STIGhub

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-004866

Definition

Employ organization-defined controls by type of denial-of-service to achieve the denial-of-service objective.

Parent Control

SC-5: Denial-of-Service Protection (System and Communications Protection)

Linked STIG Checks (55)

Each entry lists: check ID | severity | requirement | source guide.

  • V-263541 | CAT II | The ALG must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective. | Application Layer Gateway Security Requirements Guide
  • V-255969 | CAT II | The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | Arista MLS EOS 4.X L2S Security Technical Implementation Guide
  • V-272045 | CAT II | The Cisco ACI layer 2 switch must employ a first-hop-security (FHS) policy to protect against denial-of-service (DoS) attacks. | Cisco ACI Layer 2 Switch Security Technical Implementation Guide
  • V-239860 | CAT II | The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks. | Cisco ASA Firewall Security Technical Implementation Guide
  • V-239882 | CAT II | The Cisco ASA must be configured to block outbound traffic containing denial-of-service (DoS) attacks by ensuring an intrusion prevention policy has been applied to outbound communications traffic. | Cisco ASA IPS Security Technical Implementation Guide
  • V-216560 | CAT I | The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-220625 | CAT II | The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks. | Cisco IOS Switch L2S Security Technical Implementation Guide
  • V-220428 | CAT I | The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-216650 | CAT I | The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-220651 | CAT II | The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | Cisco IOS XE Switch L2S Security Technical Implementation Guide
  • V-220995 | CAT I | The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-221079 | CAT II | The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-269954 | CAT II | The Dell OS10 Switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | Dell OS10 Switch Layer 2 Switch Security Technical Implementation Guide
  • V-263647 | CAT II | The firewall must be configured to employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective. | Firewall Security Requirements Guide
  • V-263663 | CAT II | The IDPS must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective. | Intrusion Detection and Prevention Systems Security Requirements Guide
  • V-258585 | CAT II | The ICS must be configured to limit the number of concurrent sessions for user accounts to one. | Ivanti Connect Secure VPN Security Technical Implementation Guide
  • V-253951 | CAT II | The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
  • V-253989 | CAT I | The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254006 | CAT II | The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254010 | CAT I | The Juniper router must be configured to restrict traffic destined to itself. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254011 | CAT II | The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254016 | CAT I | The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254017 | CAT II | The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254022 | CAT I | The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254023 | CAT II | The Juniper perimeter router must be configured to block all packets with any IP options. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254024 | CAT II | The Juniper PE router must be configured to ignore or block all packets with any IP options. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254031 | CAT II | The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254033 | CAT III | The Juniper router must be configured to have IP directed broadcast disabled on all interfaces. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254040 | CAT III | The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254044 | CAT III | The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-217018 | CAT II | The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Juniper Router RTR Security Technical Implementation Guide
  • V-214529 | CAT I | The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by implementing statistics-based screens. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
  • V-214530 | CAT II | The Juniper SRX Services Gateway Firewall must implement load balancing on the perimeter firewall, at a minimum, to limit the effects of known and unknown types of denial-of-service (DoS) attacks on the network. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
  • V-214531 | CAT I | The Juniper SRX Services Gateway Firewall must protect against known types of denial-of-service (DoS) attacks by implementing signature-based screens. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
  • V-214532 | CAT II | The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
  • V-214614 | CAT II | The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic. | Juniper SRX Services Gateway IDPS Security Technical Implementation Guide
  • V-214615 | CAT II | The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic. | Juniper SRX Services Gateway IDPS Security Technical Implementation Guide
  • V-214626 | CAT II | The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. | Juniper SRX Services Gateway IDPS Security Technical Implementation Guide
  • V-214627 | CAT II | The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based detection. | Juniper SRX Services Gateway IDPS Security Technical Implementation Guide
  • V-214628 | CAT II | The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures. | Juniper SRX Services Gateway IDPS Security Technical Implementation Guide
  • V-214668 | CAT II | The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
  • V-214683 | CAT II | The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
  • V-228842 | CAT II | The Palo Alto Networks security platform must protect against the use of internal systems for launching denial-of-service (DoS) attacks against external networks or endpoints. | Palo Alto Networks ALG Security Technical Implementation Guide
  • V-228843 | CAT II | The Palo Alto Networks security platform must block phone home traffic. | Palo Alto Networks ALG Security Technical Implementation Guide
  • V-228860 | CAT I | The Palo Alto Networks security platform must protect against denial-of-service (DoS) attacks from external sources. | Palo Alto Networks ALG Security Technical Implementation Guide
  • V-207692 | CAT II | The Palo Alto Networks security platform must have a denial-of-service (DoS) Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone. | Palo Alto Networks IDPS Security Technical Implementation Guide
  • V-207703 | CAT II | The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds). | Palo Alto Networks IDPS Security Technical Implementation Guide
  • V-207704 | CAT II | The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats. | Palo Alto Networks IDPS Security Technical Implementation Guide
  • V-273669 | CAT II | The RUCKUS ICX router must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective. | RUCKUS ICX Router Security Technical Implementation Guide
  • V-264309 | CAT II | The router must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective. | Router Security Requirements Guide
  • V-264312 | CAT II | The SDN controller must be configured to employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective. | SDN Controller Security Requirements Guide
  • V-279176 | CAT II | The Edge SWG must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | Symantec Edge SWG ALG Security Technical Implementation Guide
  • V-242192 | CAT II | The TPS must protect against or limit the effects of known types of denial-of-service (DoS) attacks by employing signatures. | Trend Micro TippingPoint IDPS Security Technical Implementation Guide
  • V-242193 | CAT II | The TPS must block outbound traffic containing known and unknown denial-of-service (DoS) attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic. | Trend Micro TippingPoint IDPS Security Technical Implementation Guide
  • V-264328 | CAT II | The VPN Gateway must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective. | Virtual Private Network (VPN) Security Requirements Guide