UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The router must protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.


Overview

Finding ID Version Rule ID IA Controls Severity
V-55781 SRG-NET-000362-RTR-000110 SV-70035r1_rule Medium
Description
The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the Route Processor or the control and management planes can result in mission-critical network outages. A DoS attack targeting the Route Processor can result in excessive CPU and memory utilization. To maintain network stability and Route Processor security, the router must be able to handle specific control plane and management plane traffic that is destined to the Route Processor. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grow. Control plane policing increases the security of routers and multilayer switches by protecting the Route Processor from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.
STIG Date
Router Security Requirements Guide 2015-09-28

Details

Check Text ( C-56347r1_chk )
Determine whether control plane protection has been implemented on the device by verifying traffic types have been classified based on importance levels and a policy has been configured to filter and rate limit the traffic according to each class.

If the router does not have control plane protection implemented, this is a finding.
Fix Text (F-60651r1_fix)
Implement control plane protection by classifying traffic types based on importance and configure filters to restrict and rate limit the traffic directed to and processed by the route processor according to each class.