CCI|CCI-004866
Title: Employ organization-defined controls by type of denial-of-service to achieve the denial-of-service objective.
Reference Item Details
Reference: CCI - DISA Control Correlation Identifier
Category: 2024
Audit Items
| Name | Plugin | Audit Name |
| --- | --- | --- |
| ARST-L2-000030 - The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| CASA-FW-000150 - The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks. | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CISC-L2-000040 - The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks - DoS attacks. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000040 - The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-RT-000120 - The Cisco router must be configured to protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection. | Cisco | DISA STIG Cisco IOS XE Router RTR v3r1 |
| CISC-RT-000120 - The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco | DISA STIG Cisco IOS Router RTR v3r1 |
| CISC-RT-000120 - The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco | DISA STIG Cisco NX-OS Switch RTR v3r1 |
| CISC-RT-000120 - The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco | DISA STIG Cisco IOS Switch RTR v3r1 |
| CISC-RT-000120 - The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Cisco | DISA STIG Cisco IOS XE Switch RTR v3r1 |
| JUEX-L2-000040 - The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks. | Juniper | DISA Juniper EX Series Layer 2 Switch v2r1 |
| JUEX-RT-000170 - The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000340 - The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000380 - The Juniper router must be configured to restrict traffic destined to itself. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000390 - The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000440 - The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000450 - The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000500 - The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000510 - The Juniper perimeter router must be configured to block all packets with any IP options. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000520 - The Juniper PE router must be configured to ignore or block all packets with any IP options. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000590 - The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000610 - The Juniper router must be configured to have IP directed broadcast disabled on all interfaces. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000680 - The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000720 - The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). | Juniper | DISA Juniper EX Series Router v2r1 |
| JUNI-RT-000120 - The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection - filter | Juniper | DISA STIG Juniper Router RTR v3r1 |
| JUNI-RT-000120 - The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection - policer | Juniper | DISA STIG Juniper Router RTR v3r1 |
| JUSX-AG-000120 - The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by implementing statistics-based screens - DoS attacks by implementing statistics-based screens. | Juniper | DISA Juniper SRX Services Gateway ALG v3r1 |
| JUSX-AG-000121 - The Juniper SRX Services Gateway Firewall must implement load balancing on the perimeter firewall, at a minimum, to limit the effects of known and unknown types of denial-of-service (DoS) attacks on the network - DoS attacks on the network. | Juniper | DISA Juniper SRX Services Gateway ALG v3r1 |
| JUSX-AG-000122 - The Juniper SRX Services Gateway Firewall must protect against known types of denial-of-service (DoS) attacks by implementing signature-based screens - DoS attacks by implementing signature-based screens. | Juniper | DISA Juniper SRX Services Gateway ALG v3r1 |
| JUSX-AG-000124 - The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints - DoS attacks against other networks or endpoints. | Juniper | DISA Juniper SRX Services Gateway ALG v3r1 |
| JUSX-IP-000005 - The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic. | Juniper | DISA Juniper SRX Services Gateway IDPS v2r1 |
| JUSX-IP-000006 - The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic. | Juniper | DISA Juniper SRX Services Gateway IDPS v2r1 |
| JUSX-IP-000017 - The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. | Juniper | DISA Juniper SRX Services Gateway IDPS v2r1 |
| JUSX-IP-000018 - The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based detection. | Juniper | DISA Juniper SRX Services Gateway IDPS v2r1 |
| JUSX-IP-000019 - The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures. | Juniper | DISA Juniper SRX Services Gateway IDPS v2r1 |
| JUSX-VN-000001 - The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1 |
| JUSX-VN-000016 - The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1 |
| PANW-AG-000047 - The Palo Alto Networks security platform must protect against the use of internal systems for launching denial-of-service (DoS) attacks against external networks or endpoints - DoS attacks against other networks or endpoints. | Palo_Alto | DISA STIG Palo Alto ALG v3r1 |
| PANW-AG-000049 - The Palo Alto Networks security platform must block phone home traffic. | Palo_Alto | DISA STIG Palo Alto ALG v3r1 |
| PANW-AG-000102 - The Palo Alto Networks security platform must protect against denial-of-service (DoS) attacks from external sources - traffic thresholds. | Palo_Alto | DISA STIG Palo Alto ALG v3r1 |
| PANW-IP-000018 - The Palo Alto Networks security platform must have a denial-of-service (DoS) Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone. | Palo_Alto | DISA STIG Palo Alto IDPS v3r1 |
| PANW-IP-000041 - The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds) - DoS Protection Object | Palo_Alto | DISA STIG Palo Alto IDPS v3r1 |
| PANW-IP-000041 - The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds) - DoS Protection Policy | Palo_Alto | DISA STIG Palo Alto IDPS v3r1 |
| PANW-IP-000043 - The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats. | Palo_Alto | DISA STIG Palo Alto IDPS v3r1 |