The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks.
An XCCDF Rule
Description
A firewall experiencing a DoS attack will not be able to handle its production traffic load. The high resource and CPU utilization caused by a DoS attack will also affect the control-plane keep-alives and timers used for neighbor peering, resulting in route flapping that eventually black-holes production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity.

Satisfies: SRG-NET-000193-FW-000030, SRG-NET-000192-FW-000029, SRG-NET-000362-FW-000028
- ID: SV-265618r993951_rule
- Version: NDFW-4X-000015
- Severity: Medium
Remediation Templates
A Manual Procedure
To create a new Flood Protection profile:
From the NSX Manager web interface, navigate to Security >> Settings >> General Settings >> Firewall >> Flood Protection >> Add Profile >> Add Firewall Profile.
Enter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit.
Enable SYN Cache and RST Spoofing, configure the "Applied To" field with the appropriate security groups, and click "Save".
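One way to audit existing profiles against this rule from an API export rather than by clicking through the UI, added here as an example and not VMware's or the STIG's own code. It assumes the JSON shape and field names of the NSX Policy API's DistributedFloodProtectionProfile (tcp_half_open_conn_limit, udp_active_flow_limit, icmp_active_flow_limit, other_active_conn_limit, enable_syncache, enable_rst_spoofing) and that a limit of 0 means "unlimited"; confirm both against your NSX release before relying on it.

```python
import json

# Added example for this rule, not VMware code. Field names follow the NSX
# Policy API's DistributedFloodProtectionProfile as assumed here; confirm them
# against your NSX release. A limit of 0 is assumed to mean "no limit".
LIMIT_FIELDS = ("tcp_half_open_conn_limit", "udp_active_flow_limit",
                "icmp_active_flow_limit", "other_active_conn_limit")
FLAG_FIELDS = ("enable_syncache", "enable_rst_spoofing")


def check_profile(profile: dict) -> list:
    """Return findings for one profile; an empty list means compliant."""
    findings = []
    name = profile.get("display_name") or profile.get("id", "<unnamed>")
    for field in LIMIT_FIELDS:
        value = profile.get(field)
        if type(value) is not int or value <= 0:  # type() check also rejects bool
            findings.append(f"{name}: {field} is unset or unlimited ({value!r})")
    for field in FLAG_FIELDS:
        if profile.get(field) is not True:
            findings.append(f"{name}: {field} is not enabled")
    return findings


def check_profiles(api_json: str) -> dict:
    """Check every DFW profile in a GET .../flood-protection-profiles reply."""
    results = {}
    for profile in json.loads(api_json).get("results", []):
        if profile.get("resource_type") != "DistributedFloodProtectionProfile":
            continue  # gateway profiles are outside this DFW rule's scope
        results[profile["id"]] = check_profile(profile)
    return results


# Constructed sample reply: one hardened profile, one with UDP unlimited (0) and RST spoofing off.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"resource_type": "DistributedFloodProtectionProfile", "id": "dfw-flood-ok",
     "display_name": "dfw-flood-ok", "tcp_half_open_conn_limit": 1000000,
     "udp_active_flow_limit": 1000000, "icmp_active_flow_limit": 10000,
     "other_active_conn_limit": 10000, "enable_syncache": True,
     "enable_rst_spoofing": True},
    {"resource_type": "DistributedFloodProtectionProfile", "id": "dfw-flood-weak",
     "display_name": "dfw-flood-weak", "tcp_half_open_conn_limit": 1000000,
     "udp_active_flow_limit": 0, "icmp_active_flow_limit": 10000,
     "other_active_conn_limit": 10000, "enable_syncache": True,
     "enable_rst_spoofing": False},
]})

print(check_profiles(SAMPLE_RESPONSE))
```

Profiles that pass this check still need a binding to the intended security groups (the "Applied To" step above), which this script does not verify.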