The Dell OS10 Switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

An XCCDF Rule

Description

DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages). Satisfies: SRG-NET-000193-L2S-000020, SRG-NET-000705-L2S-000110

ID: SV-269954r1052477_rule
Version: OS10-L2S-000040
Severity: Medium
References: CCI-001095 CCI-004866
Updated: about 2 months ago

Remediation Templates

Implement a QoS policy for traffic prioritization and bandwidth reservation. This policy must enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

An example QOS configuration follows.

Define an input policy to classify traffic on ingress:
!
class-map type qos 6Q_BestEffort_dscp
 match ip-any dscp 0
!
class-map type qos 6Q_NetworkControl_dscp
 match ip-any dscp 48
!
class-map type qos 6Q_PreferData_dscp
 match ip-any dscp 16
!
class-map type qos 6Q_Scavenger_dscp
 match ip-any dscp 8
!
class-map type qos 6Q_Video_dscp
 match ip-any dscp 38
!
class-map type qos 6Q_Voice_dscp
 match ip-any dscp 49
!
class-map type queuing 6Q_BestEffort
 match queue 1
!
class-map type queuing 6Q_NetworkControl
 match queue 5
!
class-map type queuing 6Q_PreferData
 match queue 2
!
class-map type queuing 6Q_Scavenger
 match queue 0
!
class-map type queuing 6Q_Video
 match queue 3
!
class-map type queuing 6Q_Voice
 match queue 4
!
policy-map type qos 6Q_PolicyMapIn_dscp
!
 class 6Q_Scavenger_dscp
  set qos-group 0
 !
 class 6Q_BestEffort_dscp
  set qos-group 1
 !
 class 6Q_PreferData_dscp
  set qos-group 2
 !
 class 6Q_Video_dscp
  set qos-group 3
 !
 class 6Q_Voice_dscp
  set qos-group 4
 !
 class 6Q_Voice_dscp_15
  set qos-group 4
  set dscp 45
 !
 class 6Q_NetworkControl_dscp
  set qos-group 5
  
Define an output policy to configure class-specific traffic shaping on egress.

!
policy-map type queuing 6Q_PolicyMapOut_100G
!
 class 6Q_Scavenger
  bandwidth percent 10
  shape min mbps 10000 max mbps 10000
 !
 class 6Q_BestEffort
  bandwidth percent 20
 !
 class 6Q_NetworkControl
  bandwidth percent 5
  shape min mbps 5000 max mbps 5000
 !
 class 6Q_PreferData
  bandwidth percent 30
  shape min mbps 30000 max mbps 30000
 !
 class 6Q_Video
  bandwidth percent 15
  shape min mbps 15000 max mbps 15000
 !
 class 6Q_Voice
  bandwidth percent 20
  shape min mbps 20000 max mbps 20000
 !
 
Apply input and output policies to physical interfaces.

!
interface ethernet1/1/1
  ...
  ...
  service-policy input type qos 6Q_PolicyMapIn_dscp
  service-policy output type queuing 6Q_PolicyMapOut_100G
!

The Dell OS10 Switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

Description

Remediation Templates

A Manual Procedure