologies and functionality can be leveraged to limit or, in some cases, eliminate the effects of DoS attacks (e.g., load balancing and access control lists). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. This requirement applies to the network traffic functionality of the network element as it pertains to handling network traffic. Some types of attacks may be specialized to certain network technology, functions, or services. For each technology, known and potential DoS attacks must be identified and solutions for each type implemented.

Description

A network element experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic. The network element must be configured to prevent or mitigate the impact on network availability and traffic flow of DoS attacks that have occurred or are ongoing. A variety of technologies and functionality can be leveraged to limit or, in some cases, eliminate the effects of DoS attacks (e.g., load balancing and access control lists). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. This requirement applies to the network traffic functionality of the network element as it pertains to handling network traffic. Some types of attacks may be specialized to certain network technology, functions, or services. For each technology, known and potential DoS attacks must be identified and solutions for each type implemented.

STIG	Date
Application Layer Gateway Security Requirements Guide	2014-06-27

Details

Check Text ( C-SRG-NET-000362-ALG-000120_chk )
Verify the ALG protects against or limits the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards. If the ALG does not protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards, this is a finding.

Fix Text (F-SRG-NET-000362-ALG-000120_fix)
Configure the ALG to protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.