CCI-002385
Protect against or limit the effects of organization-defined types of denial of service events.
13 rules found Severity: Medium
The A10 Networks ADC must protect against TCP and UDP Denial of Service (DoS) attacks by employing Source-IP based connection-rate limiting.
1 rule found Severity: High
The A10 Networks ADC must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
1 rule found Severity: Medium
The A10 Networks ADC must protect against ICMP-based Denial of Service (DoS) attacks by employing ICMP Rate Limiting.
1 rule found Severity: High
Kona Site Defender providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1 rule found Severity: Medium
Kona Site Defender providing content filtering must protect against known types of denial-of-service (DoS) attacks by employing signatures.
1 rule found Severity: Medium
The Arista Multilayer Switch must ensure all Exterior Border Gateway Protocol (eBGP) routers are configured to use Generalized TTL Security Mechanism (GTSM) or are configured to meet RFC3682.
1 rule found Severity: Medium
The CA API Gateway must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the CA API Gateway management network by employing organization-defined security safeguards.
1 rule found Severity: Medium
The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1 rule found Severity: Medium
The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
1 rule found Severity: Medium
1 rule found Severity: Medium
The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).
1 rule found Severity: Medium
The FortiGate device must protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The FortiGate firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1 rule found Severity: High
The HP FlexFabric Switch must have Root Guard enabled on all ports where the root bridge should not appear.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The HP FlexFabric Switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources as well as rate-limit DHCP traffic.
1 rule found Severity: Medium
The HP FlexFabric Switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
1 rule found Severity: Medium
1 rule found Severity: Medium
The HP FlexFabric Switch must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the HP FlexFabric Switch management network by employing organization-defined security safeguards.
1 rule found Severity: Medium
The HP FlexFabric Switch must protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.
1 rule found Severity: Medium
The HP FlexFabric Switch must ensure all Exterior Border Gateway Protocol (eBGP) HP FlexFabric Switches are configured to use Generalized TTL Security Mechanism (GTSM).
1 rule found Severity: Medium
The DataPower Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
1 rule found Severity: High
The DataPower Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
1 rule found Severity: Medium
The DataPower Gateway providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures.
1 rule found Severity: Medium
The DataPower Gateway providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors.
1 rule found Severity: Medium
The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster.
1 rule found Severity: Medium
The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards.
1 rule found Severity: Medium
The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster.
1 rule found Severity: Low
1 rule found Severity: Medium
The WebSphere Application Server memory session settings must be defined according to application load requirements.
1 rule found Severity: Low
The WebSphere Application Server thread pool size must be defined according to application load requirements.
1 rule found Severity: Medium
The Sentry must implement load balancing to limit the effects of known and unknown types of Denial-of-Service (DoS) attacks.
2 rules found Severity: Low
6 rules found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
Nutanix AOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
1 rule found Severity: Medium
Oracle WebLogic must protect the integrity and availability of publicly available information and applications.
1 rule found Severity: Medium
Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
1 rule found Severity: Medium
Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
1 rule found Severity: Medium
Riverbed Optimization System (RiOS) must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the network device management network by employing organization-defined security safeguards.
1 rule found Severity: Medium
1 rule found Severity: Medium
SEL-2740S flow rules must include the host IP addresses that are bound to designated SEL-2740S ports for ensuring trusted host access.
1 rule found Severity: Medium
The SEL-2740S must be configured with ARP flow rules that are statically created with valid IP-to-MAC address bindings.
1 rule found Severity: Medium
The SEL-2740S must be configured to permit the maintenance and diagnostics communications to specified OTSDN Controller(s).
1 rule found Severity: Medium
Symantec ProxySG providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1 rule found Severity: Medium
Symantec ProxySG must implement load balancing to limit the effects of known and unknown types of denial-of-service (DoS) attacks.
1 rule found Severity: Medium
Tanium must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
1 rule found Severity: Medium
1 rule found Severity: Medium
The Tanium web server must be tuned to handle the operational requirements of the hosted application.
2 rules found Severity: Medium
The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a Denial of Service (DoS) condition at the server.
1 rule found Severity: Medium
1 rule found Severity: Medium
The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial of service (DoS) condition at the server.
2 rules found Severity: Medium
The Tanium Operating System (TanOS) must protect against or limit the effects of denial of service (DoS) attacks by employing organization-defined security safeguards.
