Title

The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. (Cat II impact)

Discussion

A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity.

Check Content

Use the "show" command to verify that all inbound interfaces have a stateless firewall filter to set rate limits based on a destination. If the firewall does not have a stateless firewall filter that sets rate limits based on a destination, this is a finding.

Fix Text

Configure a stateless firewall filter to set rate limits based on a destination of the packets. Apply the stateless firewall filter to all inbound interfaces.

Additional Identifiers

Rule ID: SV-206693r604133_rule

Vulnerability ID: V-206693

Group Title: SRG-NET-000193

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.