Check: ARST-L2-000030
Arista MLS EOS 4.2x L2S STIG:
ARST-L2-000030
(in version v1 r1)
Title
The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks. (Cat II impact)
Discussion
Denial of service is a condition when a resource is not available for legitimate users. Packet flooding distributed DOS (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages). Satisfies: SRG-NET-000193-L2S-000020, SRG-NET-000362-L2S-000024, SRG-NET-000512-L2S-000001
Check Content
Verify the Arista MLS switch is configured for storm-control on applicable Ethernet interfaces. switch#show storm-control Port Type Level Rate(Mbps) Status Drops Reason Et10/2 all 75 7500 active 0 Et4 multicast 55 5500 active 0 Et4 broadcast 50 5000 active switch# If the Arista MLS switch is not configured to implement a storm-control policy, this is a finding.
Fix Text
The Arista MLS switch must be configured to implement a storm-control policy for traffic prioritization and bandwidth reservation. Storm-control on switch Ethernet interfaces can be configured to limit the packets based on broadcast, multicast, and unknown-unicast traffic: switch#configure switch(config)#internet et[X] interface Ethernet[X] switchport storm-control broadcast level pps 5000 storm-control multicast level pps 5000 storm-control unknown-unicast level pps 5000
Additional Identifiers
Rule ID: SV-255969r882249_rule
Vulnerability ID: V-255969
Group Title: SRG-NET-000193-L2S-000020
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001095 |
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. |
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |