Skip to content
Log In

CCI-001095

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

29 rules found Severity: Medium

Logo

The Arista Multilayer Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

1 rule found Severity: Medium

Logo

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

1 rule found Severity: Medium

Logo

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

1 rule found Severity: Medium

Logo

Docker Enterprise container health must be checked at runtime.

1 rule found Severity: Medium

Logo

PIDs cgroup limits must be used in Docker Enterprise.

1 rule found Severity: Medium

Logo

The FortiGate firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The HP FlexFabric Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

2 rules found Severity: Medium

Logo

The Infoblox system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The IBM z/VM TCP/IP FOREIGNIPCONLIMIT statement must be properly configured.

1 rule found Severity: Medium

Logo

The IBM z/VM TCP/IP PERSISTCONNECTIONLIMIT statement must be properly configured.

1 rule found Severity: Medium

Logo

The IBM z/VM TCP/IP PENDINGCONNECTIONLIMIT statement must be properly configured.

1 rule found Severity: Medium

Logo

The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

1 rule found Severity: Medium

Logo

Exchange Message size restrictions must be controlled on Receive connectors.

5 rules found Severity: Low

Logo

Exchange Receive connectors must control the number of recipients per message.

2 rules found Severity: Low

Logo

Exchange Receive connectors must be clearly named.

3 rules found Severity: Low

Logo

The Exchange Receive Connector Maximum Hop Count must be 60.

3 rules found Severity: Low

Logo

Exchange Send connectors must be clearly named.

3 rules found Severity: Low

Logo

Exchange Send connectors delivery retries must be controlled.

3 rules found Severity: Low

Logo

Exchange Message size restrictions must be controlled on Send connectors.

2 rules found Severity: Low

Logo

The Exchange Send connector connections count must be limited.

2 rules found Severity: Low

Logo

The Exchange global inbound message size must be controlled.

3 rules found Severity: Low

Logo

The Exchange global outbound message size must be controlled.

3 rules found Severity: Low

Logo

The Exchange Outbound Connection Limit per Domain Count must be controlled.

3 rules found Severity: Low

Logo

The Exchange Outbound Connection Timeout must be 10 minutes or less.

3 rules found Severity: Low

Logo

Exchange Outbound Connection Timeout must be 10 minutes or less.

3 rules found Severity: Medium

Logo

Exchange Outbound Connection Limit per Domain Count must be controlled.

2 rules found Severity: Medium

Logo

Exchange Global Outbound Message size must be controlled.

1 rule found Severity: Low

Logo

Exchange Send connector connections count must be limited.

2 rules found Severity: Low

Logo

Exchange message size restrictions must be controlled on Send connectors.

2 rules found Severity: Low

Logo

Exchange Receive connector Maximum Hop Count must be 60.

2 rules found Severity: Medium

Logo

Exchange Receive connectors must control the number of recipients chunked on a single message.

2 rules found Severity: Low

Logo

Exchange Receive connectors must control the number of recipients per message.

2 rules found Severity: Medium

Logo

The Exchange Internet Receive connector connections count must be set to default.

2 rules found Severity: Low

Logo

The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload.

1 rule found Severity: Medium

Logo

Nutanix AOS must be configured to use syncookies to limit denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The SEL-2740S -must be configured to limit excess bandwidth and denial of service (DoS) attacks.

1 rule found Severity: Medium

Logo

The bandwidth consumption for the Tanium Server must be limited.

1 rule found Severity: Medium

Logo

The bandwidth consumption for the Tanium Application server must be limited.

1 rule found Severity: Medium

Logo

The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of Denial of Service (DoS) attacks.

2 rules found Severity: Medium

Logo

The Tanium Operating System (TanOS) must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

2 rules found Severity: Medium

Logo

The NSX-T Distributed Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

1 rule found Severity: Medium

Logo

The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

1 rule found Severity: Medium

Logo

The NSX-T Tier-1 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The NSX-T Tier-0 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

1 rule found Severity: Medium

Logo

The NSX-T Tier-0 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Ubuntu operating system must be configured to use TCP syncookies.

2 rules found Severity: Medium

Logo

The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The MPLS router with RSVP-TE enabled must be configured with message pacing or refresh reduction to adjust maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.

2 rules found Severity: Low

Logo

The PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

3 rules found Severity: Medium

Logo

The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.

1 rule found Severity: Low

Logo

The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.

1 rule found Severity: Low

Logo

A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to block outbound traffic containing denial-of-service (DoS) attacks by ensuring an intrusion prevention policy has been applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.

3 rules found Severity: Low

Logo

The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.

2 rules found Severity: Medium

Logo

The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.

3 rules found Severity: Low

Logo

The Cisco P router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.

