Check: AADC-AG-000101
A10 Networks ADC ALG STIG:
AADC-AG-000101
(in versions v2 r1 through v1 r1)
Title
The A10 Networks ADC must enable DDoS filters. (Cat II impact)
Discussion
If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the vendor.
Check Content
Review the device configuration. The following command displays the device configuration and filters the output on the string "anomaly-drop": show run | inc anomaly-drop The output should display the following commands: ip anomaly-drop ip-option ip anomaly-drop land-attack ip anomaly-drop ping-of-death ip anomaly-drop frag ip anomaly-drop tcp-no-flag ip anomaly-drop tcp-syn-fin ip anomaly-drop tcp-syn-frag ip anomaly-drop out-of-sequence [threshold] ip anomaly-drop ping-of-death ip anomaly-drop zero-window [threshold] ip anomaly-drop bad-content If the output does not show these commands, this is a finding.
Fix Text
The following commands configure DDoS filters: ip anomaly-drop ip-option ip anomaly-drop land-attack ip anomaly-drop ping-of-death ip anomaly-drop frag ip anomaly-drop tcp-no-flag ip anomaly-drop tcp-syn-fin ip anomaly-drop tcp-syn-frag ip anomaly-drop out-of-sequence [threshold] ip anomaly-drop ping-of-death ip anomaly-drop zero-window [threshold] ip anomaly-drop bad-content Note: Thresholds are specific to the expected traffic for the system or enclave.
Additional Identifiers
Rule ID: SV-237051r639600_rule
Vulnerability ID: V-237051
Group Title: SRG-NET-000362-ALG-000126
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |