
V-269870

CAT II (Medium)

The PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

Rule ID

SV-269870r1052434_rule

STIG

Dell OS10 Switch Router Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001095

Discussion

DoS is a condition in which a resource is not available to legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, QoS, or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

Satisfies: SRG-NET-000193-RTR-000112, SRG-NET-000193-RTR-000113, SRG-NET-000193-RTR-000114

Check Content

Review the router configuration and interview the system administrator to verify that a mechanism for traffic prioritization and bandwidth reservation exists.

Verify the class-maps are configured to match on DSCP, protocols, or access control lists (ACLs) that identify traffic types based on ports. 

!
class-map type qos 6Q_BestEffort_dscp
 match ip-any dscp 0
!
class-map type qos 6Q_NetworkControl_dscp
 match ip-any dscp 48
!
class-map type qos 6Q_PreferData_dscp
 match ip-any dscp 16
!
class-map type qos 6Q_Scavenger_dscp
 match ip-any dscp 8
!
class-map type qos 6Q_Video_dscp
 match ip-any dscp 38
!
class-map type qos 6Q_Voice_dscp
 match ip-any dscp 49
!
class-map type qos 6Q_Voice_dscp_15
 match ip-any dscp 15
!
class-map type queuing 6Q_BestEffort
 match queue 1
!
class-map type queuing 6Q_NetworkControl
 match queue 5
!
class-map type queuing 6Q_PreferData
 match queue 2
!
class-map type queuing 6Q_Scavenger
 match queue 0
!
class-map type queuing 6Q_Unused_6
 match queue 6
!
class-map type queuing 6Q_Unused_7
 match queue 7
!
class-map type queuing 6Q_Video
 match queue 3
!
class-map type queuing 6Q_Voice
 match queue 4
!

Verify the policy-map is configured to set DSCP values for the defined class-maps in accordance with the QoS GIG Technical Profile. 

policy-map type qos 6Q_PolicyMapIn_dscp
 !
 class 6Q_Scavenger_dscp
  set qos-group 0
 !
 class 6Q_BestEffort_dscp
  set qos-group 1
 !
 class 6Q_PreferData_dscp
  set qos-group 2
 !
 class 6Q_Video_dscp
  set qos-group 3
 !
 class 6Q_Voice_dscp
  set qos-group 4
 !
 class 6Q_Voice_dscp_15
  set qos-group 4
  set dscp 45
 !
 class 6Q_NetworkControl_dscp
  set qos-group 5
!
policy-map type queuing 6Q_PolicyMapOut_100G
 !
 class 6Q_Scavenger
  bandwidth percent 10
  shape min mbps 10000 max mbps 10000
 !
 class 6Q_BestEffort
  bandwidth percent 18
 !
 class 6Q_NetworkControl
  bandwidth percent 5
  shape min mbps 5000 max mbps 5000
 !
 class 6Q_PreferData
  bandwidth percent 30
  shape min mbps 30000 max mbps 30000
 !
 class 6Q_Unused_6
  bandwidth percent 1
 !
 class 6Q_Unused_7
  bandwidth percent 1
 !
 class 6Q_Video
  bandwidth percent 15
  shape min mbps 15000 max mbps 15000
 !
 class 6Q_Voice
  bandwidth percent 20
  shape min mbps 20000 max mbps 20000
!

Verify that input and output service policies are bound to the appropriate interfaces. 

!
interface ethernet1/1/2
 service-policy input type qos 6Q_PolicyMapIn_dscp
 service-policy output type queuing 6Q_PolicyMapOut_100G
!

Note: The GTP QOS document (GTP-0009) can be downloaded via the following link:
https://intellipedia.intelink.gov/wiki/Portal:GIG_Technical_Guidance/GTG_GTPs/GTP_Development_List


If the router is not configured to implement a QoS policy in accordance with the QoS GIG Technical Profile, this is a finding.
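
The cross-references in the Check Content above (every class used by a policy-map has a class-map of the same type, and each interface carries both an input qos and an output queuing service-policy that exists) can be checked against a saved running-config. The following Python is an added example, not part of the STIG or of Dell's tooling; the function names `sections` and `audit`, the abridged sample config, and the choice to flag every `interface ethernet` stanza are assumptions.

```python
import re

# Constructed, abridged config: eth1/1/3 lacks an output policy; 6Q_Video_dscp is undefined.
SAMPLE = """\
class-map type qos 6Q_Voice_dscp
 match ip-any dscp 49
class-map type queuing 6Q_Voice
 match queue 4
policy-map type qos 6Q_PolicyMapIn_dscp
 !
 class 6Q_Voice_dscp
  set qos-group 4
 class 6Q_Video_dscp
  set qos-group 3
policy-map type queuing 6Q_PolicyMapOut_100G
 class 6Q_Voice
  bandwidth percent 20
interface ethernet1/1/2
 service-policy input type qos 6Q_PolicyMapIn_dscp
 service-policy output type queuing 6Q_PolicyMapOut_100G
interface ethernet1/1/3
 service-policy input type qos 6Q_PolicyMapIn_dscp
"""

def sections(cfg):
    """Map each top-level line to its indented child lines; '!' separators dropped."""
    out, cur = {}, None
    for raw in cfg.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and cur is not None:
            cur.append(raw.strip())
        elif not raw[0].isspace():
            cur = out.setdefault(raw.strip(), [])
    return out

def audit(cfg):
    """Findings: policy-map classes with no class-map, interfaces missing a binding."""
    sec, out = sections(cfg), []
    for hdr, body in sec.items():
        pm = re.fullmatch(r"policy-map type (qos|queuing) (\S+)", hdr)
        for name in [l.split()[1] for l in body if pm and l.startswith("class ")]:
            if f"class-map type {pm.group(1)} {name}" not in sec:
                out.append(f"{pm.group(2)}: class {name} has no class-map")
        if hdr.startswith("interface ethernet"):
            for way, kind in (("input", "qos"), ("output", "queuing")):
                pols = [l.split()[-1] for l in body
                        if l.startswith(f"service-policy {way} type {kind} ")]
                if not any(f"policy-map type {kind} {p}" in sec for p in pols):
                    out.append(f"{hdr}: no {way} {kind} service-policy")
    return out
```

An empty list from `audit` means only that the references are consistent; whether the DSCP values and bandwidth shares follow the QoS GIG Technical Profile still has to be reviewed against that document.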

Fix Text

Implement a mechanism for traffic prioritization and bandwidth reservation. This mechanism must enforce the traffic priorities specified by the Combatant Commands/Services/Agencies.

Step 1: Configure QoS class-maps to match on DSCP values as shown in the configuration example below:

OS10(config)# class-map type qos 6Q_BestEffort_dscp
OS10(config-cmap-qos)# match ip-any dscp 0
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_NetworkControl_dscp
OS10(config-cmap-qos)# match ip-any dscp 48
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_PreferData_dscp
OS10(config-cmap-qos)# match ip-any dscp 16
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Scavenger_dscp
OS10(config-cmap-qos)# match ip-any dscp 8
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Video_dscp
OS10(config-cmap-qos)# match ip-any dscp 38
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Voice_dscp
OS10(config-cmap-qos)# match ip-any dscp 49
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Voice_dscp_15
OS10(config-cmap-qos)# match ip-any dscp 15
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# exit
OS10(config)#

Step 2: Configure policy-maps to map QoS traffic classes to qos-groups.

OS10(config)# policy-map type qos 6Q_PolicyMapIn_dscp
OS10(config-pmap-qos)# !
OS10(config-pmap-qos)# class 6Q_Scavenger_dscp
OS10(config-pmap-c-qos)# set qos-group 0
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_BestEffort_dscp
OS10(config-pmap-c-qos)# set qos-group 1
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_PreferData_dscp
OS10(config-pmap-c-qos)# set qos-group 2
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Video_dscp
OS10(config-pmap-c-qos)# set qos-group 3
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Voice_dscp
OS10(config-pmap-c-qos)# set qos-group 4
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Voice_dscp_15
OS10(config-pmap-c-qos)# set qos-group 4
OS10(config-pmap-c-qos)# set dscp 45
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_NetworkControl_dscp
OS10(config-pmap-c-qos)# set qos-group 5
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# exit
OS10(config-pmap-qos)# exit

Step 3: Configure queuing class-maps as shown in the configuration example below:

OS10(config)# class-map type queuing 6Q_Scavenger
OS10(config-cmap-queuing)# match queue 0
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_BestEffort
OS10(config-cmap-queuing)# match queue 1
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_PreferData
OS10(config-cmap-queuing)# match queue 2
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_Video
OS10(config-cmap-queuing)# match queue 3
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_Voice
OS10(config-cmap-queuing)# match queue 4
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_NetworkControl
OS10(config-cmap-queuing)# match queue 5
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# exit
OS10(config)#

Step 4: Configure queuing policy-maps to reserve bandwidth for each queue.

OS10(config)# policy-map type queuing 6Q_PolicyMapOut_100G
OS10(config-pmap-queuing)# !
OS10(config-pmap-queuing)# class 6Q_Scavenger
OS10(config-pmap-c-que)# bandwidth percent 10
OS10(config-pmap-c-que)# shape min mbps 10000 max mbps 10000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_BestEffort
OS10(config-pmap-c-que)# bandwidth percent 20
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_NetworkControl
OS10(config-pmap-c-que)# bandwidth percent 5
OS10(config-pmap-c-que)# shape min mbps 5000 max mbps 5000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_PreferData
OS10(config-pmap-c-que)# bandwidth percent 30
OS10(config-pmap-c-que)# shape min mbps 30000 max mbps 30000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_Video
OS10(config-pmap-c-que)# bandwidth percent 15
OS10(config-pmap-c-que)# shape min mbps 15000 max mbps 15000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_Voice
OS10(config-pmap-c-que)# bandwidth percent 20
OS10(config-pmap-c-que)# shape min mbps 20000 max mbps 20000
OS10(config-pmap-c-que)# !

Step 5: Apply the input and output service policies to all interfaces as shown in the configuration example below:

OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# service-policy input type qos 6Q_PolicyMapIn_dscp
OS10(conf-if-eth1/1/2)# service-policy output type queuing 6Q_PolicyMapOut_100G