DISA STIGS Viewer

The PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

Overview

Finding ID: V-269870
Version: OS10-RTR-000340
Rule ID: SV-269870r1052434_rule
IA Controls: (none listed)
Severity: Medium
Description
DoS is a condition in which a resource is not available to legitimate users. Packet-flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks: their objective is to overload a network or circuit so as to deny, or seriously degrade, the services that normally traverse it. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets.

Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity remains available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them with rate limiting, QoS, or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity caused by accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

Satisfies: SRG-NET-000193-RTR-000112, SRG-NET-000193-RTR-000113, SRG-NET-000193-RTR-000114

STIG: Dell OS10 Switch Router Security Technical Implementation Guide
Date: 2024-12-11

Details

Check Text (C-73903r1052434_chk)
Review the router configuration and interview the system administrator to verify that a mechanism for traffic prioritization and bandwidth reservation exists.

Verify that the QoS class-maps classify traffic by DSCP, protocol, or access control lists (ACLs) that identify traffic types by port, and that the queuing class-maps map each queue to a class, as in the following example:

!
class-map type qos 6Q_BestEffort_dscp
match ip-any dscp 0
!
class-map type qos 6Q_NetworkControl_dscp
match ip-any dscp 48
!
class-map type qos 6Q_PreferData_dscp
match ip-any dscp 16
!
class-map type qos 6Q_Scavenger_dscp
match ip-any dscp 8
!
class-map type qos 6Q_Video_dscp
match ip-any dscp 38
!
class-map type qos 6Q_Voice_dscp
match ip-any dscp 49
!
class-map type qos 6Q_Voice_dscp_15
match ip-any dscp 15
!
class-map type queuing 6Q_BestEffort
match queue 1
!
class-map type queuing 6Q_NetworkControl
match queue 5
!
class-map type queuing 6Q_PreferData
match queue 2
!
class-map type queuing 6Q_Scavenger
match queue 0
!
class-map type queuing 6Q_Unused_6
match queue 6
!
class-map type queuing 6Q_Unused_7
match queue 7
!
class-map type queuing 6Q_Video
match queue 3
!
class-map type queuing 6Q_Voice
match queue 4
!

Verify that the QoS policy-map assigns each class-map to a qos-group (rewriting the DSCP value where required) and that the queuing policy-map reserves bandwidth for each queue, in accordance with the QoS GIG Technical Profile:

policy-map type qos 6Q_PolicyMapIn_dscp
!
class 6Q_Scavenger_dscp
set qos-group 0
!
class 6Q_BestEffort_dscp
set qos-group 1
!
class 6Q_PreferData_dscp
set qos-group 2
!
class 6Q_Video_dscp
set qos-group 3
!
class 6Q_Voice_dscp
set qos-group 4
!
class 6Q_Voice_dscp_15
set qos-group 4
set dscp 45
!
class 6Q_NetworkControl_dscp
set qos-group 5
!
policy-map type queuing 6Q_PolicyMapOut_100G
!
class 6Q_Scavenger
bandwidth percent 10
shape min mbps 10000 max mbps 10000
!
class 6Q_BestEffort
bandwidth percent 18
!
class 6Q_NetworkControl
bandwidth percent 5
shape min mbps 5000 max mbps 5000
!
class 6Q_PreferData
bandwidth percent 30
shape min mbps 30000 max mbps 30000
!
class 6Q_Unused_6
bandwidth percent 1
!
class 6Q_Unused_7
bandwidth percent 1
!
class 6Q_Video
bandwidth percent 15
shape min mbps 15000 max mbps 15000
!
class 6Q_Voice
bandwidth percent 20
shape min mbps 20000 max mbps 20000
!

Verify that input and output service policies are bound to the appropriate interfaces.

!
interface ethernet1/1/2
service-policy input type qos 6Q_PolicyMapIn_dscp
service-policy output type queuing 6Q_PolicyMapOut_100G
!

Note: The GTP QOS document (GTP-0009) can be downloaded via the following link:
https://intellipedia.intelink.gov/wiki/Portal:GIG_Technical_Guidance/GTG_GTPs/GTP_Development_List

If the router is not configured to implement a QoS policy in accordance with the QoS GIG Technical Profile, this is a finding.
Fix Text (F-73804r1051994_fix)
Implement a mechanism for traffic prioritization and bandwidth reservation. This mechanism must enforce the traffic priorities specified by the Combatant Commands/Services/Agencies.

Step 1: Configure QoS class-maps to match on DSCP values as shown in the configuration example below:

OS10(config)# class-map type qos 6Q_BestEffort_dscp
OS10(config-cmap-qos)# match ip-any dscp 0
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_NetworkControl_dscp
OS10(config-cmap-qos)# match ip-any dscp 48
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_PreferData_dscp
OS10(config-cmap-qos)# match ip-any dscp 16
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Scavenger_dscp
OS10(config-cmap-qos)# match ip-any dscp 8
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Video_dscp
OS10(config-cmap-qos)# match ip-any dscp 38
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Voice_dscp
OS10(config-cmap-qos)# match ip-any dscp 49
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Voice_dscp_15
OS10(config-cmap-qos)# match ip-any dscp 15
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# exit
OS10(config)#

Step 2: Configure a QoS policy-map that maps each traffic class to a qos-group (rewriting the DSCP value where required):

OS10(config)# policy-map type qos 6Q_PolicyMapIn_dscp
OS10(config-pmap-qos)# !
OS10(config-pmap-qos)# class 6Q_Scavenger_dscp
OS10(config-pmap-c-qos)# set qos-group 0
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_BestEffort_dscp
OS10(config-pmap-c-qos)# set qos-group 1
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_PreferData_dscp
OS10(config-pmap-c-qos)# set qos-group 2
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Video_dscp
OS10(config-pmap-c-qos)# set qos-group 3
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Voice_dscp
OS10(config-pmap-c-qos)# set qos-group 4
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Voice_dscp_15
OS10(config-pmap-c-qos)# set qos-group 4
OS10(config-pmap-c-qos)# set dscp 45
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_NetworkControl_dscp
OS10(config-pmap-c-qos)# set qos-group 5
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# exit
OS10(config-pmap-qos)# exit

Step 3: Configure queuing class-maps as shown in the configuration example below:

OS10(config)# class-map type queuing 6Q_Scavenger
OS10(config-cmap-queuing)# match queue 0
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_BestEffort
OS10(config-cmap-queuing)# match queue 1
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_PreferData
OS10(config-cmap-queuing)# match queue 2
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_Video
OS10(config-cmap-queuing)# match queue 3
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_Voice
OS10(config-cmap-queuing)# match queue 4
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_NetworkControl
OS10(config-cmap-queuing)# match queue 5
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# exit
OS10(config)#

Step 4: Configure a queuing policy-map that reserves bandwidth for each queue:

OS10(config)# policy-map type queuing 6Q_PolicyMapOut_100G
OS10(config-pmap-queuing)# !
OS10(config-pmap-queuing)# class 6Q_Scavenger
OS10(config-pmap-c-que)# bandwidth percent 10
OS10(config-pmap-c-que)# shape min mbps 10000 max mbps 10000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_BestEffort
OS10(config-pmap-c-que)# bandwidth percent 20
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_NetworkControl
OS10(config-pmap-c-que)# bandwidth percent 5
OS10(config-pmap-c-que)# shape min mbps 5000 max mbps 5000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_PreferData
OS10(config-pmap-c-que)# bandwidth percent 30
OS10(config-pmap-c-que)# shape min mbps 30000 max mbps 30000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_Video
OS10(config-pmap-c-que)# bandwidth percent 15
OS10(config-pmap-c-que)# shape min mbps 15000 max mbps 15000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_Voice
OS10(config-pmap-c-que)# bandwidth percent 20
OS10(config-pmap-c-que)# shape min mbps 20000 max mbps 20000
OS10(config-pmap-c-que)# !

Step 5: Apply the input and output service policies to all interfaces, as shown for one interface in the configuration example below:

OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# service-policy input type qos 6Q_PolicyMapIn_dscp
OS10(conf-if-eth1/1/2)# service-policy output type queuing 6Q_PolicyMapOut_100G
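The following Python script is an added example for this page; it is not part of the STIG and is not Dell or DISA tooling. It parses running-configuration text in the form shown in the Check Text (class-map, policy-map and interface blocks separated by "!") and reports the gaps the check would flag: a class in the QoS policy-map with no DSCP match criteria or no qos-group, a qos-group that no queuing class-map serves, a queuing policy-map whose bandwidth percentages do not sum to 100, and an ethernet interface missing the input QoS or output queuing service-policy. It can be run against the output of Steps 1 through 5 in the Fix Text as well as during the Check. The sample configuration is constructed, abridged from the page's example to two classes, and the rule that every "ethernet" interface must carry both policies is this example's reading of Step 5, not a stated Dell or DISA rule.

```python
"""Audit Dell OS10 running-config text for the QoS structure this STIG checks.
Assumes 'show running-configuration' text in the form shown in the Check Text
(blocks separated by '!'); every 'ethernet' interface is expected to carry an
input qos policy and an output queuing policy (this example's assumption)."""
import re

PATTERNS = [  # (attribute, regex) for the config lines the audit cares about
    ("dscp", r"match ip-any dscp (\d+)"),
    ("queue", r"match queue (\d+)"),
    ("qos_group", r"set qos-group (\d+)"),
    ("percent", r"bandwidth percent (\d+)"),
    ("input", r"service-policy input type (qos|queuing) (\S+)"),
    ("output", r"service-policy output type (qos|queuing) (\S+)"),
]


def parse_os10(text):
    """Group lines into blocks keyed by (keyword, type, name); each 'class'
    inside a policy-map gets its own sub-dict. Values are the regex groups."""
    blocks, cur, cls = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] in ("class-map", "policy-map"):  # e.g. class-map type qos NAME
            cur, cls = (t[0], t[2], t[3]), None
            blocks[cur] = {}
        elif t[0] == "interface":  # 'ethernet 1/1/2' and 'ethernet1/1/2' are one port
            cur, cls = ("interface", None, "".join(t[1:])), None
            blocks[cur] = {}
        elif cur is None:
            continue
        elif t[0] == "class":  # class entry inside a policy-map
            cls = t[1]
            blocks[cur][cls] = {}
        else:
            target = blocks[cur][cls] if cls else blocks[cur]
            for key, pat in PATTERNS:
                m = re.fullmatch(pat, line)
                if m:
                    target[key] = m.groups()
    return blocks


def audit(text):
    """Return a list of findings; an empty list means the structure the Check
    Text asks for (DSCP classes -> qos-groups -> queues with reserved bandwidth,
    bound on every ethernet interface) is present."""
    b = parse_os10(text)

    def pick(kw, ty):
        return {n: v for (k, t, n), v in b.items() if (k, t) == (kw, ty)}

    qos_cmap, que_cmap = pick("class-map", "qos"), pick("class-map", "queuing")
    qos_pmap, que_pmap = pick("policy-map", "qos"), pick("policy-map", "queuing")
    served = {int(v["queue"][0]) for v in que_cmap.values() if "queue" in v}
    out = []
    for p, classes in qos_pmap.items():
        for c, a in classes.items():
            if "dscp" not in qos_cmap.get(c, {}):
                out.append(f"{p}/{c}: class-map has no DSCP match criteria")
            if "qos_group" not in a:
                out.append(f"{p}/{c}: sets no qos-group")
            elif int(a["qos_group"][0]) not in served:
                out.append(f"{p}/{c}: qos-group {a['qos_group'][0]} has no queuing class-map")
    for p, classes in que_pmap.items():
        total = sum(int(a.get("percent", ("0",))[0]) for a in classes.values())
        if total != 100:
            out.append(f"{p}: bandwidth percents sum to {total}, not 100")
    for (k, _, n), a in b.items():
        if k != "interface" or not n.startswith("ethernet"):
            continue
        if a.get("input", ("",))[0] != "qos" or a["input"][1] not in qos_pmap:
            out.append(f"{n}: no input qos service-policy bound")
        if a.get("output", ("",))[0] != "queuing" or a["output"][1] not in que_pmap:
            out.append(f"{n}: no output queuing service-policy bound")
    return out


# Constructed sample, abridged from the page's example to two classes.
SAMPLE_OK = """\
class-map type qos 6Q_BestEffort_dscp
 match ip-any dscp 0
!
class-map type qos 6Q_Voice_dscp
 match ip-any dscp 49
!
class-map type queuing 6Q_BestEffort
 match queue 1
!
class-map type queuing 6Q_Voice
 match queue 4
!
policy-map type qos 6Q_PolicyMapIn_dscp
 class 6Q_BestEffort_dscp
  set qos-group 1
 class 6Q_Voice_dscp
  set qos-group 4
!
policy-map type queuing 6Q_PolicyMapOut_100G
 class 6Q_BestEffort
  bandwidth percent 80
 class 6Q_Voice
  bandwidth percent 20
!
interface ethernet 1/1/2
 service-policy input type qos 6Q_PolicyMapIn_dscp
 service-policy output type queuing 6Q_PolicyMapOut_100G
!
"""
# Same config with three deliberate defects: an unserved qos-group,
# under-allocated bandwidth, and a missing output policy.
SAMPLE_BAD = (SAMPLE_OK.replace("set qos-group 4", "set qos-group 3")
              .replace("bandwidth percent 80", "bandwidth percent 50")
              .replace(" service-policy output type queuing 6Q_PolicyMapOut_100G\n", ""))

if __name__ == "__main__":
    for name, cfg in (("compliant", SAMPLE_OK), ("non-compliant", SAMPLE_BAD)):
        print(name, "->", audit(cfg) or "no findings")
```

Feed it the saved output of `show running-configuration` and treat any non-empty result as a finding to investigate; the bandwidth-sum check catches the common mistake of adding a queue without rebalancing the others, which silently leaves capacity unreserved and defeats the point of the policy.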