The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-80777 | SRG-NET-000362-SDN-000720 | SV-95487r1_rule | Medium |
| Description |
|---|
| The SDN Controller is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control-plane processes. It is also instrumental with network management and provisioning functions that keep the SDN-enabled network elements and links available for providing network services. Any disruption to the SDN Controller can result in mission-critical network outages. A DoS attack targeting the SDN Controller can result in excessive CPU and memory utilization. The SDN Controller must be configured to rate-limit control-plane traffic destined to itself to mitigate the risk of a DoS attack and ensure network stability. |
| STIG | Date |
|---|---|
| SDN Controller Security Requirements Guide | 2020-03-06 |
Details
| Check Text ( C-80513r1_chk ) |
|---|
| Review the SDN controller configuration to determine if it is configured to rate-limit control-plane messages. If the SDN controller is not configured to rate-limit control-plane messages, this is a finding. |
| Fix Text (F-87631r1_fix) |
|---|
| Configure the SDN controller to rate-limit control-plane messages. |