STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← SC-5 (2) — Denial-of-Service Protection

CCI-001095

Definition

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service attacks.

Parent Control

SC-5 (2)Denial-of-Service ProtectionSystem and Communications Protection

Linked STIG Checks (200)

V-274030CAT IIAmazon Linux 2023 must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.Amazon Linux 2023 Security Technical Implementation Guide V-268141CAT IINixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.Anduril NixOS Security Technical Implementation Guide V-274612CAT IIThe API must employ throttling.Application Programming Interface (API) Security Requirements Guide V-274682CAT IIThe API must enforce per-client rate limits.Application Programming Interface (API) Security Requirements Guide V-222595CAT IIThe web service design must include redundancy mechanisms when used with high-availability systems.Application Security and Development Security Technical Implementation Guide V-220131CAT IIThe Arista Multilayer Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide V-255969CAT IIThe Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks.Arista MLS EOS 4.2x L2S Security Technical Implementation Guide V-256011CAT IIIThe MPLS router with RSVP-TE enabled must be configured with message pacing or refresh reduction to adjust maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256012CAT IIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256013CAT IIIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256014CAT IIIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255969CAT IIThe Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks.Arista MLS EOS 4.X L2S Security Technical Implementation Guide V-256011CAT IIIThe MPLS router with RSVP-TE enabled must be configured with message pacing or refresh reduction to adjust maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256012CAT IIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256013CAT IIIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256014CAT IIIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-276001CAT IIAx-OS must limit the number of concurrent sessions to 10 for all accounts and/or account types.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-272424CAT IIA BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.BIND 9.x Security Technical Implementation Guide V-219330CAT IIThe Ubuntu operating system must be configured to use TCP syncookies.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238333CAT IIThe Ubuntu operating system must be configured to use TCP syncookies.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260522CAT IIUbuntu 22.04 LTS must be configured to use TCP syncookies.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270753CAT IIUbuntu 24.04 LTS must be configured to use TCP syncookies.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-239860CAT IIThe Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.Cisco ASA Firewall Security Technical Implementation Guide V-239882CAT IIThe Cisco ASA must be configured to block outbound traffic containing denial-of-service (DoS) attacks by ensuring an intrusion prevention policy has been applied to outbound communications traffic.Cisco ASA IPS Security Technical Implementation Guide V-216609CAT IIIThe MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.Cisco IOS Router RTR Security Technical Implementation Guide V-216619CAT IIIThe Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS Router RTR Security Technical Implementation Guide V-216620CAT IIIThe Cisco P router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS Router RTR Security Technical Implementation Guide V-216621CAT IIThe Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Cisco IOS Router RTR Security Technical Implementation Guide V-220625CAT IIThe Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks.Cisco IOS Switch L2S Security Technical Implementation Guide V-220458CAT IIIThe Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS Switch RTR Security Technical Implementation Guide V-220459CAT IIIThe Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS Switch RTR Security Technical Implementation Guide V-220460CAT IIThe Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Cisco IOS Switch RTR Security Technical Implementation Guide V-216699CAT IIIThe MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216708CAT IIThe Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216714CAT IIIThe Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216715CAT IIIThe Cisco P router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216716CAT IIThe Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.Cisco IOS XE Router RTR Security Technical Implementation Guide V-220651CAT IIThe Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.Cisco IOS XE Switch L2S Security Technical Implementation Guide V-221035CAT IIIThe MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221044CAT IIThe Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221050CAT IIIThe Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221051CAT IIIThe Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221052CAT IIThe Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-216789CAT IIIThe MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216798CAT IIThe Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216804CAT IIIThe Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216805CAT IIIThe Cisco P router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216806CAT IIThe Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Cisco IOS XR Router RTR Security Technical Implementation Guide V-221115CAT IIIThe MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221123CAT IIThe Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221129CAT IIIThe Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221130CAT IIIThe Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221131CAT IIThe Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Cisco NX OS Switch RTR Security Technical Implementation Guide V-269435CAT IIAlmaLinux OS 9 must be configured to use TCP syncookies.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-270875CAT IIThe container must have resource request limits set.Container Platform Security Requirements Guide V-269954CAT IIThe Dell OS10 Switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.Dell OS10 Switch Layer 2 Switch Security Technical Implementation Guide V-269870CAT IIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Dell OS10 Switch Router Security Technical Implementation Guide V-235781CAT IIA policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235782CAT IIA policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235827CAT IIDocker Enterprise container health must be checked at runtime.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235828CAT IIPIDs cgroup limits must be used in Docker Enterprise.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-205190CAT IIThe DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.Domain Name System (DNS) Security Requirements Guide V-265991CAT IIThe F5 BIG-IP DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.F5 BIG-IP TMOS DNS Security Technical Implementation Guide V-266260CAT IThe F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.F5 BIG-IP TMOS Firewall Security Technical Implementation Guide V-278404CAT IINGINX must protect against denial-of-service (DoS) attacks.F5 NGINX Security Technical Implementation Guide V-206693CAT IIThe firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.Firewall Security Requirements Guide V-234146CAT IIThe FortiGate firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.Fortinet FortiGate Firewall Security Technical Implementation Guide V-203658CAT IIThe operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.General Purpose Operating System Security Requirements Guide V-66057CAT IIThe HP FlexFabric Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.HP FlexFabric Switch L2S Security Technical Implementation Guide V-66123CAT IIThe HP FlexFabric Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.HP FlexFabric Switch RTR Security Technical Implementation Guide V-266591CAT IIAOS must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.HPE Aruba Networking AOS Wireless Security Technical Implementation Guide V-215398CAT IIAIX must set Stack Execution Disable (SED) system wide mode to all.IBM AIX 7.x Security Technical Implementation Guide V-223572CAT IIIBM z/OS Policy agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.IBM z/OS ACF2 Security Technical Implementation Guide V-223793CAT IIThe IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.IBM z/OS RACF Security Technical Implementation Guide V-224011CAT IIThe IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.IBM z/OS TSS Security Technical Implementation Guide V-237925CAT IIThe IBM z/VM TCP/IP FOREIGNIPCONLIMIT statement must be properly configured.IBM zVM Using CA VM:Secure Security Technical Implementation Guide V-237926CAT IIThe IBM z/VM TCP/IP PERSISTCONNECTIONLIMIT statement must be properly configured.IBM zVM Using CA VM:Secure Security Technical Implementation Guide V-237927CAT IIThe IBM z/VM TCP/IP PENDINGCONNECTIONLIMIT statement must be properly configured.IBM zVM Using CA VM:Secure Security Technical Implementation Guide V-214179CAT IIThe Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.Infoblox 7.x DNS Security Technical Implementation Guide V-233922CAT IIThe Infoblox system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks.Infoblox 8.x DNS Security Technical Implementation Guide V-34707CAT IIThe IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide V-206881CAT IIThe IPS must block outbound traffic containing known and unknown denial-of-service (DoS) attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.Intrusion Detection and Prevention Systems Security Requirements Guide V-253951CAT IIThe Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide V-254004CAT IIIThe Juniper MPLS router with RSVP-TE enabled must be configured to enable refresh reduction features.Juniper EX Series Switches Router Security Technical Implementation Guide V-254005CAT IIThe Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.Juniper EX Series Switches Router Security Technical Implementation Guide V-254006CAT IIThe Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Juniper EX Series Switches Router Security Technical Implementation Guide V-254007CAT IIIThe Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.Juniper EX Series Switches Router Security Technical Implementation Guide V-254008CAT IIIThe Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.Juniper EX Series Switches Router Security Technical Implementation Guide V-217065CAT IIIThe Juniper MPLS router with RSVP-TE enabled must be configured to enable refresh reduction features.Juniper Router RTR Security Technical Implementation Guide V-217073CAT IIThe Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.Juniper Router RTR Security Technical Implementation Guide V-217079CAT IIIThe Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.Juniper Router RTR Security Technical Implementation Guide V-217080CAT IIIThe Juniper P router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.Juniper Router RTR Security Technical Implementation Guide V-217081CAT IIThe Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Juniper Router RTR Security Technical Implementation Guide V-66395CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic.Juniper SRX SG IDPS Security Technical Implementation Guide V-66395CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic.Juniper SRX SG IDPS Security Technical Implementation Guide V-66399CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic.Juniper SRX SG IDPS Security Technical Implementation Guide V-66399CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic.Juniper SRX SG IDPS Security Technical Implementation Guide V-66401CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that anomaly-based attack objects are applied to outbound communications traffic.Juniper SRX SG IDPS Security Technical Implementation Guide V-66401CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that anomaly-based attack objects are applied to outbound communications traffic.Juniper SRX SG IDPS Security Technical Implementation Guide V-214614CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic.Juniper SRX Services Gateway IDPS Security Technical Implementation Guide V-214615CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic.Juniper SRX Services Gateway IDPS Security Technical Implementation Guide V-214616CAT IIThe Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that anomaly-based attack objects are applied to outbound communications traffic.Juniper SRX Services Gateway IDPS Security Technical Implementation Guide V-206649CAT IIThe layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.Layer 2 Switch Security Requirements Guide V-221220CAT IIExchange Outbound Connection Timeout must be 10 minutes or less.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221221CAT IIExchange Outbound Connection Limit per Domain Count must be controlled.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221222CAT IIIExchange Send connector connections count must be limited.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221223CAT IIIExchange message size restrictions must be controlled on Send connectors.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221224CAT IIIExchange Send connectors delivery retries must be controlled.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221225CAT IIIExchange Send connectors must be clearly named.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221226CAT IIExchange Receive connector Maximum Hop Count must be 60.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221227CAT IIIExchange Receive connectors must be clearly named.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221228CAT IIIExchange Receive connectors must control the number of recipients chunked on a single message.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221229CAT IIExchange Receive connectors must control the number of recipients per message.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221230CAT IIIThe Exchange Internet Receive connector connections count must be set to default.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221231CAT IIIExchange Message size restrictions must be controlled on Receive connectors.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-228382CAT IIIExchange Message size restrictions must be controlled on Receive connectors.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-228383CAT IIIExchange Receive connectors must control the number of recipients per message.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-228384CAT IIIThe Exchange Receive Connector Maximum Hop Count must be 60.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-228385CAT IIIExchange Message size restrictions must be controlled on Send connectors.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-228386CAT IIIThe Exchange Send connector connections count must be limited.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-228387CAT IIIThe Exchange global inbound message size must be controlled.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-228388CAT IIIThe Exchange global outbound message size must be controlled.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-228389CAT IIIThe Exchange Outbound Connection Limit per Domain Count must be controlled.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-228390CAT IIIThe Exchange Outbound Connection Timeout must be 10 minutes or less.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-259597CAT IIExchange Outbound Connection Timeout must be 10 minutes or less.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259598CAT IIExchange Outbound Connection limit per Domain Count must be controlled.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259599CAT IIExchange receive connector maximum hop count must be 60.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259600CAT IIExchange receive connectors must control the number of recipients per message.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259601CAT IIExchange send connector connections count must be limited.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259602CAT IIExchange message size restrictions must be controlled on Send connectors.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259603CAT IIExchange send connectors delivery retries must be controlled.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259604CAT IIExchange receive connectors must be clearly named.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259605CAT IIExchange receive connectors must control the number of recipients chunked on a single message.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259606CAT IIThe Exchange internet receive connector connections count must be set to default.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259607CAT IIExchange Message size restrictions must be controlled on receive connectors.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259677CAT IIIExchange Message size restrictions must be controlled on Receive connectors.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-259678CAT IIIThe Exchange Receive Connector Maximum Hop Count must be 60.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-259679CAT IIIThe Exchange send connector connections count must be limited.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-259681CAT IIIExchange message size restrictions must be controlled on send connectors.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-259682CAT IIIThe Exchange global inbound message size must be controlled.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-259683CAT IIIThe Exchange global outbound message size must be controlled.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-259684CAT IIIThe Exchange Outbound Connection Limit per Domain Count must be controlled.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-259685CAT IIIThe Exchange Outbound Connection Timeout must be 10 minutes or less.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-215633CAT IIThe Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload.Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide V-259396CAT IIThe Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload.Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide V-259417CAT IIWindows DNS response rate limiting (RRL) must be enabled.Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide V-251387CAT IIIA Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.Network Infrastructure Policy Security Technical Implementation Guide V-251394CAT IIMulticast register messages must be rate limited per each source-group (S, G) entry.Network Infrastructure Policy Security Technical Implementation Guide V-251396CAT IIThe number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.Network Infrastructure Policy Security Technical Implementation Guide V-251397CAT IIThe number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.Network Infrastructure Policy Security Technical Implementation Guide V-251398CAT IIIInternet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.Network Infrastructure Policy Security Technical Implementation Guide V-254228CAT IINutanix AOS must be configured to use syncookies to limit denial-of-service (DoS) attacks.