The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

From Firewall Security Requirements Guide

Part of SRG-NET-000193-FW-000030

Associated with: CCI-001095

SV-94127r1_rule The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

Vulnerability discussion

A firewall experiencing a DoS attack will not be able to handle its production traffic load. The high bandwidth and CPU utilization caused by a DoS attack will also affect the control-plane keep-alives and timers used for neighbor peering, resulting in route flapping, and will eventually black-hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity.

Check content

Use the "show" command to verify that all inbound interfaces have a stateless firewall filter to set rate limits based on a destination. If the firewall does not have a stateless firewall filter that sets rate limits based on a destination, this is a finding.

Fix text

Configure a stateless firewall filter to set rate limits based on a destination of the packets. Apply the stateless firewall filter to all inbound interfaces.
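The check and fix above can be audited mechanically. The following Python script is an added example and is not part of the Security Requirements Guide; it assumes a Junos-style stateless firewall filter written in "display set" syntax (as produced by "show configuration firewall | display set" and "show configuration interfaces | display set"), and the interface names, filter names, policer names and addresses in the embedded sample are constructed for illustration. It parses the configuration, determines which filters have a term that matches on destination-address and hands matching packets to a policer, and reports every inbound interface that either has no input filter or has one that does not rate-limit by destination, which is exactly the condition the check content calls a finding.

```python
import re
from collections import defaultdict

# Constructed sample of "display set" output (assumed Junos syntax, not from a real device).
# ge-0/0/0 is compliant, ge-0/0/1 has a filter with no destination-based policer,
# ge-0/0/2 has no input filter at all.
SAMPLE_CONFIG = """\
set firewall policer LIMIT-TO-WEB if-exceeding bandwidth-limit 10m
set firewall policer LIMIT-TO-WEB if-exceeding burst-size-limit 500k
set firewall policer LIMIT-TO-WEB then discard
set firewall family inet filter RATE-LIMIT-IN term WEB from destination-address 192.0.2.10/32
set firewall family inet filter RATE-LIMIT-IN term WEB then policer LIMIT-TO-WEB
set firewall family inet filter RATE-LIMIT-IN term WEB then accept
set firewall family inet filter RATE-LIMIT-IN term DEFAULT then accept
set firewall family inet filter PLAIN-ACL term ANY then accept
set interfaces ge-0/0/0 unit 0 family inet filter input RATE-LIMIT-IN
set interfaces ge-0/0/1 unit 0 family inet filter input PLAIN-ACL
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.1/24
"""

FILTER_TERM_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")
IFACE_FILTER_RE = re.compile(
    r"^set interfaces (\S+ unit \d+) family inet filter input (\S+)$")
IFACE_RE = re.compile(r"^set interfaces (\S+ unit \d+) family inet ")


def parse_config(text):
    """Return (filters, interfaces).

    filters: name -> {"dst_match": terms matching destination-address,
                      "policed": terms whose action includes a policer}
    interfaces: "<ifd> unit <n>" -> name of its inet input filter, or None
    """
    filters = defaultdict(lambda: {"dst_match": set(), "policed": set()})
    interfaces = {}
    for line in text.splitlines():
        line = line.strip()
        m = FILTER_TERM_RE.match(line)
        if m:
            name, term, clause, rest = m.groups()
            entry = filters[name]  # record the filter even if this term is neutral
            if clause == "from" and rest.startswith("destination-address "):
                entry["dst_match"].add(term)
            elif clause == "then" and rest.startswith("policer "):
                entry["policed"].add(term)
            continue
        m = IFACE_FILTER_RE.match(line)
        if m:
            interfaces[m.group(1)] = m.group(2)
            continue
        m = IFACE_RE.match(line)
        if m:
            # Any inet interface counts as inbound; keep it even without a filter.
            interfaces.setdefault(m.group(1), None)
    return dict(filters), interfaces


def rate_limits_by_destination(filters, name):
    """True if filter `name` has at least one term that both matches on
    destination-address and sends matching packets through a policer."""
    entry = filters.get(name)
    if entry is None:
        return False
    return bool(entry["dst_match"] & entry["policed"])


def audit(text):
    """One finding string per inbound interface that fails the check;
    an empty list means the configuration passes."""
    filters, interfaces = parse_config(text)
    findings = []
    for iface, flt in sorted(interfaces.items()):
        if flt is None:
            findings.append(f"{iface}: no input filter applied")
        elif not rate_limits_by_destination(filters, flt):
            findings.append(
                f"{iface}: input filter {flt} has no destination-based policer term")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The script checks only that a destination-based policer is present on every inbound interface; it does not judge whether the bandwidth-limit and burst-size-limit values are appropriate for the link, which still has to be reviewed against the interface speed and the traffic the protected destinations legitimately receive.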

Powered by sagemincer