
The network element must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.


Overview

Finding ID: V-27010
Version: SRG-NET-000087
Rule ID: SV-34304r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Different applications have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage this multitude of applications and services, a network requires a Quality of Service (QoS) framework that differentiates traffic and provides a method to avoid and manage congestion. Without QoS, all traffic has an equal chance of being dropped when congestion occurs. QoS classifies network traffic, prioritizes it according to its relative importance, and gives it priority treatment based on that classification.

Many DoS attacks target the network core by attempting to saturate link capacity and exhaust router processors. If attackers can compromise QoS trust boundaries, they can amplify the effect of their abuse. When attack traffic receives premium service, it not only forces priority traffic such as voice to compete for service, it also robs critical control-plane and network management traffic of the service it needs to ensure routing convergence and network availability. Furthermore, it enables the attacker to easily induce a sustained DoS against all network resources along the entire path where QoS has been hijacked.

It is imperative that traffic marked for premium service is strictly policed. Traffic that is out of profile must be marked down by placing it into a low-priority class.
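The policing behaviour the description calls for, shown as an added example that is not part of the SRG or of this STIG entry: a single-rate three-color policer in the style of RFC 2697 guards the premium (EF) class, transmitting conforming packets, marking out-of-profile packets down to the low-priority CS1 class, and dropping packets that exceed the excess burst. The CIR, burst sizes, the choice of EF and CS1 as the protected and mark-down classes, and the two constructed traffic flows (an in-profile voice call and a flood that marks itself EF) are illustrative assumptions, not values from the page.

```python
"""Single-rate three-color policer (RFC 2697) guarding a premium-service class.

Added example, not part of the SRG text: packets arriving marked DSCP EF are
policed against a committed information rate (CIR).  Conforming packets keep
their marking (transmit), out-of-profile packets are re-marked down into a
low-priority class (CS1), and packets beyond the excess burst are dropped.
Rates, burst sizes and the sample traffic below are constructed for illustration.
"""
from dataclasses import dataclass, field

DSCP_EF = 46   # Expedited Forwarding: the premium (voice) class being protected
DSCP_CS1 = 8   # Class Selector 1: low-priority class used for marked-down traffic


@dataclass
class Packet:
    ts: float   # arrival time, seconds
    size: int   # bytes
    dscp: int
    src: str


@dataclass
class SrTcmPolicer:
    """RFC 2697 srTCM in color-blind mode: CIR in bit/s, CBS and EBS in bytes."""
    cir_bps: int
    cbs: int
    ebs: int
    tc: float = field(init=False)   # committed token bucket, bytes
    te: float = field(init=False)   # excess token bucket, bytes
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc, self.te = float(self.cbs), float(self.ebs)

    def _refill(self, now):
        # Tokens accrue at CIR; when Tc is full the surplus spills into Te.
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc += elapsed * self.cir_bps / 8.0
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = float(self.cbs)

    def color(self, pkt):
        self._refill(pkt.ts)
        if self.tc >= pkt.size:
            self.tc -= pkt.size
            return "green"       # conform
        if self.te >= pkt.size:
            self.te -= pkt.size
            return "yellow"      # exceed
        return "red"             # violate


def police_premium(packets, policer):
    """Apply conform/exceed/violate actions to the EF class.

    Returns the forwarded packets (in order) and a count of each outcome.
    Non-EF traffic is passed through untouched here; in a real policy it
    would be handled by its own class.
    """
    forwarded = []
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for p in packets:
        if p.dscp != DSCP_EF:
            forwarded.append(p)
            continue
        c = policer.color(p)
        if c == "green":
            counts["conform"] += 1
            forwarded.append(p)
        elif c == "yellow":
            counts["exceed"] += 1
            forwarded.append(Packet(p.ts, p.size, DSCP_CS1, p.src))  # mark down
        else:
            counts["violate"] += 1                                      # drop
    return forwarded, counts


def voice_call(n=50):
    """Constructed in-profile flow: 200-byte EF packets every 20 ms (80 kbit/s)."""
    return [Packet(i * 0.02, 200, DSCP_EF, "10.0.0.10") for i in range(n)]


def ef_flood(n=1000):
    """Constructed attack: 1500-byte packets every 1 ms, all self-marked EF (12 Mbit/s)."""
    return [Packet(i * 0.001, 1500, DSCP_EF, "10.0.0.66") for i in range(n)]


def run(packets, cir_bps=128_000, cbs=2000, ebs=2000):
    """Police one flow with a fresh policer (assumed CIR 128 kbit/s, CBS/EBS 2000 B)."""
    return police_premium(packets, SrTcmPolicer(cir_bps, cbs, ebs))


if __name__ == "__main__":
    for name, flow in (("voice call", voice_call()), ("EF flood", ef_flood())):
        fwd, counts = run(flow)
        print(f"{name}: {counts}, forwarded bytes={sum(p.size for p in fwd)}")
```

Run stand-alone, the voice call passes untouched (50 conform, nothing marked down or dropped), while the flood gets 11 packets through as EF, 1 marked down to CS1 and 988 dropped: the premium queue never carries more than the committed rate plus burst no matter how much traffic claims to be EF. Note that the meter is an aggregate per class, so a flood arriving marked EF on the same ingress also consumes the committed tokens that a legitimate call on that ingress depends on; this is why policing belongs at the trust boundary, per port or per customer, rather than as one aggregate meter deep in the path.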
STIG: Network Security Requirements Guide
Date: 2011-12-28

Details

Check Text: None
Fix Text: None