The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-206726	SRG-NET-000362-SDN-000720	SV-206726r856676_rule		Medium

Description

The SDN Controller is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control-plane processes. It is also instrumental with network management and provisioning functions that keep the SDN-enabled network elements and links available for providing network services. Any disruption to the SDN Controller can result in mission-critical network outages. A DoS attack targeting the SDN Controller can result in excessive CPU and memory utilization. The SDN Controller must be configured to rate-limit control-plane traffic destined to itself to mitigate the risk of a DoS attack and ensure network stability.

STIG	Date
SDN Controller Security Requirements Guide	2024-05-28

Details

Check Text (C-6983r363116_chk)

Review the SDN controller configuration to determine if it is configured to rate-limit control-plane messages.

If the SDN controller is not configured to rate-limit control-plane messages, this is a finding.

Fix Text (F-6983r363117_fix)

Configure the SDN controller to rate-limit control-plane messages.