UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.


Overview

Finding ID Version Rule ID IA Controls Severity
V-206724 SRG-NET-000193-SDN-000285 SV-206724r385534_rule Medium
Description
A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood type" DoS attacks through increased capacity.
STIG Date
SDN Controller Security Requirements Guide 2024-05-28

Details

Check Text ( C-6981r363110_chk )
Review the SDN controller configuration to verify that it is configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding DoS attack. The implementation could be driven by a service application via the northbound API that contains the policy.

If the SDN controller is not configured to enforce a policy to manage bandwidth and limit the effect of a packet-flooding DoS attack, this is a finding.
Fix Text (F-6981r363111_fix)
Configure the SDN controller to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack. This can be implemented via northbound API from a service application containing the policy.