STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
CCI-001094

Definition

Restrict the ability of individuals to launch organization-defined denial of service attacks against other systems.

Parent Control

SC-5 (1): Denial-of-Service Protection (System and Communications Protection)

Linked STIG Checks (113)

Vuln ID | CAT | Check | STIG
V-214255 | CAT II | The Apache web server must be tuned to handle the operational requirements of the hosted application. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
V-214291 | CAT II | The Apache web server must be tuned to handle the operational requirements of the hosted application. | Apache Server 2.4 UNIX Site Security Technical Implementation Guide
V-214338 | CAT II | The Apache web server must restrict the ability of users to launch denial-of-service (DoS) attacks against other information systems or networks. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
V-204953 | CAT II | The ALG providing content filtering must block outbound traffic containing known and unknown DoS attacks to protect against the use of internal information systems to launch any Denial of Service (DoS) attacks against other networks or endpoints. | Application Layer Gateway Security Requirements Guide
V-222594 | CAT II | The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. | Application Security and Development Security Technical Implementation Guide
V-217524 | CAT II | The Arista Multilayer Switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
V-256026 | CAT I | The Arista perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
V-256026 | CAT I | The Arista perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Arista MLS EOS 4.X Router Security Technical Implementation Guide
V-276001 | CAT II | Ax-OS must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-272394 | CAT II | A BIND 9.x server implementation must prohibit recursion on authoritative name servers. | BIND 9.x Security Technical Implementation Guide
V-272423 | CAT II | A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients. | BIND 9.x Security Technical Implementation Guide
V-237369 | CAT II | The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | CA API Gateway ALG Security Technical Implementation Guide
V-216989 | CAT I | The Cisco perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Cisco IOS Router RTR Security Technical Implementation Guide
V-220471 | CAT I | The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Cisco IOS Switch RTR Security Technical Implementation Guide
V-216710 | CAT II | The Cisco PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | Cisco IOS XE Router RTR Security Technical Implementation Guide
V-216997 | CAT I | The Cisco perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Cisco IOS XE Router RTR Security Technical Implementation Guide
V-221011 | CAT I | The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Cisco IOS XE Switch RTR Security Technical Implementation Guide
V-221046 | CAT II | The Cisco PE switch must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
V-216800 | CAT II | The Cisco PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | Cisco IOS XR Router RTR Security Technical Implementation Guide
V-217005 | CAT I | The Cisco perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Cisco IOS XR Router RTR Security Technical Implementation Guide
V-221091 | CAT I | The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Cisco NX OS Switch RTR Security Technical Implementation Guide
V-221125 | CAT II | The Cisco PE switch must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | Cisco NX OS Switch RTR Security Technical Implementation Guide
V-233129 | CAT II | The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems. | Container Platform Security Requirements Guide
V-235781 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-235782 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-205189 | CAT II | The DNS server implementation must restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems. | Domain Name System (DNS) Security Requirements Guide
V-270947 | CAT I | Dragos Platforms must limit privileges and not allow the ability to run shell. | Dragos Platform 2.x Security Technical Implementation Guide
V-266156 | CAT II | The F5 BIG-IP appliance providing content filtering must employ rate-based attack prevention behavior analysis. | F5 BIG-IP TMOS ALG Security Technical Implementation Guide
V-265991 | CAT II | The F5 BIG-IP DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. | F5 BIG-IP TMOS DNS Security Technical Implementation Guide
V-266260 | CAT I | The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning. | F5 BIG-IP TMOS Firewall Security Technical Implementation Guide
V-278394 | CAT II | NGINX must restrict the ability of individuals to launch denial-of-service (DoS) attacks against other information systems. | F5 NGINX Security Technical Implementation Guide
V-206692 | CAT II | The firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | Firewall Security Requirements Guide
V-234145 | CAT II | The FortiGate firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | Fortinet FortiGate Firewall Security Technical Implementation Guide
V-66121 | CAT II | The HP FlexFabric Switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding. | HP FlexFabric Switch RTR Security Technical Implementation Guide
V-65231 | CAT II | The DataPower Gateway providing content filtering must not have a front side handler configured facing an internal network. | IBM DataPower ALG Security Technical Implementation Guide
