STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-269954

CAT II (Medium)

The Dell OS10 Switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

Rule ID

SV-269954r1052477_rule

STIG

Dell OS10 Switch Layer 2 Switch Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001095, CCI-004866

Discussion

DoS is a condition in which a resource is not available to legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

Satisfies: SRG-NET-000193-L2S-000020, SRG-NET-000705-L2S-000110

Check Content

Review the switch configuration to verify that QoS has been enabled to ensure that sufficient capacity is available for mission-critical traffic such as voice and enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

To verify that QoS has been enabled, review the configuration for each applicable interface to determine if service policies have been configured:

!
interface ethernet1/1/1
  ...
  ...
  service-policy input type qos 6Q_PolicyMapIn_dscp
  service-policy output type queuing 6Q_PolicyMapOut_100G
!

If the switch is not configured to implement a QoS policy, this is a finding.
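The manual review above can be automated against a saved `show running-config`. The script below is an added example, not part of the STIG or of STIGhub: it groups the OS10 config by indentation, then reports every ethernet interface that lacks an input qos policy or an output queuing policy, or that references a policy-map the config never defines. The running-config excerpt is constructed for the example, and the `6Q_PolicyMapIn_v2` name is a deliberately undefined reference.

```python
import re

# Constructed OS10 running-config excerpt (not a real device capture), using the
# policy names from the STIG example; ethernet1/1/2 is deliberately non-compliant.
SAMPLE_CONFIG = """\
policy-map type qos 6Q_PolicyMapIn_dscp
 class 6Q_Voice_dscp
  set qos-group 4
!
policy-map type queuing 6Q_PolicyMapOut_100G
 class 6Q_Voice
  bandwidth percent 20
!
interface ethernet1/1/1
 service-policy input type qos 6Q_PolicyMapIn_dscp
 service-policy output type queuing 6Q_PolicyMapOut_100G
!
interface ethernet1/1/2
 service-policy input type qos 6Q_PolicyMapIn_v2
!
"""

def parse_sections(text):
    """Group OS10 config into (header, [child lines]); '!' is only a separator."""
    sections, current = [], None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body == "!":
            continue
        if raw[0] not in " \t":          # column 0 starts a new block
            current = (body, [])
            sections.append(current)
        elif current is not None:        # indented lines belong to the block
            current[1].append(body)
    return sections

def audit_qos(text):
    """Return one finding string per gap; an empty list means the check passes."""
    sections = parse_sections(text)
    policy_maps = {h.split()[-1] for h, _ in sections if h.startswith("policy-map ")}
    findings = []
    for header, kids in sections:
        if header.startswith("interface ethernet"):
            applied = dict(re.findall(r"service-policy (input|output) type \S+ (\S+)", " ".join(kids)))
            for direction in ("input", "output"):
                if direction not in applied:
                    findings.append(f"{header}: no {direction} service-policy")
                elif applied[direction] not in policy_maps:
                    findings.append(f"{header}: {direction} policy {applied[direction]} is undefined")
    return findings
```

Any non-empty result from `audit_qos` corresponds to a finding under this rule; run it over the saved running-config of each switch in scope.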

Fix Text

Implement a QoS policy for traffic prioritization and bandwidth reservation. This policy must enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

An example QoS configuration follows.

Define an input policy to classify traffic on ingress:

!
class-map type qos 6Q_BestEffort_dscp
 match ip-any dscp 0
!
class-map type qos 6Q_NetworkControl_dscp
 match ip-any dscp 48
!
class-map type qos 6Q_PreferData_dscp
 match ip-any dscp 16
!
class-map type qos 6Q_Scavenger_dscp
 match ip-any dscp 8
!
class-map type qos 6Q_Video_dscp
 match ip-any dscp 38
!
class-map type qos 6Q_Voice_dscp
 match ip-any dscp 49
!
class-map type queuing 6Q_BestEffort
 match queue 1
!
class-map type queuing 6Q_NetworkControl
 match queue 5
!
class-map type queuing 6Q_PreferData
 match queue 2
!
class-map type queuing 6Q_Scavenger
 match queue 0
!
class-map type queuing 6Q_Video
 match queue 3
!
class-map type queuing 6Q_Voice
 match queue 4
!
policy-map type qos 6Q_PolicyMapIn_dscp
!
 class 6Q_Scavenger_dscp
  set qos-group 0
 !
 class 6Q_BestEffort_dscp
  set qos-group 1
 !
 class 6Q_PreferData_dscp
  set qos-group 2
 !
 class 6Q_Video_dscp
  set qos-group 3
 !
 class 6Q_Voice_dscp
  set qos-group 4
 !
 class 6Q_Voice_dscp_15
  set qos-group 4
  set dscp 45
 !
 class 6Q_NetworkControl_dscp
  set qos-group 5
!

Define an output policy to configure class-specific traffic shaping on egress.

!
policy-map type queuing 6Q_PolicyMapOut_100G
!
 class 6Q_Scavenger
  bandwidth percent 10
  shape min mbps 10000 max mbps 10000
 !
 class 6Q_BestEffort
  bandwidth percent 20
 !
 class 6Q_NetworkControl
  bandwidth percent 5
  shape min mbps 5000 max mbps 5000
 !
 class 6Q_PreferData
  bandwidth percent 30
  shape min mbps 30000 max mbps 30000
 !
 class 6Q_Video
  bandwidth percent 15
  shape min mbps 15000 max mbps 15000
 !
 class 6Q_Voice
  bandwidth percent 20
  shape min mbps 20000 max mbps 20000
 !
 
Apply input and output policies to physical interfaces.

!
interface ethernet1/1/1
  ...
  ...
  service-policy input type qos 6Q_PolicyMapIn_dscp
  service-policy output type queuing 6Q_PolicyMapOut_100G
!