OS10-RTR-000340 - The PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

Information

DoS is a condition in which a resource is not available to legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets.

Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, QoS, or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

Satisfies: SRG-NET-000193-RTR-000112, SRG-NET-000193-RTR-000113, SRG-NET-000193-RTR-000114

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Implement a mechanism for traffic prioritization and bandwidth reservation. This mechanism must enforce the traffic priorities specified by the Combatant Commands/Services/Agencies.

Step 1: Configure QoS class-maps to match on DSCP values, as shown in the configuration example below. The DSCP values, class names and bandwidth percentages used throughout this example are illustrative; replace them with the markings and priorities specified in the organization's QoS policy:

OS10(config)# class-map type qos 6Q_BestEffort_dscp
OS10(config-cmap-qos)# match ip-any dscp 0
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_NetworkControl_dscp
OS10(config-cmap-qos)# match ip-any dscp 48
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_PreferData_dscp
OS10(config-cmap-qos)# match ip-any dscp 16
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Scavenger_dscp
OS10(config-cmap-qos)# match ip-any dscp 8
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Video_dscp
OS10(config-cmap-qos)# match ip-any dscp 38
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Voice_dscp
OS10(config-cmap-qos)# match ip-any dscp 49
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# class-map type qos 6Q_Voice_dscp_15
OS10(config-cmap-qos)# match ip-any dscp 15
OS10(config-cmap-qos)# !
OS10(config-cmap-qos)# exit
OS10(config)#

Step 2: Configure a QoS policy-map that maps each QoS class to a qos-group. The qos-group number selects the egress queue that the queuing class-maps in Step 3 match on.

OS10(config)# policy-map type qos 6Q_PolicyMapIn_dscp
OS10(config-pmap-qos)# !
OS10(config-pmap-qos)# class 6Q_Scavenger_dscp
OS10(config-pmap-c-qos)# set qos-group 0
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_BestEffort_dscp
OS10(config-pmap-c-qos)# set qos-group 1
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_PreferData_dscp
OS10(config-pmap-c-qos)# set qos-group 2
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Video_dscp
OS10(config-pmap-c-qos)# set qos-group 3
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Voice_dscp
OS10(config-pmap-c-qos)# set qos-group 4
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_Voice_dscp_15
OS10(config-pmap-c-qos)# set qos-group 4
OS10(config-pmap-c-qos)# set dscp 45
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# class 6Q_NetworkControl_dscp
OS10(config-pmap-c-qos)# set qos-group 5
OS10(config-pmap-c-qos)# !
OS10(config-pmap-c-qos)# exit
OS10(config-pmap-qos)# exit

Step 3: Configure queuing class-maps, one per egress queue, as shown in the configuration example below:

OS10(config)# class-map type queuing 6Q_Scavenger
OS10(config-cmap-queuing)# match queue 0
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_BestEffort
OS10(config-cmap-queuing)# match queue 1
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_PreferData
OS10(config-cmap-queuing)# match queue 2
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_Video
OS10(config-cmap-queuing)# match queue 3
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_Voice
OS10(config-cmap-queuing)# match queue 4
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# class-map type queuing 6Q_NetworkControl
OS10(config-cmap-queuing)# match queue 5
OS10(config-cmap-queuing)# !
OS10(config-cmap-queuing)# exit
OS10(config)#

Step 4: Configure a queuing policy-map that reserves bandwidth for each queue. The bandwidth percentages must not exceed 100 in total; the example below reserves exactly 100 percent across the six queues, and the shape values assume a 100G interface.

OS10(config)# policy-map type queuing 6Q_PolicyMapOut_100G
OS10(config-pmap-queuing)# !
OS10(config-pmap-queuing)# class 6Q_Scavenger
OS10(config-pmap-c-que)# bandwidth percent 10
OS10(config-pmap-c-que)# shape min mbps 10000 max mbps 10000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_BestEffort
OS10(config-pmap-c-que)# bandwidth percent 20
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_NetworkControl
OS10(config-pmap-c-que)# bandwidth percent 5
OS10(config-pmap-c-que)# shape min mbps 5000 max mbps 5000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_PreferData
OS10(config-pmap-c-que)# bandwidth percent 30
OS10(config-pmap-c-que)# shape min mbps 30000 max mbps 30000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_Video
OS10(config-pmap-c-que)# bandwidth percent 15
OS10(config-pmap-c-que)# shape min mbps 15000 max mbps 15000
OS10(config-pmap-c-que)# !
OS10(config-pmap-c-que)# class 6Q_Voice
OS10(config-pmap-c-que)# bandwidth percent 20
OS10(config-pmap-c-que)# shape min mbps 20000 max mbps 20000
OS10(config-pmap-c-que)# !

Step 5: Apply the input QoS service policy and the output queuing service policy to every interface. The configuration example below shows one interface; repeat for each interface that carries traffic:

OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# service-policy input type qos 6Q_PolicyMapIn_dscp
OS10(conf-if-eth1/1/2)# service-policy output type queuing 6Q_PolicyMapOut_100G
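The check a reviewer would run after Step 5, as an added example that is not part of the STIG, the Nessus plugin, or Dell's OS10 software: a Python audit of a saved `show running-configuration` capture that verifies the queuing policy reserves bandwidth for every queue and that each Ethernet interface carries both service policies. The configuration text in the block is a constructed sample approximating OS10 output; its exact layout (`!` separators, indentation, interface naming) and the function names `parse_config` and `audit` are assumptions.

```python
"""Compliance check for OS10-RTR-000340 against a saved running-config.

Added illustrative example, not part of the STIG, Nessus or Dell OS10.
SAMPLE_RUNNING_CONFIG is a constructed sample that approximates
'show running-configuration' output; the line layout is an assumption,
so adjust the regexes if your device prints the sections differently.
"""
import re

# Constructed sample: one compliant interface, one missing the output
# queuing policy, one with no service policies at all.
SAMPLE_RUNNING_CONFIG = """\
class-map type qos 6Q_Voice_dscp
 match ip-any dscp 49
!
policy-map type qos 6Q_PolicyMapIn_dscp
 class 6Q_Voice_dscp
  set qos-group 4
!
class-map type queuing 6Q_Voice
 match queue 4
!
policy-map type queuing 6Q_PolicyMapOut_100G
 class 6Q_Scavenger
  bandwidth percent 10
 class 6Q_BestEffort
  bandwidth percent 20
 class 6Q_NetworkControl
  bandwidth percent 5
 class 6Q_PreferData
  bandwidth percent 30
 class 6Q_Video
  bandwidth percent 15
 class 6Q_Voice
  bandwidth percent 20
!
interface ethernet1/1/1
 no shutdown
 service-policy input type qos 6Q_PolicyMapIn_dscp
 service-policy output type queuing 6Q_PolicyMapOut_100G
!
interface ethernet1/1/2
 no shutdown
 service-policy input type qos 6Q_PolicyMapIn_dscp
!
interface ethernet 1/1/3
 shutdown
!
"""


def parse_config(text):
    """Return (queuing_policies, interfaces).

    queuing_policies: {policy_name: {class_name: bandwidth_percent}}
    interfaces:       {interface_name: {"input": policy, "output": policy}}
    """
    queuing, interfaces = {}, {}
    section, current_class = None, None  # section is ("queuing"|"interface", name)
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":              # assumed block terminator in OS10 output
            section = None
            continue
        if m := re.match(r"policy-map type queuing (\S+)$", line):
            section = ("queuing", m.group(1))
            queuing[m.group(1)] = {}
        elif m := re.match(r"interface (.+)$", line):
            name = m.group(1).replace(" ", "")   # "ethernet 1/1/3" -> "ethernet1/1/3"
            section = ("interface", name)
            interfaces[name] = {"input": None, "output": None}
        elif section and section[0] == "queuing":
            if m := re.match(r"class (\S+)$", line):
                current_class = m.group(1)
                queuing[section[1]].setdefault(current_class, 0)
            elif m := re.match(r"bandwidth percent (\d+)$", line):
                queuing[section[1]][current_class] = int(m.group(1))
        elif section and section[0] == "interface":
            if m := re.match(r"service-policy (input|output) type (qos|queuing) (\S+)$", line):
                interfaces[section[1]][m.group(1)] = m.group(3)
    return queuing, interfaces


def audit(text, qos_in, queuing_out, queues=6):
    """Return a list of findings; an empty list means the capture complies."""
    queuing, interfaces = parse_config(text)
    findings = []
    policy = queuing.get(queuing_out)
    if policy is None:
        findings.append(f"queuing policy {queuing_out} is not defined")
    else:
        if len(policy) < queues:
            findings.append(f"{queuing_out}: only {len(policy)} of {queues} queues have a class")
        total = sum(policy.values())
        if total > 100:
            findings.append(f"{queuing_out}: bandwidth percentages sum to {total} (> 100)")
        for cls, pct in policy.items():
            if pct == 0:
                findings.append(f"{queuing_out}: class {cls} reserves no bandwidth")
    ethernet = sorted(n for n in interfaces if n.startswith("ethernet"))
    if not ethernet:
        findings.append("no ethernet interfaces found in configuration")
    for name in ethernet:   # the STIG wants both policies on every interface
        sp = interfaces[name]
        if sp["input"] != qos_in:
            findings.append(f"{name}: input qos policy is {sp['input']}, expected {qos_in}")
        if sp["output"] != queuing_out:
            findings.append(f"{name}: output queuing policy is {sp['output']}, expected {queuing_out}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG, "6Q_PolicyMapIn_dscp", "6Q_PolicyMapOut_100G"):
        print("FINDING:", finding)
```

Run it against a capture of your own device (`show running-configuration` saved to a file and read into `audit`) with the policy names you actually deployed; shut-down interfaces are reported too, because the requirement is stated for all interfaces and an interface that is later enabled without the policies would otherwise go unnoticed.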

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Dell_OS10_Switch_Y24M12_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|II, CCI|CCI-001095, Rule-ID|SV-269870r1052434_rule, STIG-ID|OS10-RTR-000340, Vuln-ID|V-269870

Plugin: Dell_OS10

Control ID: e3773473f541a1890bdfe7f938ec6d771f5938570a9590a5e83d200be08e7009