V-214178 | CAT II | The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems. | Infoblox 7.x DNS Security Technical Implementation Guide
V-233921 | CAT II | The Infoblox system must restrict the ability of individuals to use the DNS service member to launch denial-of-Service (DoS) attacks against other information systems. | Infoblox 8.x DNS Security Technical Implementation Guide
V-254003 | CAT II | The Juniper PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | Juniper EX Series Switches Router Security Technical Implementation Guide
V-254022 | CAT I | The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Juniper EX Series Switches Router Security Technical Implementation Guide
V-217036 | CAT I | The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Juniper Router RTR Security Technical Implementation Guide
V-217075 | CAT II | The Juniper PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | Juniper Router RTR Security Technical Implementation Guide
V-214532 | CAT II | The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
V-272888 | CAT II | Microsoft Defender for Endpoint (MDE) must enable Endpoint Detection and Response (EDR) in block mode. | Microsoft Defender for Endpoint Security Technical Implementation Guide
V-228379 | CAT III | Exchange Mail quota settings must not restrict receiving mail. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
V-228380 | CAT III | Exchange Mail Quota settings must not restrict receiving mail. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
V-228381 | CAT III | Exchange Mailbox Stores must mount at startup. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
V-259596 | CAT II | More than one Edge server must be deployed. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
V-259674 | CAT III | Exchange mailbox stores must mount at startup. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-259675 | CAT III | Exchange mail quota settings must not restrict receiving mail. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-259676 | CAT III | Exchange mail quota settings must not restrict sending mail. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-218753 | CAT II | The IIS 10.0 website must be configured to limit the maxURL. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-218754 | CAT II | The IIS 10.0 website must be configured to limit the size of web requests. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-218755 | CAT II | The IIS 10.0 websites Maximum Query String limit must be configured. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-218756 | CAT II | Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-218757 | CAT II | Double encoded URL requests must be prohibited by any IIS 10.0 website. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-218758 | CAT II | Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-215632 | CAT II | The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
V-241993 | CAT II | Windows Defender Firewall with Advanced Security must allow outbound connections, unless a rule explicitly blocks the connection when connected to a domain. | Microsoft Windows Defender Firewall with Advanced Security Security Technical Implementation Guide
V-241998 | CAT II | Windows Defender Firewall with Advanced Security must allow outbound connections, unless a rule explicitly blocks the connection when connected to a private network. | Microsoft Windows Defender Firewall with Advanced Security Security Technical Implementation Guide
V-242003 | CAT II | Windows Defender Firewall with Advanced Security must allow outbound connections, unless a rule explicitly blocks the connection when connected to a public network. | Microsoft Windows Defender Firewall with Advanced Security Security Technical Implementation Guide
V-259395 | CAT II | The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
V-260906 | CAT I | Least privilege access and need to know must be required to access MKE runtime and instantiate container images. | Mirantis Kubernetes Engine Security Technical Implementation Guide
V-221498 | CAT II | OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221499 | CAT II | OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221500 | CAT II | OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221501 | CAT II | OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221502 | CAT II | OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221503 | CAT II | OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221504 | CAT II | OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221505 | CAT II | OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221506 | CAT II | OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221507 | CAT II | OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221508 | CAT II | OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-228842 | CAT II | The Palo Alto Networks security platform must protect against the use of internal systems for launching denial-of-service (DoS) attacks against external networks or endpoints. | Palo Alto Networks ALG Security Technical Implementation Guide
V-228843 | CAT II | The Palo Alto Networks security platform must block phone home traffic. | Palo Alto Networks ALG Security Technical Implementation Guide
V-228844 | CAT II | The Palo Alto Networks security platform must deny outbound IP packets that contain an illegitimate address in the source address field. | Palo Alto Networks ALG Security Technical Implementation Guide
