Capacity
CCI-001095
Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
22
Rule
Severity: Medium
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
1
Rule
Severity: Medium
The Arista Multilayer Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
4
Rule
Severity: Low
The MPLS router with RSVP-TE enabled must be configured with message pacing or refresh reduction to adjust maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
4
Rule
Severity: Medium
The PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
2
Rule
Severity: Low
The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.
2
Rule
Severity: Low
The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.
2
Rule
Severity: Medium
The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
2
Rule
Severity: Medium
The web service design must include redundancy mechanisms when used with high-availability systems.
2
Rule
Severity: Medium
A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1
Rule
Severity: Medium
Docker Enterprise container health must be checked at runtime.
1
Rule
Severity: Medium
PIDs cgroup limits must be used in Docker Enterprise.
2
Rule
Severity: Medium
The DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
2
Rule
Severity: Medium
The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The FortiGate firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
2
Rule
Severity: Medium
The HP FlexFabric Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
1
Rule
Severity: Medium
The Infoblox system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The IBM z/VM TCP/IP FOREIGNIPCONLIMIT statement must be properly configured.
1
Rule
Severity: Medium
The IBM z/VM TCP/IP PERSISTCONNECTIONLIMIT statement must be properly configured.
1
Rule
Severity: Medium
The IBM z/VM TCP/IP PENDINGCONNECTIONLIMIT statement must be properly configured.
2
Rule
Severity: Medium
The IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.
1
Rule
Severity: Medium
The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that anomaly-based attack objects are applied to outbound communications traffic.
4
Rule
Severity: Low
The Juniper MPLS router with RSVP-TE enabled must be configured to enable refresh reduction features.
4
Rule
Severity: Medium
The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.
3
Rule
Severity: Low
The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.
3
Rule
Severity: Low
The Juniper P router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.
4
Rule
Severity: Medium
The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
2
Rule
Severity: Medium
The layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
6
Rule
Severity: Low
Exchange Message size restrictions must be controlled on Receive connectors.
2
Rule
Severity: Low
Exchange Receive connectors must control the number of recipients per message.
3
Rule
Severity: Low
Exchange Receive connectors must be clearly named.
4
Rule
Severity: Low
The Exchange Receive Connector Maximum Hop Count must be 60.
3
Rule
Severity: Low
Exchange Send connectors must be clearly named.
3
Rule
Severity: Low
Exchange Send connectors delivery retries must be controlled.
2
Rule
Severity: Low
Exchange Message size restrictions must be controlled on Send connectors.
2
Rule
Severity: Low
The Exchange Send connector connections count must be limited.
4
Rule
Severity: Low
The Exchange global inbound message size must be controlled.
4
Rule
Severity: Low
The Exchange global outbound message size must be controlled.
4
Rule
Severity: Low
The Exchange Outbound Connection Limit per Domain Count must be controlled.
4
Rule
Severity: Low
The Exchange Outbound Connection Timeout must be 10 minutes or less.
4
Rule
Severity: Medium
Exchange Outbound Connection Timeout must be 10 minutes or less.
2
Rule
Severity: Medium
Exchange Outbound Connection Limit per Domain Count must be controlled.
1
Rule
Severity: Low
Exchange Global Outbound Message size must be controlled.
2
Rule
Severity: Low
Exchange Send connector connections count must be limited.
2
Rule
Severity: Low
Exchange message size restrictions must be controlled on Send connectors.
2
Rule
Severity: Medium
Exchange Receive connector Maximum Hop Count must be 60.
2
Rule
Severity: Low
Exchange Receive connectors must control the number of recipients chunked on a single message.
2
Rule
Severity: Medium
Exchange Receive connectors must control the number of recipients per message.
2
Rule
Severity: Low
The Exchange Internet Receive connector connections count must be set to default.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload.
1
Rule
Severity: Medium
Nutanix AOS must be configured to use syncookies to limit denial-of-service (DoS) attacks.
2
Rule
Severity: Medium
The PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.
2
Rule
Severity: Low
The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DoDIN Technical Profile.
2
Rule
Severity: Low
The P router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.
2
Rule
Severity: Medium
The SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.
1
Rule
Severity: Medium
The SEL-2740S -must be configured to limit excess bandwidth and denial of service (DoS) attacks.
1
Rule
Severity: Medium
The bandwidth consumption for the Tanium Server must be limited.
2
Rule
Severity: Medium
The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The bandwidth consumption for the Tanium Application server must be limited.
2
Rule
Severity: Medium
The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of Denial of Service (DoS) attacks.