2 rules found Severity: Medium
The NSX-T Distributed Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1 rule found Severity: Medium
The NSX-T Manager must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The NSX-T Tier-1 Gateway Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1 rule found Severity: Medium
The NSX-T Tier-0 Gateway Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1 rule found Severity: Medium
The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
1 rule found Severity: Medium
The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
1 rule found Severity: Medium
The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
1 rule found Severity: Medium
The NSX-T Tier-0 Gateway must be configured to use the BGP maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
1 rule found Severity: Medium
The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.
2 rules found Severity: Medium
The BIG-IP appliance must be configured to protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the BIG-IP appliance management network by limiting the number of concurrent sessions.
1 rule found Severity: High
If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set.
1 rule found Severity: Low
The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session.
2 rules found Severity: Medium
The BIG-IP Core implementation must be configured to protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis when providing content filtering to virtual servers.
1 rule found Severity: High
The BIG-IP Core implementation must be configured to implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks to virtual servers.
1 rule found Severity: High
The BIG-IP Core implementation must be configured to protect against known types of Denial of Service (DoS) attacks by employing signatures when providing content filtering to virtual servers.
1 rule found Severity: High
The BIG-IP Core implementation must be configured to protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors when providing content filtering to virtual servers.
1 rule found Severity: High
The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.
1 rule found Severity: Medium
The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1 rule found Severity: Medium
The Arista MLS switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
1 rule found Severity: Low
The Arista MLS layer 2 switch must have BPDU Guard enabled on all switch ports connecting to access layer switches and hosts.
1 rule found Severity: Medium
1 rule found Severity: Medium
The Arista MLS layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
1 rule found Severity: Medium
The Arista MLS layer 2 switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
1 rule found Severity: Medium
The Arista MLS layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
1 rule found Severity: Medium
The Arista router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Low
The Arista router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
1 rule found Severity: Medium
The Arista router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
1 rule found Severity: Medium
The Arista router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
1 rule found Severity: Medium
The Arista BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
1 rule found Severity: Medium
The Arista BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
1 rule found Severity: Low
The multicast Rendezvous Point (RP) Arista router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
1 rule found Severity: Low
The Arista multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
1 rule found Severity: Medium
1 rule found Severity: Low
1 rule found Severity: High
The Cisco ASA must be configured to protect against known types of denial-of-service (DoS) attacks by enabling the Threat Detection feature.
1 rule found Severity: Medium
The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches.
2 rules found Severity: Low
2 rules found Severity: Medium
3 rules found Severity: Medium
The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
3 rules found Severity: Medium
The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
3 rules found Severity: Medium
The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
3 rules found Severity: Medium
The Cisco switch must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
2 rules found Severity: Medium
The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
2 rules found Severity: High
2 rules found Severity: Medium
3 rules found Severity: Low
The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.
3 rules found Severity: Medium
The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.
2 rules found Severity: Medium
The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.
3 rules found Severity: Medium
3 rules found Severity: Low
The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.
3 rules found Severity: Medium
The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.
3 rules found Severity: Medium
The Cisco router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.
3 rules found Severity: Medium
The Cisco BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
3 rules found Severity: Medium
The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
2 rules found Severity: Low
The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
2 rules found Severity: Low
The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
1 rule found Severity: Low
The Cisco multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
4 rules found Severity: Medium
The Cisco multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
3 rules found Severity: Medium
The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
3 rules found Severity: Medium
3 rules found Severity: Low
1 rule found Severity: Low
The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
2 rules found Severity: Medium
The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer.
2 rules found Severity: Low
The Cisco PE switch must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
2 rules found Severity: Low
The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
2 rules found Severity: Low
The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
3 rules found Severity: Medium
The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
2 rules found Severity: Medium
The Cisco ISE must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.
1 rule found Severity: Medium
The F5 BIG-IP appliance providing content filtering must employ rate-based attack prevention behavior analysis.
1 rule found Severity: Medium
The F5 BIG-IP appliance providing content filtering must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing pattern recognition pre-processors.
1 rule found Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organizationally defined security safeguards.
1 rule found Severity: Medium
The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1 rule found Severity: High
The F5 BIG-IP appliance must be configured to limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number.
1 rule found Severity: Medium
AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
1 rule found Severity: Medium
The ICS must be configured to protect against known types of denial-of-service (DoS) attacks by enabling JITC mode.
