shawndwells
commented
9 years ago SC-5 reads as:
SC-5 DENIAL OF SERVICE PROTECTION
Control: The information system protects against or limits the effects of the following types of
denial of service attacks: [Assignment: organization-defined types of denial of service attacks or
references to sources for such information] by employing [Assignment: organization-defined
security safeguards].
Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the
effects of denial of service attacks. For example, boundary protection devices can filter certain
types of packets to protect information system components on internal organizational networks
from being directly affected by denial of service attacks. Employing increased capacity and
bandwidth combined with service redundancy may also reduce the susceptibility to denial of
service attacks. Related controls: SC-6, SC-7.
Control Enhancements:
(1) DENIAL OF SERVICE PROTECTION | RESTRICT INTERNAL USERS
The information system restricts the ability of individuals to launch [Assignment: organizationdefined
denial of service attacks] against other information systems.
Supplemental Guidance: Restricting the ability of individuals to launch denial of service attacks
requires that the mechanisms used for such attacks are unavailable. Individuals of concern can
include, for example, hostile insiders or external adversaries that have successfully breached
the information system and are using the system as a platform to launch cyber attacks on third
parties. Organizations can restrict the ability of individuals to connect and transmit arbitrary
information on the transport medium (i.e., network, wireless spectrum). Organizations can
also limit the ability of individuals to use excessive information system resources. Protection
against individuals having the ability to launch denial of service attacks may be implemented
on specific information systems or on boundary devices prohibiting egress to potential target
systems
(2) DENIAL OF SERVICE PROTECTION | EXCESS CAPACITY / BANDWIDTH / REDUNDANCY
The information system manages excess capacity, bandwidth, or other redundancy to limit the
effects of information flooding denial of service attacks.
Supplemental Guidance: Managing excess capacity ensures that sufficient capacity is available
to counter flooding attacks. Managing excess capacity may include, for example, establishing
selected usage priorities, quotas, or partitioning.
(3) DENIAL OF SERVICE PROTECTION | DETECTION / MONITORING
The organization:
(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of
service attacks against the information system; and
(b) Monitors [Assignment: organization-defined information system resources] to determine if
sufficient resources exist to prevent effective denial of service attacks.
Supplemental Guidance: Organizations consider utilization and capacity of information system
resources when managing risk from denial of service due to malicious attacks. Denial of
service attacks can originate from external or internal sources. Information system resources
sensitive to denial of service include, for example, physical disk storage, memory, and CPU
cycles. Common safeguards to prevent denial of service attacks related to storage utilization
and capacity include, for example, instituting disk quotas, configuring information systems to
automatically alert administrators when specific storage capacity thresholds are reached, using
file compression technologies to maximize available storage space, and imposing separate
partitions for system and user data. Related controls: CA-7, SI-4.The following sysctl's are already mapped to SC-5:
- sysctl_net_ipv4_conf_default_rp_filter
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
As for the others:
- sysctl_net_ipv4_tcp_syncookies (Enable Kernel Parameter to Use TCP Syncookies) This loosely aligns to SC-5(2) and SC-5(3). Submitting PR shortly, will reflect in commit 0e458a8.
- sysctl_net_ipv4_conf_all_log_martians (Enable Kernel Parameter to Log Martian Packets) Loosely aligns to SC-5(3), detecting indicators of DOS. Added via commit 9bca6d2.
- sysctl_net_ipv4_conf_all_secure_redirects (Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces) Makes sense under the "The information system protects against or limits the effects of the following types of denial of service attacks..." theme of SC-5. Will be added via commit 0522d58.
- sysctl_net_ipv4_conf_all_accept_redirects Same as above. Will be added via commit 6c568e6.
- sysctl_net_ipv4_conf_all_accept_source_route Same as above. Will be added via commit d00edc2.
- sysctl_net_ipv4_conf_all_send_redirects Ties to SC-5(1), restricting user behavior. Will be added via commit e0d5418.
@lukek1