Skip to content
Log In

CCI-004866

Employ organization-defined controls by type of denial-of-service to achieve the denial-of-service objective.

The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to block outbound traffic containing denial-of-service (DoS) attacks by ensuring an intrusion prevention policy has been applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

2 rules found Severity: High

Logo

The ICS must be configured to limit the number of concurrent sessions for user accounts to one.

1 rule found Severity: Medium

Logo

The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.

1 rule found Severity: High

Logo

The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Juniper router must be configured to restrict traffic destined to itself.

1 rule found Severity: High

Logo

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

1 rule found Severity: Medium

Logo

The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.

1 rule found Severity: High

Logo

The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces.

1 rule found Severity: Medium

Logo

The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).

1 rule found Severity: High

Logo

The Juniper perimeter router must be configured to block all packets with any IP options.

1 rule found Severity: Medium

Logo

The Juniper PE router must be configured to ignore or block all packets with any IP options.

1 rule found Severity: Medium

Logo

The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

2 rules found Severity: Medium

Logo

The Juniper router must be configured to have IP directed broadcast disabled on all interfaces.

1 rule found Severity: Low

Logo

The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries.

1 rule found Severity: Low

Logo

The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

1 rule found Severity: Low

Logo

The layer 2 switch must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective.

1 rule found Severity: Medium

Logo

The router must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

1 rule found Severity: Medium

Logo

The SDN controller must be configured to employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

1 rule found Severity: Medium

Logo

The TPS must protect against or limit the effects of known types of denial-of-service (DoS) attacks by employing signatures.

1 rule found Severity: Medium

Logo

The TPS must block outbound traffic containing known and unknown denial-of-service (DoS) attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

The ALG must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

1 rule found Severity: Medium

Logo

The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

2 rules found Severity: High

Logo

The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

1 rule found Severity: Medium

Logo

The firewall must be configured to employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective.

1 rule found Severity: Medium

Logo

The IDPS must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by implementing statistics-based screens.

1 rule found Severity: High

Logo

The Juniper SRX Services Gateway Firewall must implement load balancing on the perimeter firewall, at a minimum, to limit the effects of known and unknown types of denial-of-service (DoS) attacks on the network.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway Firewall must protect against known types of denial-of-service (DoS) attacks by implementing signature-based screens.

1 rule found Severity: High

Logo

The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based detection.

1 rule found Severity: Medium

Logo

The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must protect against the use of internal systems for launching denial-of-service (DoS) attacks against external networks or endpoints.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must block phone home traffic.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

1 rule found Severity: High

Logo

The Palo Alto Networks security platform must have a denial-of-service (DoS) Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats.

1 rule found Severity: Medium

Logo

The VPN Gateway must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

1 rule found Severity: Medium

Logo