V-253540 | CAT II | Prisma Cloud Compute must prevent unauthorized and unintended information transfer. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
V-257554 | CAT II | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
V-257555 | CAT II | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
V-257566 | CAT II | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
V-257554 | CAT II | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-257555 | CAT II | OpenShift must restrict individuals' ability to launch organization-defined denial-of-service (DOS) attacks against other information systems by rate-limiting. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-257566 | CAT II | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-207126 | CAT II | The PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | Router Security Requirements Guide
V-279176 | CAT II | The Edge SWG must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | Symantec Edge SWG ALG Security Technical Implementation Guide
V-94321 | CAT II | Symantec ProxySG must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | Symantec ProxySG ALG Security Technical Implementation Guide
V-240986 | CAT II | Tanium must restrict the ability of individuals to place too much impact upon the network, which might result in a denial-of-service (DoS) event on the network by using RandomSensorDelayInSeconds. | Tanium 7.0 Security Technical Implementation Guide
V-234045 | CAT II | The Tanium application must restrict the ability of individuals to place too much impact upon the network, which might result in a Denial of Service (DoS) event on the network by using RandomSensorDelayInSeconds. | Tanium 7.3 Security Technical Implementation Guide
V-254919 | CAT II | The Tanium application must restrict the ability of individuals to use information systems to launch organization-defined denial-of-service (DoS) attacks against other information systems. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
V-253786 | CAT II | The Tanium application must restrict the ability of individuals to use information systems to launch organization-defined denial-of-service (DoS) attacks against other information systems. | Tanium 7.x Security Technical Implementation Guide
V-241143 | CAT II | Trend Deep Security must restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems. | Trend Micro Deep Security 9.x Security Technical Implementation Guide
V-240069 | CAT II | HAProxy must limit the amount of time that half-open connections are kept alive. | VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide
V-265618 | CAT II | The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks. | VMware NSX 4.x Distributed Firewall Security Technical Implementation Guide
V-265367 | CAT I | The NSX Tier-0 Gateway Firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | VMware NSX 4.x Tier-0 Gateway Firewall Security Technical Implementation Guide
V-265428 | CAT I | The NSX Tier-0 Gateway router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF). | VMware NSX 4.x Tier-0 Gateway Router Security Technical Implementation Guide
V-265493 | CAT I | The NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | VMware NSX 4.x Tier-1 Gateway Firewall Security Technical Implementation Guide
V-251728 | CAT II | The NSX-T Distributed Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | VMware NSX-T Distributed Firewall Security Technical Implementation Guide
V-251764 | CAT II | The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide
V-251739 | CAT II | The NSX-T Tier-0 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide
V-251750 | CAT I | Unicast Reverse Path Forwarding (uRPF) must be enabled on the NSX-T Tier-0 Gateway. | VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide
V-240254 | CAT II | Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks. | VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide
V-241676 | CAT II | tc Server UI must be configured with a cross-site scripting (XSS) filter. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241677 | CAT II | tc Server CaSa must be configured with a cross-site scripting (XSS) filter. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241678 | CAT II | tc Server API must be configured with a cross-site scripting (XSS) filter. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-256662 | CAT II | VAMI must protect against or limit the effects of HTTP types of denial-of-service (DoS) attacks. | VMware vSphere 7.0 VAMI Security Technical Implementation Guide
V-256691 | CAT II | ESX Agent Manager must limit the number of allowed connections. | VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide
V-256724 | CAT II | Lookup Service must limit the number of allowed connections. | VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
V-256629 | CAT II | Performance Charts must limit the number of allowed connections. | VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
V-256763 | CAT II | The Security Token Service must limit the number of allowed connections. | VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide
V-256797 | CAT II | vSphere UI must limit the number of allowed connections. | VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide
V-259149 | CAT II | The vCenter VAMI service must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide
V-206409 | CAT II | The web server must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | Web Server Security Requirements Guide
V-269579 | CAT II | Xylok Security Suite must disable nonessential capabilities. | Xylok Security Suite 20.x Security Technical Implementation Guide