1
Rule
Severity: Medium
The TPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.
2
Rule
Severity: Medium
The Tanium Operating System (TanOS) must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
1
Rule
Severity: Medium
The NSX-T Distributed Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
The NSX-T Tier-1 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
3
Rule
Severity: Medium
The Ubuntu operating system must be configured to use TCP syncookies.
2
Rule
Severity: Medium
The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The Cisco ASA must be configured to block outbound traffic containing DoS attacks by ensuring an intrusion prevention policy has been applied to outbound communications traffic.
6
Rule
Severity: Low
The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
6
Rule
Severity: Low
The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.
6
Rule
Severity: Low
The Cisco P router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.
4
Rule
Severity: Medium
The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
2
Rule
Severity: Medium
The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks.
6
Rule
Severity: Low
The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.
6
Rule
Severity: Low
The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications.
6
Rule
Severity: Medium
The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
4
Rule
Severity: Medium
The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.
2
Rule
Severity: Medium
The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.
4
Rule
Severity: Low
The MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches.
4
Rule
Severity: Medium
The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.
2
Rule
Severity: Medium
The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
2
Rule
Severity: Medium
AIX must set Stack Execution Disable (SED) system wide mode to all.
2
Rule
Severity: Medium
IBM z/OS Policy agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
4
Rule
Severity: Medium
The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
2
Rule
Severity: Low
The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.
2
Rule
Severity: Low
The Exchange send connector connections count must be limited.
2
Rule
Severity: Low
Exchange receive connectors must control the number of recipients per message.
2
Rule
Severity: Low
Exchange message size restrictions must be controlled on send connectors.
2
Rule
Severity: Medium
Exchange Outbound Connection limit per Domain Count must be controlled.
2
Rule
Severity: Medium
Exchange receive connector maximum hop count must be 60.
2
Rule
Severity: Medium
Exchange receive connectors must control the number of recipients per message.
2
Rule
Severity: Medium
Exchange send connector connections count must be limited.
2
Rule
Severity: Medium
Exchange message size restrictions must be controlled on Send connectors.
2
Rule
Severity: Medium
Exchange send connectors delivery retries must be controlled.
2
Rule
Severity: Medium
Exchange receive connectors must be clearly named.
2
Rule
Severity: Medium
Exchange receive connectors must control the number of recipients chunked on a single message.
2
Rule
Severity: Medium
The Exchange internet receive connector connections count must be set to default.
2
Rule
Severity: Medium
Exchange Message size restrictions must be controlled on receive connectors.
2
Rule
Severity: Low
A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.
2
Rule
Severity: Medium
Multicast register messages must be rate limited per each source-group (S, G) entry.
2
Rule
Severity: Medium
The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.
2
Rule
Severity: Medium
The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.
2
Rule
Severity: Low
Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.
2
Rule
Severity: Medium
A firewall must be able to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring OL 8 can implement rate-limiting measures on impacted network interfaces.
1
Rule
Severity: Medium
The Palo Alto Networks security platform must have a DoS Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.
2
Rule
Severity: Medium
RHEL 9 must be configured to use TCP syncookies.
4
Rule
Severity: Medium
The SUSE operating system must be configured to use TCP syncookies.
4
Rule
Severity: Medium
The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
2
Rule
Severity: Medium
The VMM must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks.
1
Rule
Severity: Medium
The Photon operating system must use Transmission Control Protocol (TCP) syncookies.
4
Rule
Severity: Medium
The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
3
Rule
Severity: Medium
The Photon operating system must be configured to use TCP syncookies.
2
Rule
Severity: Medium
The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload.
2
Rule
Severity: Medium
Windows DNS response rate limiting (RRL) must be enabled.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must be configured to use TCP syncookies.
1
Rule
Severity: Medium
The Cisco ASA must be configured to block outbound traffic containing denial-of-service (DoS) attacks by ensuring an intrusion prevention policy has been applied to outbound communications traffic.
1
Rule
Severity: Medium
The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The F5 BIG-IP DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: High
The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The Palo Alto Networks security platform must have a denial-of-service (DoS) Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.
1
Rule
Severity: Medium
SLEM 5 must be configured to use TCP syncookies.
1
Rule
Severity: Medium
The TPS must block outbound traffic containing known and unknown denial-of-service (DoS) attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.
1
Rule
Severity: Medium
The TOSS operating system must be configured to use TCP syncookies.
1
Rule
Severity: Medium
The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: High
The NSX Tier-0 Gateway Firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: High
The NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules