800-53|SC-5(2)

Title

EXCESS CAPACITY / BANDWIDTH / REDUNDANCY

Description

The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.

Supplemental

Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: DENIAL OF SERVICE PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.1.2 Configure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain	Windows	CIS Windows 8 L1 v1.0.0
3.123 - Auditing Access of Global System Objects must be turned off.	Windows	DISA Windows Vista STIG v6r41
3.124 - Audit of Backup and Restore Privileges is not turned off.	Windows	DISA Windows Vista STIG v6r41
5.2 SnapMirror - 'replication.throttle.enable = on'	NetApp	TNS NetApp Data ONTAP 7G
5.2 SnapMirror - 'replication.throttle.incoming.max_kbs has been configured'	NetApp	TNS NetApp Data ONTAP 7G
5.2 SnapMirror - 'replication.throttle.outgoing.max_kbs has been configured'	NetApp	TNS NetApp Data ONTAP 7G
AIX7-00-003096 - AIX must set Stack Execution Disable (SED) system wide mode to all.	Unix	DISA STIG AIX 7.x v3r1
Big Sur - Limit Impact of Denial of Service Attacks	Unix	NIST macOS Big Sur v1.4.0 - All Profiles
CASA-FW-000150 - The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.	Cisco	DISA STIG Cisco ASA FW v2r1
Catalina - Limit Impact of Denial of Service Attacks	Unix	NIST macOS Catalina v1.5.0 - All Profiles
CISC-L2-000040 - The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks.	Cisco	DISA STIG Cisco IOS Switch L2S v3r1
CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.	Cisco	DISA STIG Cisco IOS-XR Router RTR v3r2
CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.	Cisco	DISA STIG Cisco IOS XE Router RTR v3r2
CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.	Cisco	DISA STIG Cisco IOS Router RTR v3r2
CISC-RT-000610 - The MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches.	Cisco	DISA STIG Cisco IOS XE Switch RTR v3r1
CISC-RT-000700 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.	Cisco	DISA STIG Cisco NX-OS Switch RTR v3r2
DKER-EE-002770 - Docker Enterprise container health must be checked at runtime.	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix v2r2
EX13-EG-000105 - Exchange Global Outbound Message size must be controlled.	Windows	DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r6
EX13-EG-000140 - Exchange Receive connectors must be clearly named.	Windows	DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r6
EX13-EG-000145 - Exchange Receive connectors must control the number of recipients chunked on a single message.	Windows	DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r6
EX13-MB-000185 - Exchange Receive connectors must be clearly named.	Windows	DISA Microsoft Exchange 2013 Mailbox Server STIG v2r3
EX13-MB-000215 - The Exchange global inbound message size must be controlled.	Windows	DISA Microsoft Exchange 2013 Mailbox Server STIG v2r3
EX13-MB-000220 - The Exchange global outbound message size must be controlled.	Windows	DISA Microsoft Exchange 2013 Mailbox Server STIG v2r3
EX16-ED-000260 - Exchange Send connectors must be clearly named.	Windows	DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r5
EX16-ED-000290 - Exchange Receive connectors must control the number of recipients chunked on a single message.	Windows	DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r5
EX19-ED-000117 - Exchange receive connectors must be clearly named.	Windows	DISA Microsoft Exchange 2019 Edge Server STIG v2r1
EX19-ED-000118 - Exchange receive connectors must control the number of recipients chunked on a single message.	Windows	DISA Microsoft Exchange 2019 Edge Server STIG v2r1
GEN003612 - The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.	Unix	DISA STIG for Oracle Linux 5 v2r1
MaxClients parameter value should be configured to appropriate value.	Windows	TNS IBM HTTP Server Best Practice
MaxKeepAliveRequests parameter value should be appropriately configured.	Windows	TNS IBM HTTP Server Best Practice
MaxSpareServers parameter value should be appropriately configured.	Windows	TNS IBM HTTP Server Best Practice
MinSpareServers parameter value should be appropriately configured.	Windows	TNS IBM HTTP Server Best Practice
Monterey - Limit Impact of Denial of Service Attacks	Unix	NIST macOS Monterey v1.0.0 - All Profiles
OpenStack Identity - max_request_body_size set to default	Unix	TNS OpenStack Keystone/Identity Security Guide
PHTN-30-000036 - The Photon operating system must use Transmission Control Protocol (TCP) syncookies.	Unix	DISA STIG VMware vSphere 7.0 Photon OS v1r3
PHTN-67-000037 - The Photon operating system must use TCP syncookies.	Unix	DISA STIG VMware vSphere 6.7 Photon OS v1r6
StartServers parameter value should be appropriately configured.	Windows	TNS IBM HTTP Server Best Practice
WN12-SO-000007 - Auditing the Access of Global System Objects must be turned off.	Windows	DISA Windows Server 2012 and 2012 R2 DC STIG v3r7
WN12-SO-000007 - Auditing the Access of Global System Objects must be turned off.	Windows	DISA Windows Server 2012 and 2012 R2 MS STIG v3r7
WN12-SO-000008 - Auditing of Backup and Restore Privileges must be turned off.	Windows	DISA Windows Server 2012 and 2012 R2 MS STIG v3r7
WN12-SO-000008 - Auditing of Backup and Restore Privileges must be turned off.	Windows	DISA Windows Server 2012 and 2012 R2 DC STIG v3r7

Detections

Analytics