An error occurred:

Check: RCKS-RTR-000610

RUCKUS ICX Router STIG: RCKS-RTR-000610 (in version v1 r1)

Title

The RUCKUS ICX router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. (Cat II impact)

Discussion

The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages. A DoS attack targeting the RP can result in excessive CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic destined to the RP. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

Check Content

Review configuration to determine whether distributed denial-of-service (DDoS) attack prevention is configured (values may vary): ICX#show running-config | include burst ip icmp attack-rate burst-normal 500 burst-max 1000 lockup 300 ip tcp burst-normal 30 burst-max 100 lockup 300 If DDoS protection is not configured, this is a finding.

Fix Text

Configure DDoS protection. ICX(config)#ip icmp attack-rate burst-normal 500 burst-max 1000 lockup 300 ICX(config)#ip tcp burst-normal 30 burst-max 100 lockup 300

Additional Identifiers

Rule ID: SV-273628r1111067_rule

Vulnerability ID: V-273628

Group Title: SRG-NET-000362-RTR-000110

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002385

Protect against or limit the effects of organization-defined types of denial-of-service events.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-5

Denial of Service Protection