The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.

From Application Security and Development Security Technical Implementation Guide

Part of SRG-APP-000246

Associated with: CCI-001094

SV-84861r1_rule The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.

Vulnerability discussion

Denial of Service (DoS) is a condition where a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.Individuals of concern can include hostile insiders or external adversaries that have access or have successfully breached the information system and are using the system as a platform to launch cyber attacks on the application, the application host or other third-parties.Application developers and application administrators must take the steps needed to ensure an application cannot be used to launch DoS attacks against the application itself, the application host or other systems and networks. Application developers should be cognizant that many attackers using DoS techniques will attempt to identify resource intensive processes and functions within the application. For web applications, this can be application objects that perform database queries or other resource intensive tasks. Improper application memory management can also lead to memory leaks which can exhaust system resources forcing a system or application restart. Limiting attempts to repeatedly execute application processes by validating the requests also reduces the ability to launch some DoS attacks.For application administrators, ensuring network access controls are in place to protect the application host.The methods employed to counter DoS risks are dependent upon the application layer methods that can be used to exploit it.

Check content

Review the application documentation and interview the application administrator. Ask the application administrator if any anti-DoS technology or anti-DoS emergency response services are deployed to protect the application. Check for code review, penetration or vulnerability test results that attempt to DoS the application or use the application as a DoS tool. Examine test results and testing configuration to ensure that the application was tested and the application was not reported as being susceptible to DoS attacks either from external sources or from the application itself. Also verify the testing results show that the application cannot be weaponized to attack other systems. If the test results indicate the application is susceptible to DoS attacks or can be weaponized to attack other applications or systems, this is a finding.

Fix text

Design and deploy the application to utilize controls that will prevent the application from being affected by DoS attacks or being used to attack other systems. This includes but is not limited to utilizing throttling techniques for application traffic such as QoS or implementing logic controls within the application code itself that prevents application use that results in network or system capabilities being exceeded.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer