
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-002385

Definition

Protect against or limit the effects of organization-defined types of denial-of-service events.

Parent Control

SC-5: Denial-of-Service Protection (System and Communications Protection)

Linked STIG Checks (200)

  • V-237049 (CAT I): The A10 Networks ADC must protect against TCP and UDP Denial of Service (DoS) attacks by employing Source-IP based connection-rate limiting. [A10 Networks ADC ALG Security Technical Implementation Guide]
  • V-237050 (CAT II): The A10 Networks ADC must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. [A10 Networks ADC ALG Security Technical Implementation Guide]
  • V-237051 (CAT II): The A10 Networks ADC must enable DDoS filters. [A10 Networks ADC ALG Security Technical Implementation Guide]
  • V-237062 (CAT I): The A10 Networks ADC must protect against ICMP-based Denial of Service (DoS) attacks by employing ICMP Rate Limiting. [A10 Networks ADC ALG Security Technical Implementation Guide]
  • V-279040 (CAT II): ColdFusion must configure WebSocket Service. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279050 (CAT II): ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279060 (CAT II): ColdFusion must transmit only encrypted representations of passwords to the mail server. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279069 (CAT II): ColdFusion systems must provide clustering. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279073 (CAT II): ColdFusion must set a maximum session timeout value. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279079 (CAT II): ColdFusion must set Request Tuning configurations. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279080 (CAT II): ColdFusion must limit the maximum number of threads available for CFTHREAD. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279081 (CAT II): ColdFusion must limit the maximum number of Web Service requests. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279082 (CAT II): ColdFusion must limit the maximum number of ColdFusion Component (CFC) function requests. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279083 (CAT II): ColdFusion must configure Data Sources to limit SQL command and configure timeout. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279084 (CAT II): ColdFusion must not store user information in the server registry. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279085 (CAT II): ColdFusion must limit the in-memory size of the virtual file system. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279086 (CAT II): ColdFusion must limit the default maximum thread count for parallel functions. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279087 (CAT II): ColdFusion must limit the maximum post data size. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279088 (CAT II): ColdFusion must limit the request throttle memory. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279089 (CAT II): ColdFusion must set an organization defined maximum number of cached templates. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279090 (CAT II): ColdFusion must set an organization defined maximum JVM heap size. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-279091 (CAT II): ColdFusion must set a nonzero timeout for web services. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-76421 (CAT II): Kona Site Defender providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis. [Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide]
  • V-76423 (CAT II): Kona Site Defender providing content filtering must protect against known types of denial-of-service (DoS) attacks by employing signatures. [Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide]
  • V-274183 (CAT II): Amazon Linux 2023 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures are configured on impacted network interfaces. [Amazon Linux 2023 Security Technical Implementation Guide]
  • V-268158 (CAT II): NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. [Anduril NixOS Security Technical Implementation Guide]
  • V-214255 (CAT II): The Apache web server must be tuned to handle the operational requirements of the hosted application. [Apache Server 2.4 UNIX Server Security Technical Implementation Guide]
  • V-214267 (CAT II): The Apache web server must be protected from being stopped by a non-privileged user. [Apache Server 2.4 UNIX Server Security Technical Implementation Guide]
  • V-214338 (CAT II): The Apache web server must restrict the ability of users to launch denial-of-service (DoS) attacks against other information systems or networks. [Apache Server 2.4 Windows Server Security Technical Implementation Guide]
  • V-214353 (CAT II): The Apache web server must be protected from being stopped by a non-privileged user. [Apache Server 2.4 Windows Server Security Technical Implementation Guide]
  • V-222995 (CAT II): The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-222996 (CAT II): Tomcat server must be patched for security vulnerabilities. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-205004 (CAT II): The ALG providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. [Application Layer Gateway Security Requirements Guide]
  • V-205005 (CAT II): The ALG must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. [Application Layer Gateway Security Requirements Guide]
  • V-205006 (CAT II): The ALG providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures. [Application Layer Gateway Security Requirements Guide]
  • V-205007 (CAT II): The ALG providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors. [Application Layer Gateway Security Requirements Guide]
  • V-274707 (CAT II): The API must use a gateway. [Application Programming Interface (API) Security Requirements Guide]
  • V-222593 (CAT II): XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. [Application Security and Development Security Technical Implementation Guide]
  • V-204814 (CAT II): The application server, when a MAC I system, must be in a high-availability (HA) cluster. [Application Server Security Requirements Guide]
  • V-204815 (CAT II): The application server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards. [Application Server Security Requirements Guide]
  • V-217525 (CAT II): The Arista Multilayer Switch must ensure all Exterior Border Gateway Protocol (eBGP) routers are configured to use Generalized TTL Security Mechanism (GTSM) or are configured to meet RFC3682. [Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide]
  • V-255970 (CAT III): The Arista MLS switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts. [Arista MLS EOS 4.2x L2S Security Technical Implementation Guide]
  • V-255971 (CAT II): The Arista MLS layer 2 switch must have BPDU Guard enabled on all switch ports connecting to access layer switches and hosts. [Arista MLS EOS 4.2x L2S Security Technical Implementation Guide]
  • V-255972 (CAT II): The Arista MLS switch must have STP Loop Guard enabled on all nondesignated STP switch ports. [Arista MLS EOS 4.2x L2S Security Technical Implementation Guide]
  • V-255973 (CAT II): The Arista MLS layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. [Arista MLS EOS 4.2x L2S Security Technical Implementation Guide]
  • V-255974 (CAT II): The Arista MLS layer 2 switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports. [Arista MLS EOS 4.2x L2S Security Technical Implementation Guide]
  • V-255975 (CAT II): The Arista MLS layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. [Arista MLS EOS 4.2x L2S Security Technical Implementation Guide]
  • V-256029 (CAT II): The Arista router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256030 (CAT II): The Arista router must be configured to have gratuitous ARP disabled on all external interfaces. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256031 (CAT III): The Arista router must be configured to have IP directed broadcast disabled on all interfaces. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256032 (CAT II): The Arista router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256033 (CAT II): The Arista router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256034 (CAT II): The Arista router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256035 (CAT II): The Arista BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256036 (CAT III): The Arista BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256037 (CAT III): The multicast Rendezvous Point (RP) Arista router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256038 (CAT II): The Arista multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-256039 (CAT III): The Arista BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). [Arista MLS EOS 4.2x Router Security Technical Implementation Guide]
  • V-255969 (CAT II): The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks. [Arista MLS EOS 4.X L2S Security Technical Implementation Guide]
  • V-255970 (CAT III): The Arista MLS switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts. [Arista MLS EOS 4.X L2S Security Technical Implementation Guide]
  • V-255971 (CAT II): The Arista MLS layer 2 switch must have BPDU Guard enabled on all switch ports connecting to access layer switches and hosts. [Arista MLS EOS 4.X L2S Security Technical Implementation Guide]
  • V-255972 (CAT II): The Arista MLS switch must have STP Loop Guard enabled on all nondesignated STP switch ports. [Arista MLS EOS 4.X L2S Security Technical Implementation Guide]
  • V-255973 (CAT II): The Arista MLS layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. [Arista MLS EOS 4.X L2S Security Technical Implementation Guide]
  • V-255974 (CAT II): The Arista MLS layer 2 switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports. [Arista MLS EOS 4.X L2S Security Technical Implementation Guide]
  • V-255975 (CAT II): The Arista MLS layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. [Arista MLS EOS 4.X L2S Security Technical Implementation Guide]
  • V-256029 (CAT II): The Arista router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256030 (CAT II): The Arista router must be configured to have gratuitous ARP disabled on all external interfaces. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256031 (CAT III): The Arista router must be configured to have IP directed broadcast disabled on all interfaces. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256032 (CAT II): The Arista router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256033 (CAT II): The Arista router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256034 (CAT II): The Arista router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256035 (CAT II): The Arista BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256036 (CAT III): The Arista BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256037 (CAT III): The multicast Rendezvous Point (RP) Arista router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256038 (CAT II): The Arista multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-256039 (CAT III): The Arista BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). [Arista MLS EOS 4.X Router Security Technical Implementation Guide]
  • V-276001 (CAT II): Ax-OS must limit the number of concurrent sessions to 10 for all accounts and/or account types. [Axonius Federal Systems Ax-OS Security Technical Implementation Guide]
  • V-237399 (CAT II): The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. [CA API Gateway ALG Security Technical Implementation Guide]
  • V-237400 (CAT II): The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. [CA API Gateway ALG Security Technical Implementation Guide]
  • V-255521 (CAT II): The CA API Gateway must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the CA API Gateway management network by employing organization-defined security safeguards. [CA API Gateway NDM Security Technical Implementation Guide]
  • V-219340 (CAT II): The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. [Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide]
  • V-238367 (CAT II): The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. [Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide]
  • V-260517 (CAT II): Ubuntu 22.04 LTS must configure the Uncomplicated Firewall (ufw) to rate-limit impacted network interfaces. [Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide]
  • V-270754 (CAT II): Ubuntu 24.04 LTS must configure the uncomplicated firewall to rate-limit impacted network interfaces. [Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide]
  • V-272033 (CAT II): The Cisco ACI layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) set to "Hardware Proxy". [Cisco ACI Layer 2 Switch Security Technical Implementation Guide]
  • V-272037 (CAT II): The Cisco ACI layer 2 switch must enable port security. [Cisco ACI Layer 2 Switch Security Technical Implementation Guide]
  • V-272045 (CAT II): The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks. [Cisco ACI Layer 2 Switch Security Technical Implementation Guide]
  • V-272086 (CAT II): The Cisco ACI must be configured to have gratuitous ARP (GARP) disabled on all external interfaces. [Cisco ACI Router Security Technical Implementation Guide]
  • V-272087 (CAT II): The Cisco ACI must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. [Cisco ACI Router Security Technical Implementation Guide]
  • V-272088 (CAT II): The BGP Cisco ACI must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. [Cisco ACI Router Security Technical Implementation Guide]
  • V-272089 (CAT III): The BGP Cisco ACI must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. [Cisco ACI Router Security Technical Implementation Guide]
  • V-272091 (CAT II): The multicast rendezvous point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages. [Cisco ACI Router Security Technical Implementation Guide]
  • V-272092 (CAT II): The Cisco ACI must be configured to limit the mroute states created by Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) reports on a Cisco APIC Bridge Domain (BD) or interface. [Cisco ACI Router Security Technical Implementation Guide]
  • V-272094 (CAT III): Cisco ACI must be configured so the BGP neighbor is directly connected and will not connect a BGP session to a directly connected neighbor device's loopback address. [Cisco ACI Router Security Technical Implementation Guide]
  • V-272104 (CAT II): The Cisco ACI must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. [Cisco ACI Router Security Technical Implementation Guide]
  • V-239864 (CAT I): The Cisco ASA must be configured to implement scanning threat detection. [Cisco ASA Firewall Security Technical Implementation Guide]
  • V-239932 (CAT II): The Cisco ASA must be configured to protect against known types of denial-of-service (DoS) attacks by enabling the Threat Detection feature. [Cisco ASA NDM Security Technical Implementation Guide]
  • V-215701 (CAT II): The Cisco router must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. [Cisco IOS Router NDM Security Technical Implementation Guide]
  • V-216559 (CAT II): The Cisco router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216560 (CAT I): The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216563 (CAT II): The Cisco router must be configured to have Gratuitous ARP disabled on all external interfaces. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216564 (CAT III): The Cisco router must be configured to have IP directed broadcast disabled on all interfaces. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216565 (CAT II): The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216566 (CAT II): The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216567 (CAT II): The Cisco router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216604 (CAT II): The Cisco BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216605 (CAT III): The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216625 (CAT III): The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216628 (CAT II): The Cisco multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216631 (CAT II): The Cisco multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216632 (CAT II): The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-216991 (CAT III): The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). [Cisco IOS Router RTR Security Technical Implementation Guide]
  • V-220629 (CAT III): The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches. [Cisco IOS Switch L2S Security Technical Implementation Guide]
  • V-220630 (CAT II): The Cisco switch must have Bridge Protocol Data Unit (BPDU) Guard enabled on all user-facing or untrusted access switch ports. [Cisco IOS Switch L2S Security Technical Implementation Guide]
  • V-220631 (CAT II): The Cisco switch must have Spanning Tree Protocol (STP) Loop Guard enabled. [Cisco IOS Switch L2S Security Technical Implementation Guide]
  • V-220632 (CAT II): The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled. [Cisco IOS Switch L2S Security Technical Implementation Guide]
  • V-220633 (CAT II): The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. [Cisco IOS Switch L2S Security Technical Implementation Guide]
  • V-220634 (CAT II): The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports. [Cisco IOS Switch L2S Security Technical Implementation Guide]
  • V-220635 (CAT II): The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. [Cisco IOS Switch L2S Security Technical Implementation Guide]
  • V-220609 (CAT II): The Cisco switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. [Cisco IOS Switch NDM Security Technical Implementation Guide]
  • V-220427 (CAT II): The Cisco switch must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-220428 (CAT I): The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-220431 (CAT II): The Cisco switch must be configured to have gratuitous ARP disabled on all external interfaces. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-220432 (CAT III): The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-220433 (CAT II): The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-220434 (CAT II): The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-220435 (CAT II): The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-220466 (CAT II): The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-220467 (CAT II): The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. [Cisco IOS Switch RTR Security Technical Implementation Guide]
  • V-216649 (CAT II): The Cisco router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216650 (CAT I): The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216653 (CAT II): The Cisco router must be configured to have Gratuitous ARP disabled on all external interfaces. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216654 (CAT III): The Cisco router must be configured to have IP directed broadcast disabled on all interfaces. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216655 (CAT II): The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216656 (CAT II): The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216657 (CAT II): The Cisco router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216694 (CAT II): The Cisco BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216695 (CAT III): The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216709 (CAT III): The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216720 (CAT III): The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216723 (CAT II): The Cisco multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216726 (CAT II): The Cisco multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216727 (CAT II): The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-216999 (CAT III): The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). [Cisco IOS XE Router RTR Security Technical Implementation Guide]
  • V-220655 (CAT III): The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches. [Cisco IOS XE Switch L2S Security Technical Implementation Guide]
  • V-220656 (CAT II): The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports. [Cisco IOS XE Switch L2S Security Technical Implementation Guide]
  • V-220657 (CAT II): The Cisco switch must have STP Loop Guard enabled. [Cisco IOS XE Switch L2S Security Technical Implementation Guide]
  • V-220658 (CAT II): The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled. [Cisco IOS XE Switch L2S Security Technical Implementation Guide]
  • V-220659 (CAT II): The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. [Cisco IOS XE Switch L2S Security Technical Implementation Guide]
  • V-220660 (CAT II): The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports. [Cisco IOS XE Switch L2S Security Technical Implementation Guide]
  • V-220661 (CAT II): The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. [Cisco IOS XE Switch L2S Security Technical Implementation Guide]
  • V-220994 (CAT II): The Cisco switch must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-220995 (CAT I): The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-220998 (CAT II): The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-220999 (CAT III): The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221000 (CAT II): The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221001 (CAT II): The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221002 (CAT II): The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221021 (CAT III): The Cisco BGP switch must be configured to enable the Generalized TTL Security Mechanism (GTSM). [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221030 (CAT II): The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221031 (CAT III): The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221045 (CAT III): The Cisco PE switch must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221056 (CAT III): The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221059 (CAT II): The Cisco multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages. [Cisco IOS XE Switch RTR Security Technical Implementation Guide]
  • V-221062 (CAT II): The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from
Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.Cisco IOS XE Switch RTR Security Technical Implementation GuideV-221063CAT IIThe Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.Cisco IOS XE Switch RTR Security Technical Implementation GuideV-216745CAT IIIThe Cisco router must be configured to have IP directed broadcast disabled on all interfaces.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216746CAT IIThe Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216747CAT IIThe Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216748CAT IIThe Cisco router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216784CAT IIThe Cisco BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216785CAT IIIThe Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216799CAT IIIThe Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.Cisco IOS 
XR Router RTR Security Technical Implementation GuideV-216810CAT IIIThe Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216813CAT IIThe Cisco multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216816CAT IIThe Cisco multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.Cisco IOS XR Router RTR Security Technical Implementation GuideV-216817CAT IIThe Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.Cisco IOS XR Router RTR Security Technical Implementation GuideV-217007CAT IIIThe Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).Cisco IOS XR Router RTR Security Technical Implementation GuideV-242660CAT IIThe Cisco ISE must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.Cisco ISE NDM Security Technical Implementation GuideV-220680CAT IIIThe Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.Cisco NX OS Switch L2S Security Technical Implementation GuideV-220681CAT IIThe Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.Cisco NX OS Switch L2S Security Technical Implementation 
GuideV-220682CAT IIThe Cisco switch must have STP Loop Guard enabled.Cisco NX OS Switch L2S Security Technical Implementation GuideV-220683CAT IIThe Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.Cisco NX OS Switch L2S Security Technical Implementation GuideV-220684CAT IIThe Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.Cisco NX OS Switch L2S Security Technical Implementation GuideV-220685CAT IIThe Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.Cisco NX OS Switch L2S Security Technical Implementation GuideV-220686CAT IIThe Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.Cisco NX OS Switch L2S Security Technical Implementation GuideV-260464CAT IIThe Cisco switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.Cisco NX OS Switch NDM Security Technical Implementation GuideV-221079CAT IIThe Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221082CAT IIThe Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221083CAT IIIThe Cisco switch must be configured to have IP directed broadcast disabled on all interfaces.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221084CAT IIThe Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221085CAT IIThe Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external 
interfaces.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221101CAT IIIThe Cisco BGP switch must be configured to check whether a single-hop eBGP peer is directly connected.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221110CAT IIThe Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221111CAT IIIThe Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221124CAT IIIThe Cisco PE switch must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221135CAT IIIThe Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.Cisco NX OS Switch RTR Security Technical Implementation GuideV-221140CAT IIThe Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.Cisco NX OS Switch RTR Security Technical Implementation GuideV-269434CAT IIAlmaLinux OS 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.Cloud Linux AlmaLinux OS 9 Security Technical Implementation GuideV-269435CAT IIAlmaLinux OS 9 must be configured to use TCP syncookies.Cloud Linux 
AlmaLinux OS 9 Security Technical Implementation Guide