The firewall must employ Access Control List (ACL) filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.

From Firewall Security Requirements Guide Requirements

Part of SRG-NET-000362-FW-000028

Associated with: CCI-002385

SRG-NET-000362-FW-000028_rule The firewall must employ Access Control List (ACL) filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.

Vulnerability discussion

A firewall experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic.There are three general methods of DoS attacks: flooding attacks, protocol sweeping attacks, and unauthorized port scanning.Flood attacks occur when the host receives too much traffic to buffer and slows down or crashes. Popular flood attacks include ICMP flood and SYN flood. A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests, resulting in denial of service. An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic, also resulting in denial of service. An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of a host.In an IP address sweep attack, an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target’s IP address to the attacker. In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. In a UDP sweep attack, an attacker sends UDP packets to the target device. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack.In a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively.

Check content

View the security filters for each interface or security zone. Verify DoS filters are configured to detect and prevent known DoS attacks such as IP sweeps, TCP sweeps, buffer overflows, unauthorized port scanning, SYN floods, UDP floods, and UDP sweeps. If ACL filters are not configured or if the security zone is not configured with ACL filters that guard against common DoS attacks, this is a finding.

Fix text

Configure the firewall to detect and prevent DoS attacks. Implement ACL filters with thresholds that are customized for the specific environment where applicable. DoS filters are based on NIST 800-53 requirements and vendor recommendations. The following sample commands show ACLs that implement this requirement (these are examples only): set filter1 icmp ip-sweep threshold 1000 set filter2 tcp port-scan threshold 1000 set filter3 tcp syn-flood alarm-threshold 1000 set filter3 tcp syn-flood attack-threshold 1100 set filter4 tcp syn-flood source-threshold 100 set filter5 tcp syn-flood destination-threshold 2048 set filter6 tcp syn-flood timeout 20 set filter7 tcp tcp-sweep threshold 1000 set filter8 udp flood threshold 5000 set filter9 udp udp-sweep threshold 1000

Pro Tips

Powered by sagemincer