3 rules found Severity: Low

Logo

The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

2 rules found Severity: Medium

Logo

The MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches.

2 rules found Severity: Low

Logo

The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.

2 rules found Severity: Medium

Logo

The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.

3 rules found Severity: Low

Logo

The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.

3 rules found Severity: Low

Logo

The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

3 rules found Severity: Medium

Logo

The DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

1 rule found Severity: Medium

Logo

The F5 BIG-IP DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.

1 rule found Severity: High

Logo

AIX must set Stack Execution Disable (SED) system wide mode to all.

1 rule found Severity: Medium

Logo

The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Juniper MPLS router with RSVP-TE enabled must be configured to enable refresh reduction features.

2 rules found Severity: Low

Logo

The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.

2 rules found Severity: Medium

Logo

The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

2 rules found Severity: Medium

Logo

The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.

1 rule found Severity: Low

Logo

The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.

2 rules found Severity: Low

Logo

The layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload.

1 rule found Severity: Medium

Logo

Windows DNS response rate limiting (RRL) must be enabled.

1 rule found Severity: Medium

Logo

A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.

1 rule found Severity: Low

Logo

Multicast register messages must be rate limited per each source-group (S, G) entry.

1 rule found Severity: Medium

Logo

The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.

1 rule found Severity: Medium

Logo

The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.

1 rule found Severity: Medium

Logo

Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.

1 rule found Severity: Low

Logo

The PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.

1 rule found Severity: Medium

Logo

The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DoDIN Technical Profile.

1 rule found Severity: Low

Logo

The P router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.

1 rule found Severity: Low

Logo

The SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.

1 rule found Severity: Medium

Logo

SLEM 5 must be configured to use TCP syncookies.

1 rule found Severity: Medium

Logo

The TPS must block outbound traffic containing known and unknown denial-of-service (DoS) attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The TOSS operating system must be configured to use TCP syncookies.

1 rule found Severity: Medium

Logo

NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The web service design must include redundancy mechanisms when used with high-availability systems.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must be configured to use TCP syncookies.

1 rule found Severity: Medium

Logo

The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must be configured to use TCP syncookies.

1 rule found Severity: Medium

Logo

The container must have resource request limits set.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

1 rule found Severity: Medium

Logo

AOS must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

IBM z/OS Policy agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

1 rule found Severity: Medium

Logo

The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.

2 rules found Severity: Medium

Logo

The Juniper P router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.

1 rule found Severity: Low

Logo

The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that anomaly-based attack objects are applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

Exchange Outbound Connection limit per Domain Count must be controlled.

1 rule found Severity: Medium

Logo

Exchange receive connector maximum hop count must be 60.

1 rule found Severity: Medium

Logo

Exchange receive connectors must control the number of recipients per message.

1 rule found Severity: Medium

Logo

Exchange send connector connections count must be limited.

1 rule found Severity: Medium

Logo

Exchange message size restrictions must be controlled on Send connectors.

1 rule found Severity: Medium

Logo

Exchange send connectors delivery retries must be controlled.

1 rule found Severity: Medium

Logo

Exchange receive connectors must be clearly named.

1 rule found Severity: Medium

Logo

Exchange receive connectors must control the number of recipients chunked on a single message.

1 rule found Severity: Medium

Logo

The Exchange internet receive connector connections count must be set to default.

1 rule found Severity: Medium

Logo

Exchange Message size restrictions must be controlled on receive connectors.

1 rule found Severity: Medium

Logo

The Exchange send connector connections count must be limited.

1 rule found Severity: Low

Logo

Exchange receive connectors must control the number of recipients per message.

1 rule found Severity: Low

Logo

Exchange message size restrictions must be controlled on send connectors.

1 rule found Severity: Low

Logo

The Palo Alto Networks security platform must have a denial-of-service (DoS) Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.

1 rule found Severity: Medium

Logo

A firewall must be able to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring OL 8 can implement rate-limiting measures on impacted network interfaces.

1 rule found Severity: Medium

Logo

RHEL 9 must be configured to use TCP syncookies.

1 rule found Severity: Medium

Logo

The SUSE operating system must be configured to use TCP syncookies.

2 rules found Severity: Medium

Logo

The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

2 rules found Severity: Medium

Logo

The VMM must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks.

1 rule found Severity: Medium

Logo

The NSX Tier-0 Gateway Firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: High

Logo

The NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: High

Logo

The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Photon operating system must use Transmission Control Protocol (TCP) syncookies.

1 rule found Severity: Medium

Logo

The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).

3 rules found Severity: Medium

Logo

The Photon operating system must be configured to use TCP syncookies.

2 rules found Severity: Medium

Logo