STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-269798

CAT II (Medium)

The Dell OS10 Switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.

Rule ID

SV-269798r1051779_rule

STIG

Dell OS10 Switch NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. The security safeguards cannot be defined at the DOD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).

Check Content

Determine if the OS10 Switch protects against or limits the effects of all known types of DoS attacks by employing organization-defined security safeguards. Dell OS10 Switches provide DoS protection via control plane ACLs and Control Plane Policing (CoPP).

Use the show control-plane info command to verify that the CoPP queue rate limits are appropriate to implement the organization-defined security safeguards:

OS10# show control-plane info
Queue                    Min Rate Limit(in pps)   Max Rate Limit(in pps)   Protocols
0                        600                      600                      ISCSI UNKNOWN UNICAST
1                        1000                     1000                     OPEN_FLOW SFLOW
2                        400                      400                      IGMP PIM
3                        600                      1000                     VLT NDS
4                        500                      1000                     IPV6_ICMP IPV4_ICMP
5                        500                      1000                     ICMPV6_RS ICMPV6_NS ICMPV6_RA ICMPV6_NA
6                        500                      1000                     ARP_REQ SERVICEABILITY
7                        500                      1000                     ARP_RESP
8                        500                      500                      SSH TELNET TACACS NTP FTP
9                        600                      600                      FCOE NVME
10                       600                      1000                     LACP
11                       400                      400                      RSTP PVST MSTP
12                       500                      500                      DOT1X LLDP FEFD
13                       600                      1000                     IPV6_OSPF IPV4_OSPF
14                       600                      1000                     OSPF_HELLO
15                       600                      1000                     BGP
16                       500                      500                      IPV6_DHCP IPV4_DHCP
17                       600                      1000                     VRRP
18                       700                      700                      BFD
19                       1400                     2000                     REMOTE CPS
20                       300                      300                      MCAST DATA
21                       100                      100                      ACL LOGGING
22                       300                      300                      MCAST KNOWN DATA
23                       100                      100                      PTP
24                       100                      100                      PORT_SECURITY
OS10#

Use the show running-configuration class-map and show running-configuration policy-map commands to review the configured CoPP class-maps and policy-maps:

OS10# show running-configuration class-map
!
class-map type application class-iscsi
!
class-map type control-plane example-copp-class-map-name
OS10#
OS10# show running-configuration policy-map
!
policy-map type application policy-iscsi
!
policy-map type control-plane example-copp-policy-map-name
 !
 class example-copp-class-map-name
  set qos-group 2
  police cir 100 pir 100

Examine the control-plane configuration for the ACLs applied to traffic destined to the control plane from the OOBM management port (mgmt) and from the front-panel data ports (data):

OS10# show running-configuration control-plane
!
control-plane
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
 ip access-group MGMT_TRAFFIC_FROM_DATA data in

Review the control plane ACLs and verify traffic is limited appropriately:

OS10# show running-configuration access-list
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit ...
 seq 20 permit ...
 seq 30 deny ... log
 seq 40 deny ... log

!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit ...
 seq 20 permit ...
 seq 30 deny ... log
 seq 40 deny ... log

If the OS10 Switch does not protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards, this is a finding.
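The three checks above (CoPP queue rate limits, a control-plane service-policy, and inbound control-plane ACLs on both the mgmt and data paths that end in an explicit logged deny) can be scripted against captured show output rather than eyeballed. The audit below is an added example, not part of the STIG or of any Dell tooling. The sample inputs are constructed from the output formats shown on this page: the CoPP table is an excerpt of the page's own table, the ACL entries and the ORG_MAX_PPS per-queue ceilings are assumed values standing in for the organization-defined safeguards, and all function names are the example's own.

```python
"""Audit captured Dell OS10 show output for the V-269798 CoPP / control-plane ACL check.

Example code added to this page; not DISA's or Dell's. Sample text below is constructed.
"""
import re

# Excerpt of 'show control-plane info' in the format shown on this page (constructed subset).
COPP_INFO = """\
Queue                    Min Rate Limit(in pps)   Max Rate Limit(in pps)   Protocols
4                        500                      1000                     IPV6_ICMP IPV4_ICMP
6                        500                      1000                     ARP_REQ SERVICEABILITY
8                        500                      500                      SSH TELNET TACACS NTP FTP
19                       1400                     2000                     REMOTE CPS
"""

# Assumed organization-defined ceilings (max pps per queue); queue 4 (ICMP) is set deliberately
# below the device's configured 1000 pps so that the audit produces a finding.
ORG_MAX_PPS = {"4": 500, "6": 1000, "8": 500, "19": 2000}

# Constructed 'show running-configuration control-plane': only the mgmt ACL is bound.
RUNNING_CONTROL_PLANE = """\
!
control-plane
 service-policy input example-copp-policy-map-name
 ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
"""

# Constructed 'show running-configuration access-list' (addresses and ports are assumptions).
RUNNING_ACLS = """\
!
ip access-list MGMT_TRAFFIC_FROM_OOBM
 seq 10 permit tcp 10.0.0.0/24 any eq 22
 seq 20 permit udp 10.0.0.0/24 any eq 161
 seq 30 deny ip any any log
!
ip access-list MGMT_TRAFFIC_FROM_DATA
 seq 10 permit tcp 10.1.0.0/16 any eq 22
 seq 20 permit ip any any
"""


def parse_copp_info(text):
    """Map queue number -> (min_pps, max_pps, [protocols]) from the CoPP table."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$", line.strip())
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)), m.group(4).split())
    return rows


def check_copp_rates(info, org_max):
    """A queue is a finding if it has no organization-defined ceiling or exceeds it."""
    findings = []
    for q, (_lo, hi, protos) in info.items():
        label = f"queue {q} ({' '.join(protos)})"
        ceiling = org_max.get(q)
        if ceiling is None:
            findings.append(f"{label}: no organization-defined limit")
        elif hi > ceiling:
            findings.append(f"{label}: max {hi} pps exceeds {ceiling}")
    return findings


def parse_control_plane(text):
    """Return (service_policy_name or None, {'mgmt': acl_name, 'data': acl_name})."""
    policy, groups = None, {}
    for line in text.splitlines():
        m = re.match(r"\s*service-policy input (\S+)", line)
        if m:
            policy = m.group(1)
        m = re.match(r"\s*ip access-group (\S+) (mgmt|data) in", line)
        if m:
            groups[m.group(2)] = m.group(1)
    return policy, groups


def parse_acls(text):
    """Return {acl_name: [(seq, action, match_text, logged)]} from the access-list output."""
    acls, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"ip access-list (\S+)", line)
        if m:
            cur = m.group(1)
            acls[cur] = []
            continue
        m = re.match(r"\s+seq (\d+) (permit|deny) (.*)$", line)
        if m and cur is not None:
            rest = m.group(3)
            acls[cur].append((int(m.group(1)), m.group(2), rest, rest.split()[-1] == "log"))
    return acls


def check_control_plane_acls(policy, groups, acls):
    """Require a service-policy plus a mgmt and a data ACL that each end in 'deny ip any any log'."""
    findings = []
    if policy is None:
        findings.append("no service-policy applied to control-plane")
    for direction in ("mgmt", "data"):
        name = groups.get(direction)
        if name is None:
            findings.append(f"no control-plane ACL bound for {direction} in")
            continue
        entries = sorted(acls.get(name, []))
        if not entries:
            findings.append(f"ACL {name} ({direction}) is undefined or empty")
            continue
        _seq, action, rest, logged = entries[-1]
        if action != "deny" or not rest.startswith("ip any any"):
            findings.append(f"ACL {name} ({direction}) does not end with an explicit deny ip any any")
        elif not logged:
            findings.append(f"ACL {name} ({direction}): final deny is not logged")
    return findings


def audit(copp_text, cp_text, acl_text, org_max):
    """Run every check and return the list of finding strings (empty list means compliant)."""
    policy, groups = parse_control_plane(cp_text)
    return check_copp_rates(parse_copp_info(copp_text), org_max) + \
        check_control_plane_acls(policy, groups, parse_acls(acl_text))


if __name__ == "__main__":
    for finding in audit(COPP_INFO, RUNNING_CONTROL_PLANE, RUNNING_ACLS, ORG_MAX_PPS):
        print("FINDING:", finding)
```

On the constructed input this reports two findings: queue 4 (ICMP) is policed above the assumed ceiling, and no ACL is bound to the data path. Replace the three string constants with the real output of the three show commands and ORG_MAX_PPS with the ceilings from the organization's DoS safeguard definition; the "ends in a logged deny ip any any" test is a reasonable floor, but an ACL that permits everything before that line (as MGMT_TRAFFIC_FROM_DATA does here) still has to be read by a human.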

Fix Text

Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.

Create an appropriate QoS policy for CoPP:

OS10(config)# class-map type control-plane example-copp-class-map-name
OS10(config-cmap-control-plane)# exit
OS10(config)# policy-map type control-plane example-copp-policy-map-name
OS10(config-pmap-control-plane)# class example-copp-class-map-name
OS10(config-pmap-c)# set qos-group 2
OS10(config-pmap-c)# police cir 100 pir 100

Assign the control-plane service-policy:

OS10(config)# control-plane
OS10(conf-control-plane)# service-policy input example-copp-policy-map-name

Configure inbound ACLs to restrict which packets are allowed to reach the control plane from the OOBM management port and from the front-panel data ports:

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_OOBM
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log

OS10(config)# ip access-list MGMT_TRAFFIC_FROM_DATA
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# permit ...
OS10(config-ipv4-acl)# deny ... log
OS10(config-ipv4-acl)# deny ... log

Apply the ACLs to the ingress of the control-plane:

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_OOBM mgmt in
OS10(config-control-plane)# ip access-group MGMT_TRAFFIC_FROM_DATA data in