The BIG-IP Core implementation must be configured to implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks to virtual servers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-60363	F5BI-LT-000217	SV-74793r1_rule		High

Description
If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redundancy; which service redundancy reduces the susceptibility of the ALG to many DoS attacks. The ALG must be configured to prevent or mitigate the impact on network availability and traffic flow of DoS attacks that have occurred or are ongoing. This requirement applies to the functionality of the device as it pertains to handling network traffic. Some types of attacks may be specialized to certain network technologies, functions, or services. For each technology, known and potential DoS attacks must be identified and solutions for each type implemented.

Description

If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redundancy; which service redundancy reduces the susceptibility of the ALG to many DoS attacks. The ALG must be configured to prevent or mitigate the impact on network availability and traffic flow of DoS attacks that have occurred or are ongoing. This requirement applies to the functionality of the device as it pertains to handling network traffic. Some types of attacks may be specialized to certain network technologies, functions, or services. For each technology, known and potential DoS attacks must be identified and solutions for each type implemented.

STIG	Date
F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide	2015-06-02

Details

Check Text ( C-61285r1_chk )
Verify the BIG-IP Core implements load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. Navigate to the BIG-IP System manager >> System >> Configuration >> Local Traffic >> General. Verify "Reaper High-water Mark" is set to 95 and "Reaper Low-water Mark" is set to 85. If the device does not implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks, this is a finding.

Check Text ( C-61285r1_chk )

Verify the BIG-IP Core implements load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.

Navigate to the BIG-IP System manager >> System >> Configuration >> Local Traffic >> General.

Verify "Reaper High-water Mark" is set to 95 and "Reaper Low-water Mark" is set to 85.

If the device does not implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks, this is a finding.

Fix Text (F-65977r1_fix)
Configure the BIG-IP Core to implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. Navigate to the BIG-IP System manager >> System >> Configuration >> Local Traffic >> General. Make the following configurations under "Properties". Set "Reaper High-water Mark" to 95. Set "Reaper Low-water Mark" to 85.