The A10 Networks ADC must enable DDoS filters.

An XCCDF Rule

Description

<VulnDiscussion>If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-237051r639600_rule
Severity: Medium
References: CCI-002385
Updated: about 1 year ago

The following commands configure DDoS filters:
ip anomaly-drop ip-option
ip anomaly-drop land-attack
ip anomaly-drop ping-of-death
ip anomaly-drop frag
ip anomaly-drop tcp-no-flagip anomaly-drop tcp-syn-fin
ip anomaly-drop tcp-syn-frag
ip anomaly-drop out-of-sequence [threshold]
ip anomaly-drop ping-of-death
ip anomaly-drop zero-window [threshold]
ip anomaly-drop bad-content

Note: Thresholds are specific to the expected traffic for the system or enclave.

The A10 Networks ADC must enable DDoS filters.

Description

Remediation - Manual Procedure