800-53|SC-5(2)

Title

EXCESS CAPACITY / BANDWIDTH / REDUNDANCY

Description

The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.

Supplemental

Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: DENIAL OF SERVICE PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

Name | Plugin | Audit Name
1.2.1.2 Configure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain | Windows | CIS Windows 8 L1 v1.0.0
3.123 - Auditing Access of Global System Objects must be turned off. | Windows | DISA Windows Vista STIG v6r41
3.124 - Audit of Backup and Restore Privileges is not turned off. | Windows | DISA Windows Vista STIG v6r41
5.2 SnapMirror - 'replication.throttle.enable = on' | NetApp | TNS NetApp Data ONTAP 7G
5.2 SnapMirror - 'replication.throttle.incoming.max_kbs has been configured' | NetApp | TNS NetApp Data ONTAP 7G
5.2 SnapMirror - 'replication.throttle.outgoing.max_kbs has been configured' | NetApp | TNS NetApp Data ONTAP 7G
AIX7-00-003096 - AIX must set Stack Execution Disable (SED) system wide mode to all. | Unix | DISA STIG AIX 7.x v2r9
AMLS-L3-000270 - The Arista Multilayer Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks - DoS attacks. | Arista | DISA STIG Arista MLS DCS-7000 Series RTR v1r4
ARST-L2-000030 - The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1
ARST-RT-000290 - The MPLS router with RSVP-TE enabled must be configured with message pacing or refresh reduction to adjust maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers. | Arista | DISA STIG Arista MLS EOS 4.2x Router v2r1
ARST-RT-000300 - The PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | Arista | DISA STIG Arista MLS EOS 4.2x Router v2r1
ARST-RT-000310 - The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile. | Arista | DISA STIG Arista MLS EOS 4.2x Router v2r1
ARST-RT-000320 - The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile. | Arista | DISA STIG Arista MLS EOS 4.2x Router v2r1
Big Sur - Limit Impact of Denial of Service Attacks | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. | Unix | DISA BIND 9.x STIG v2r3
CASA-FW-000150 - The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks. | Cisco | DISA STIG Cisco ASA FW v2r1
Catalina - Limit Impact of Denial of Service Attacks | Unix | NIST macOS Catalina v1.5.0 - All Profiles
CISC-L2-000040 - The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks - DoS attacks. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1
CISC-L2-000040 - The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1
CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers. | Cisco | DISA STIG Cisco IOS-XR Router RTR v3r1
CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers. | Cisco | DISA STIG Cisco IOS Router RTR v3r1
CISC-RT-000610 - The MPLS router with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers. | Cisco | DISA STIG Cisco IOS XE Router RTR v3r1
CISC-RT-000610 - The MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches. | Cisco | DISA STIG Cisco NX-OS Switch RTR v3r1
CISC-RT-000610 - The MPLS switch with RSVP-TE enabled must be configured with message pacing to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core switches. | Cisco | DISA STIG Cisco IOS XE Switch RTR v3r1
CISC-RT-000700 - The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. | Cisco | DISA STIG Cisco IOS-XR Router RTR v3r1
CISC-RT-000700 - The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. | Cisco | DISA STIG Cisco IOS XE Router RTR v3r1
CISC-RT-000700 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. | Cisco | DISA STIG Cisco IOS XE Switch RTR v3r1
CISC-RT-000700 - The Cisco PE switch providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces. | Cisco | DISA STIG Cisco NX-OS Switch RTR v3r1
CISC-RT-000760 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications - QoS policy in accordance with the QoS DODIN Technical Profile. | Cisco | DISA STIG Cisco IOS Router RTR v3r1
CISC-RT-000760 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications - QoS policy in accordance with the QoS DODIN Technical Profile. | Cisco | DISA STIG Cisco IOS-XR Router RTR v3r1
CISC-RT-000760 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | Cisco | DISA STIG Cisco IOS XE Router RTR v3r1
CISC-RT-000760 - The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | Cisco | DISA STIG Cisco IOS XE Switch RTR v3r1
CISC-RT-000760 - The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | Cisco | DISA STIG Cisco NX-OS Switch RTR v3r1
CISC-RT-000760 - The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | Cisco | DISA STIG Cisco IOS Switch RTR v3r1
CISC-RT-000770 - The Cisco P router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications - QoS policy in accordance with the QoS DODIN Technical Profile. | Cisco | DISA STIG Cisco IOS-XR Router RTR v3r1
CISC-RT-000770 - The Cisco P router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications - QoS policy in accordance with the QoS DODIN Technical Profile. | Cisco | DISA STIG Cisco IOS Router RTR v3r1
CISC-RT-000770 - The Cisco P router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | Cisco | DISA STIG Cisco IOS XE Router RTR v3r1
CISC-RT-000770 - The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | Cisco | DISA STIG Cisco IOS Switch RTR v3r1
CISC-RT-000770 - The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | Cisco | DISA STIG Cisco IOS XE Switch RTR v3r1
CISC-RT-000770 - The Cisco P switch must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | Cisco | DISA STIG Cisco NX-OS Switch RTR v3r1
CISC-RT-000780 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks. | Cisco | DISA STIG Cisco IOS XE Router RTR v3r1
CISC-RT-000780 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks - DoS attacks. | Cisco | DISA STIG Cisco IOS Router RTR v3r1
CISC-RT-000780 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks - DoS attacks. | Cisco | DISA STIG Cisco IOS-XR Router RTR v3r1
CISC-RT-000780 - The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | Cisco | DISA STIG Cisco IOS XE Switch RTR v3r1
CISC-RT-000780 - The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | Cisco | DISA STIG Cisco IOS Switch RTR v3r1
CISC-RT-000780 - The Cisco switch must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | Cisco | DISA STIG Cisco NX-OS Switch RTR v3r1
DKER-EE-001170 - A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r2
DKER-EE-001180 - A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set - repositoryAccess | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix DTR v2r2
DKER-EE-001180 - A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set - team member access | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r2
DKER-EE-002770 - Docker Enterprise container health must be checked at runtime. | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2