Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-79421 | SRG-NET-000193-FW-000030 | SV-94127r1_rule | Medium |
Description |
---|
A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity. |
STIG | Date |
---|---|
Firewall Security Requirements Guide | 2018-09-13 |
Check Text ( C-79035r1_chk ) |
---|
Use the "show" command to verify that all inbound interfaces have a stateless firewall filter to set rate limits based on a destination. If the firewall does not have a stateless firewall filter that sets rate limits based on a destination, this is a finding. |
Fix Text (F-86193r1_fix) |
---|
Configure a stateless firewall filter to set rate limits based on a destination of the packets. Apply the stateless firewall filter to all inbound interfaces. |