The SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-80773 | SRG-NET-000193-SDN-000285 | SV-95483r1_rule | Medium |
| Description |
|---|
| A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood type" DoS attacks through increased capacity. |
| STIG | Date |
|---|---|
| SDN Controller Security Requirements Guide | 2020-03-06 |
Details
| Check Text ( C-80509r2_chk ) |
|---|
| Review the SDN controller configuration to verify that it is configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding DoS attack. The implementation could be driven by a service application via the northbound API that contains the policy. If the SDN controller is not configured to enforce a policy to manage bandwidth and limit the effect of a packet-flooding DoS attack, this is a finding. |
| Fix Text (F-87627r1_fix) |
|---|
| Configure the SDN controller to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack. This can be implemented via northbound API from a service application containing the policy. |