1 rule found Severity: High
The Juniper EX switch must be configured to enable Root Protection on STP switch ports connecting to access layer switches.
1 rule found Severity: Low
The Juniper EX switch must be configured to enable BPDU Protection on all user-facing or untrusted access switch ports.
1 rule found Severity: Medium
The Juniper EX switch must be configured to enable STP Loop Protection on all non-designated STP switch ports.
1 rule found Severity: Medium
The Juniper EX switch must be configured not to forward unknown unicast traffic to access interfaces.
1 rule found Severity: Medium
The Juniper EX switch must be configured to enable DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
1 rule found Severity: Medium
The Juniper EX switch must be configured to enable IP Source Guard on all user-facing or untrusted access VLANs.
1 rule found Severity: Medium
The Juniper EX switch must be configured to enable Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on all user VLANs.
1 rule found Severity: Medium
The Juniper EX switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
1 rule found Severity: Medium
The Juniper router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
1 rule found Severity: Medium
The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
2 rules found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Low
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
1 rule found Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
1 rule found Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
1 rule found Severity: Medium
The Juniper BGP router must be configured to use the prefix limit feature to protect against route table flooding and prefix deaggregation attacks.
1 rule found Severity: Medium
The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
2 rules found Severity: Low
The Juniper PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
1 rule found Severity: Low
The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries.
1 rule found Severity: Low
The Juniper multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
2 rules found Severity: Medium
The Juniper multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
2 rules found Severity: Medium
The Juniper multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
1 rule found Severity: Medium
2 rules found Severity: Low
The layer 2 switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
1 rule found Severity: Low
The layer 2 switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
1 rule found Severity: Medium
The layer 2 switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
1 rule found Severity: Medium
The layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
1 rule found Severity: Medium
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
1 rule found Severity: High
Access to web administration tools must be restricted to the web manager and the web managers designees.
1 rule found Severity: Medium
The IIS 10.0 web server must be tuned to handle the operational requirements of the hosted application.
1 rule found Severity: Medium
2 rules found Severity: Low
Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
1 rule found Severity: Low
The network device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
1 rule found Severity: High
1 rule found Severity: Medium
The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.
1 rule found Severity: Medium
The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.
1 rule found Severity: Medium
Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.
1 rule found Severity: Low
The Oracle Linux operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
The Riverbed NetProfiler must be configured to protect against known types of denial-of-service (DOS) attacks by restricting web and SSH access to the appliance.
1 rule found Severity: Medium
The Automation Controller NGINX web server must be protected from being stopped by a nonprivileged user.
1 rule found Severity: Medium
Automation Controller must be configured to fail over to another system in the event of log subsystem failure.
1 rule found Severity: Medium
The router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
1 rule found Severity: Medium
The router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Low
The router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
1 rule found Severity: Medium
The router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
1 rule found Severity: Medium
The router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
1 rule found Severity: Medium
The BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
1 rule found Severity: Medium
The BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
1 rule found Severity: Low
The PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
1 rule found Severity: Low
The multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
1 rule found Severity: Low
The multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
1 rule found Severity: Medium
The multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
1 rule found Severity: Medium
The multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
1 rule found Severity: Medium
1 rule found Severity: Low
The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications.
1 rule found Severity: Medium
The TPS must protect against or limit the effects of known types of denial-of-service (DoS) attacks by employing signatures.
1 rule found Severity: Medium
The TippingPoint SMS must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
1 rule found Severity: Medium
1 rule found Severity: Medium
A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring TOSS can implement rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
The Apache web server must be tuned to handle the operational requirements of the hosted application.
3 rules found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
The application server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The ALG providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1 rule found Severity: Medium
The ALG must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
1 rule found Severity: Medium
The ALG providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures.
1 rule found Severity: Medium
The ALG providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors.
1 rule found Severity: Medium
1 rule found Severity: Medium
Ubuntu 22.04 LTS must configure the Uncomplicated Firewall (ufw) to rate-limit impacted network interfaces.
1 rule found Severity: Medium
The Cisco router must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The Cisco router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
2 rules found Severity: Medium
The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
2 rules found Severity: High
2 rules found Severity: Medium
The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
2 rules found Severity: Low
The Cisco switch must have Bridge Protocol Data Unit (BPDU) Guard enabled on all user-facing or untrusted access switch ports.