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279625CAT IINutanix OS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.Nutanix Acropolis GPOS Security Technical Implementation Guide V-248865CAT IIA firewall must be able to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring OL 8 can implement rate-limiting measures on impacted network interfaces.Oracle Linux 8 Security Technical Implementation Guide V-271884CAT IIOL 9 must be configured to use TCP syncookies.Oracle Linux 9 Security Technical Implementation Guide V-207692CAT IIThe Palo Alto Networks security platform must have a denial-of-service (DoS) Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.Palo Alto Networks IDPS Security Technical Implementation Guide V-273675CAT IIThe RUCKUS ICX switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide V-273601CAT IIThe RUCKUS ICX PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.RUCKUS ICX Router Security Technical Implementation Guide V-273602CAT IIIThe RUCKUS ICX PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.RUCKUS ICX Router Security Technical Implementation Guide V-273603CAT IIIThe RUCKUS ICX P router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.RUCKUS ICX Router Security Technical Implementation Guide V-281340CAT IIRHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-257957CAT IIRHEL 9 must be configured to use TCP syncookies.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-275616CAT IIUbuntu OS must be configured to use TCP syncookies.Riverbed NetIM OS Security Technical Implementation Guide V-207127CAT IIIThe MPLS router with RSVP-TE enabled must be configured with message pacing or refresh reduction to adjust maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.Router Security Requirements Guide V-207128CAT IIThe PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.Router Security Requirements Guide V-207129CAT IIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.Router Security Requirements Guide V-207130CAT IIIThe PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DoDIN Technical Profile.Router Security Requirements Guide V-207131CAT IIIThe P router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.Router Security Requirements Guide V-206724CAT IIThe SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.SDN Controller Security Requirements Guide V-92315CAT IIThe SEL-2740S -must be configured to limit excess bandwidth and denial of service (DoS) attacks.SEL-2740S L2S Security Technical Implementation Guide V-261320CAT IISLEM 5 must be configured to use TCP syncookies.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217286CAT IIThe SUSE operating system must be configured to use TCP syncookies.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-216473CAT IIThe operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.Solaris 11 SPARC Security Technical Implementation Guide V-216237CAT IIThe operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.Solaris 11 X86 Security Technical Implementation Guide V-241062CAT IIThe bandwidth consumption for the Tanium Server must be limited.Tanium 7.0 Security Technical Implementation Guide V-234121CAT IIThe bandwidth consumption for the Tanium Application server must be limited.Tanium 7.3 Security Technical Implementation Guide V-254920CAT IIThe Tanium application must manage bandwidth throttles to limit the effects of information flooding types of Denial of Service (DoS) attacks.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-254851CAT IIThe Tanium Operating System (TanOS) must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.Tanium 7.x Operating System on TanOS Security Technical Implementation Guide V-253787CAT IIThe Tanium application must manage bandwidth throttles to limit the effects of information flooding types of denial-of-service (DoS) attacks.Tanium 7.x Security Technical Implementation Guide V-241144CAT IITrend Deep Security must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.Trend Micro Deep Security 9.x Security Technical Implementation Guide V-242193CAT IIThe TPS must block outbound traffic containing known and unknown denial-of-service (DoS) attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.Trend Micro TippingPoint IDPS Security Technical Implementation Guide V-252922CAT IIThe TOSS operating system must be configured to use TCP syncookies.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282512CAT IITOSS 5 must be configured to use TCP syncookies.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-265618CAT IIThe NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks.VMware NSX 4.x Distributed Firewall Security Technical Implementation Guide V-265367CAT IThe NSX Tier-0 Gateway Firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.VMware NSX 4.x Tier-0 Gateway Firewall Security Technical Implementation Guide V-265493CAT IThe NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.VMware NSX 4.x Tier-1 Gateway Firewall Security Technical Implementation Guide V-69135CAT IIThe NSX Distributed Logical Router must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.VMware NSX Distributed Logical Router Security Technical Implementation Guide V-251728CAT IIThe NSX-T Distributed Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.VMware NSX-T Distributed Firewall Security Technical Implementation Guide V-251764CAT IIThe NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide V-251772CAT IIThe NSX-T Tier-1 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.VMware NSX-T Tier 1 Gateway RTR Security Technical Implementation Guide V-251739CAT IIThe NSX-T Tier-0 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide V-251748CAT IIThe NSX-T Tier-0 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide V-240469CAT IIThe SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-240470CAT IIThe SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-239562CAT IIThe SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-239563CAT IIThe SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256512CAT IIThe Photon operating system must use Transmission Control Protocol (TCP) syncookies.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256336CAT IIThe vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).VMware vSphere 7.0 vCenter Security Technical Implementation Guide V-258829CAT IIThe Photon operating system must be configured to use TCP syncookies.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-258922CAT IIThe vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).VMware vSphere 8.0 vCenter Security Technical Implementation Guide