
The IPS must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.


Overview

Finding ID: SRG-NET-000087-IDPS-000089
Version: SRG-NET-000087-IDPS-000089
Rule ID: SRG-NET-000087-IDPS-000089_rule
IA Controls: (none listed)
Severity: Medium
Description
Different applications have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. Many DoS attacks target the network core by attempting to saturate link capacity and exhaust router processors. If hackers can compromise QoS trust boundaries, they can amplify the effect of their abuse. When attack traffic receives premium services, it not only forces priority traffic such as voice to compete for service, it robs critical control-plane and network management traffic of the service it demands to ensure routing convergence and network availability. Furthermore, it enables the attacker to easily induce a sustained DoS attack on all network resources along the entire path where QoS has been hijacked. It is imperative that traffic marked for premium service is strictly policed. Traffic that is out of profile must be marked down by placing it into a low priority class.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43217_chk)
Verify there is a rule or signature which monitors for traffic volume thresholds.
Verify there is a rule for dropping traffic that exceeds these thresholds.
Examine the traffic priority screens to see if this feature is used by the organization.

If the IPS does not reject or delay network traffic based on normal volume thresholds, this is a finding.
Fix Text (F-43217_fix)
Configure the IDPS to monitor for traffic volume patterns that exceed the norm for the network.
Configure the IDPS to notify, alert, drop or delay suspect traffic based on excessive volume.
Configure the network with organizationally defined traffic priorities.
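The check and fix above describe a policer: a per-source volume threshold for the premium class, a mark-down of out-of-profile traffic into a low-priority class, and a hard threshold above which traffic is dropped. The following is an added illustration written for this page, not code from the SRG or from any IDPS product; the DSCP values, rates, burst sizes, source addresses and sample packet stream are all constructed for the example.

```python
from collections import Counter, defaultdict, namedtuple
# Policy values are constructed for this example, not taken from the SRG. Time is in
# integer milliseconds and rates in bytes per millisecond so the arithmetic is exact.
PREMIUM_DSCP = 46                          # EF: the class that must be strictly policed
BEST_EFFORT_DSCP = 0                       # out-of-profile premium traffic is marked down to this
PROFILE_RATE, PROFILE_BURST = 10, 4_000    # per-source premium profile (10 kB/s, 4 kB burst)
DROP_RATE, DROP_BURST = 50, 50_000         # per-source hard volume limit (50 kB/s)
Packet = namedtuple("Packet", "ts src dscp size")   # ts in ms, size in bytes
class TokenBucket:
    """Single-rate policer: a packet conforms if enough tokens remain."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None
    def conform(self, ts, size):
        if self.last is not None:   # refill for the time elapsed since the last packet
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                # non-conforming packets consume no tokens

def police(packets):
    """Return (src, action, egress_dscp) per packet: forward, markdown or drop."""
    premium = defaultdict(lambda: TokenBucket(PROFILE_RATE, PROFILE_BURST))
    total = defaultdict(lambda: TokenBucket(DROP_RATE, DROP_BURST))
    decisions = []
    for p in packets:
        if not total[p.src].conform(p.ts, p.size):
            decisions.append((p.src, "drop", None))        # above the hard threshold
            continue
        action, dscp = "forward", p.dscp
        if p.dscp == PREMIUM_DSCP and not premium[p.src].conform(p.ts, p.size):
            action, dscp = "markdown", BEST_EFFORT_DSCP    # out of profile: demote class
        decisions.append((p.src, action, dscp))
    return decisions

def summarize(decisions):   # per-source action counts, as an alert or volume report would carry
    out = defaultdict(Counter)
    for src, action, _ in decisions:
        out[src][action] += 1
    return {src: dict(c) for src, c in out.items()}

# Constructed sample: a legitimate voice flow (160 B every 20 ms, marked EF) beside a
# flood that hijacks the EF marking (1000 B every 1 ms from one source).
SAMPLE = sorted([Packet(20 * i, "10.0.0.5", PREMIUM_DSCP, 160) for i in range(50)]
                + [Packet(i, "10.0.0.99", PREMIUM_DSCP, 1000) for i in range(100)],
                key=lambda p: p.ts)

if __name__ == "__main__":
    print(summarize(police(SAMPLE)))
```

The voice flow stays within profile and is forwarded unchanged, while the flood is first demoted to best effort and then dropped once it passes the hard threshold; a real deployment would feed the per-source counts to the alerting path the fix text calls for.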