1 rule found Severity: Medium
1 rule found Severity: Medium
The Cisco switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
2 rules found Severity: Medium
1 rule found Severity: Medium
The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
1 rule found Severity: Low
The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer.
1 rule found Severity: Low
The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
1 rule found Severity: Medium
The Cisco BGP switch must be configured to check whether a single-hop eBGP peer is directly connected.
1 rule found Severity: Low
AlmaLinux OS 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
1 rule found Severity: Medium
The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The Dell OS10 Switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
1 rule found Severity: Low
The Dell OS10 Switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The Dell OS10 Switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
1 rule found Severity: Medium
The Dell OS10 Switch must have Source Address Validation (SAV) enabled on all user-facing or untrusted access switch ports.
1 rule found Severity: Medium
The Dell OS10 Switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
1 rule found Severity: Medium
The firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1 rule found Severity: High
The Dell OS10 Switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The Dell OS10 Router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
1 rule found Severity: Medium
The Dell OS10 Router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Low
The Dell OS10 Router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
1 rule found Severity: Medium
The Dell OS10 BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix deaggregation attacks.
1 rule found Severity: Medium
The Dell OS10 BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
1 rule found Severity: Low
The Dell OS10 multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
1 rule found Severity: Medium
AOS must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1 rule found Severity: Medium
The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based attack detection.
1 rule found Severity: Medium
The IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.
1 rule found Severity: Medium
IBM z/OS Policy agent must contain a policy that protects against or limits the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.
1 rule found Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.
1 rule found Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.
1 rule found Severity: Medium
The Juniper router must be configured to protect against known types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.
1 rule found Severity: Medium
The Juniper BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
1 rule found Severity: Medium
The Juniper PE router must be configured to implement Protocol Independent Multicast (PIM) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
1 rule found Severity: Low
The Juniper multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
1 rule found Severity: Low
The Juniper multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
1 rule found Severity: Medium
The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by implementing statistics-based screens.
1 rule found Severity: High
The Juniper SRX Services Gateway Firewall must implement load balancing on the perimeter firewall, at a minimum, to limit the effects of known and unknown types of denial-of-service (DoS) attacks on the network.
1 rule found Severity: Medium
The Juniper SRX Services Gateway Firewall must protect against known types of denial-of-service (DoS) attacks by implementing signature-based screens.
1 rule found Severity: High
The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1 rule found Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based detection.
1 rule found Severity: Medium
The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring IBM z/OS is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.
1 rule found Severity: Medium
The Juniper SRX Services Gateway must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.
1 rule found Severity: Medium
The Juniper SRX Services Gateway must limit the number of sessions per minute to an organization-defined number for SSH to protect remote access management from unauthorized access.
1 rule found Severity: Medium
The Juniper SRX Services Gateway must implement service redundancy to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself.
1 rule found Severity: Low
1 rule found Severity: Medium
1 rule found Severity: Low
Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
1 rule found Severity: Low
Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers.
1 rule found Severity: Low
The DBMS must protect against or limit the effects of organization-defined types of Denial of Service (DoS) attacks.
1 rule found Severity: Medium
The configuration integrity of the container platform must be ensured and compliance policies must be configured.
1 rule found Severity: High
The Palo Alto Networks security platform must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1 rule found Severity: High
The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats.
2 rules found Severity: Medium
OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.
1 rule found Severity: Medium
OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.
1 rule found Severity: Medium
The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
1 rule found Severity: Medium
A firewall must be able to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring OL 8 can implement rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
1 rule found Severity: Medium
A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: High
The NSX Manager must be configured to protect against denial-of-service (DoS) attacks by limit the number of concurrent sessions to an organization-defined number.
1 rule found Severity: Medium
The VMM must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the VMM is implementing rate-limiting measures on impacted network interfaces.
1 rule found Severity: Medium
The NSX Tier-0 Gateway Firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1 rule found Severity: High
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
1 rule found Severity: Medium
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
1 rule found Severity: Medium
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
1 rule found Severity: Medium
The NSX Tier-0 Gateway router must be configured to use the Border Gateway Protocol (BGP) maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
1 rule found Severity: Medium
The NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1 rule found Severity: High
The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1 rule found Severity: Medium
1 rule found Severity: Medium
The vCenter ESX Agent Manager service must limit the number of maximum concurrent connections permitted.
2 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium
2 rules found Severity: Medium