JUEX-RT-000340 - The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

Information

DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets.

Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, QoS, or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Implement a mechanism for traffic prioritization and bandwidth reservation. This mechanism must enforce the traffic priorities specified by the Combatant Commands/Services/Agencies.

set class-of-service classifiers dscp <classifier name> forwarding-class NC loss-priority low code-points 110000
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority high code-points 101101
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority high code-points 101111
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority high code-points 100101
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority high code-points 100111
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority high code-points 110011
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority low code-points 101000
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority low code-points 100000
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority low code-points 101001
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority low code-points 101011
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority low code-points 100001
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority low code-points 100011
set class-of-service classifiers dscp <classifier name> forwarding-class EF loss-priority low code-points 110001
set class-of-service classifiers dscp <classifier name> forwarding-class AF41 loss-priority high code-points 100010
set class-of-service classifiers dscp <classifier name> forwarding-class AF41 loss-priority high code-points 100100
set class-of-service classifiers dscp <classifier name> forwarding-class AF41 loss-priority high code-points 100110
set class-of-service classifiers dscp <classifier name> forwarding-class AF41 loss-priority low code-points 011000
set class-of-service classifiers dscp <classifier name> forwarding-class AF41 loss-priority low code-points 101110
set class-of-service classifiers dscp <classifier name> forwarding-class AF41 loss-priority low code-points 011100
set class-of-service classifiers dscp <classifier name> forwarding-class AF41 loss-priority low code-points 011110
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 011101
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 011111
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 011010
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 010101
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 010111
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 010010
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 001101
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 001010
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority high code-points 010000
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority low code-points 001001
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority low code-points 001011
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority low code-points 010001
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority low code-points 010011
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority low code-points 011001
set class-of-service classifiers dscp <classifier name> forwarding-class AF31 loss-priority low code-points 011011
set class-of-service classifiers dscp <classifier name> forwarding-class BE loss-priority high code-points 000000
set class-of-service classifiers dscp <classifier name> forwarding-class Default loss-priority high code-points 001000
set class-of-service classifiers dscp <classifier name> forwarding-class dscp15 loss-priority high code-points 001111
Note: Some platforms apply DSCP values to both IPv4 and IPv6 traffic with a single classifier definition (as shown). Those platforms that support separating classifiers will require a 'dscp-ipv6' stanza.

set class-of-service host-outbound-traffic forwarding-class NC
set class-of-service host-outbound-traffic dscp-code-point 110000
set class-of-service shared-buffer ingress percent 50
set class-of-service shared-buffer ingress buffer-partition lossless percent 5
set class-of-service shared-buffer ingress buffer-partition lossless-headroom percent 0
set class-of-service shared-buffer ingress buffer-partition lossy percent 95
set class-of-service shared-buffer egress percent 100
set class-of-service shared-buffer egress buffer-partition lossless percent 50
set class-of-service shared-buffer egress buffer-partition lossy percent 45
set class-of-service shared-buffer egress buffer-partition multicast percent 5
Note: Some platforms only support shared-buffer percent, and cannot separate between ingress and egress. Not all devices require a shared-buffer stanza.

set class-of-service forwarding-classes class NC queue-num 7
set class-of-service forwarding-classes class EF queue-num 6
set class-of-service forwarding-classes class AF41 queue-num 5
set class-of-service forwarding-classes class AF31 queue-num 4
set class-of-service forwarding-classes class BE queue-num 0
set class-of-service forwarding-classes class Default queue-num 1
set class-of-service forwarding-classes class dscp15 queue-num 6

set class-of-service traffic-control-profiles <control profile name 1> scheduler-map <scheduler map name 1>
set class-of-service traffic-control-profiles <control profile name 1> shaping-rate percent 100
set class-of-service traffic-control-profiles <control profile name 2> scheduler-map <scheduler map name 2>
set class-of-service traffic-control-profiles <control profile name 2> guaranteed-rate percent 20

set class-of-service forwarding-class-sets <set name 1> class NC
set class-of-service forwarding-class-sets <set name 1> class EF
set class-of-service forwarding-class-sets <set name 1> class AF41
set class-of-service forwarding-class-sets <set name 1> class AF31
set class-of-service forwarding-class-sets <set name 1> class Default
set class-of-service forwarding-class-sets <set name 1> class dscp15
set class-of-service forwarding-class-sets <set name 2> class BE

set class-of-service interfaces <interface name> forwarding-class-set <set name 1> output-traffic-control-profile <control profile name 1>
set class-of-service interfaces <interface name> forwarding-class-set <set name 2> output-traffic-control-profile <control profile name 2>
set class-of-service interfaces <interface name> classifiers dscp <classifier name>
set class-of-service interfaces <interface name> rewrite-rules dscp <rewrite rule name>

set class-of-service rewrite-rules dscp <rewrite rule name> forwarding-class dscp15 loss-priority high code-point 101101
set class-of-service rewrite-rules dscp <rewrite rule name> forwarding-class EF loss-priority low code-point 110001
set class-of-service rewrite-rules dscp <rewrite rule name> forwarding-class AF41 loss-priority high code-point 100110
set class-of-service rewrite-rules dscp <rewrite rule name> forwarding-class NC loss-priority low code-point 110000
set class-of-service rewrite-rules dscp <rewrite rule name> forwarding-class AF31 loss-priority high code-point 010000
set class-of-service rewrite-rules dscp <rewrite rule name> forwarding-class Default loss-priority high code-point 001000

set class-of-service scheduler-maps <scheduler map name 1> forwarding-class NC scheduler NC
set class-of-service scheduler-maps <scheduler map name 1> forwarding-class EF scheduler EF
set class-of-service scheduler-maps <scheduler map name 1> forwarding-class AF41 scheduler AF41
set class-of-service scheduler-maps <scheduler map name 1> forwarding-class AF31 scheduler AF31
set class-of-service scheduler-maps <scheduler map name 1> forwarding-class Default scheduler Default
set class-of-service scheduler-maps <scheduler map name 2> forwarding-class BE scheduler BE

set class-of-service schedulers NC buffer-size percent 5
set class-of-service schedulers NC priority strict-high
set class-of-service schedulers EF shaping-rate percent 20
set class-of-service schedulers EF buffer-size percent 19
set class-of-service schedulers EF priority strict-high
set class-of-service schedulers AF41 shaping-rate percent 15
set class-of-service schedulers AF41 buffer-size percent 14
set class-of-service schedulers AF41 priority strict-high
set class-of-service schedulers AF31 shaping-rate percent 31
set class-of-service schedulers AF31 buffer-size percent 29
set class-of-service schedulers AF31 priority strict-high
set class-of-service schedulers BE transmit-rate percent 20
set class-of-service schedulers BE buffer-size percent 20
set class-of-service schedulers BE priority low
set class-of-service schedulers Default shaping-rate percent 10
set class-of-service schedulers Default buffer-size percent 9
set class-of-service schedulers Default priority strict-high

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|II, CCI|CCI-001095, CCI|CCI-004866, Rule-ID|SV-254006r997521_rule, STIG-ID|JUEX-RT-000340, Vuln-ID|V-254006

Plugin: Juniper

Control ID: e4859bde0781ad76ea85d98ec7c812630d6c1196447dfcbb6b35a66b629603a7