Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-206693 | SRG-NET-000193-FW-000030 | SV-206693r604133_rule | Medium |
| Description |
|---|
| A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2024-05-28 |
Details
| Check Text ( C-6950r297858_chk ) |
|---|
| Use the "show" command to verify that all inbound interfaces have a stateless firewall filter to set rate limits based on a destination. If the firewall does not have a stateless firewall filter that sets rate limits based on a destination, this is a finding. |
| Fix Text (F-6950r297859_fix) |
|---|
| Configure a stateless firewall filter to set rate limits based on a destination of the packets. Apply the stateless firewall filter to all inbound interfaces. |