This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
NIST 800-53 (r4) Supplemental Guidance:
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7.
NIST 800-53 (r5) Discussion:
Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.
38North Guidance:
Meets Minimum Requirement:
Implement host-based firewalls and Network Access Control Lists (NACLs) to restrict ingress/egress traffic to trusted ports, protocols, services, and source/destination IP addresses.
Best Practice:
Implement host-based firewalls and Network Access Control Lists (NACLs) to restrict ingress/egress traffic to trusted ports, protocols, services, and source/destination IP addresses.
Design a highly available and fault-tolerant system architecture that utilizes multiple geographic locations, load balancers, and auto scaling.
Configure logging on network perimeter devices (e.g., load balancers, WAFs) and NetFlow collection, and forward the logs to a SIEM solution with 24/7 monitoring in place.
Deploy Web Application Firewalls (WAF) to the network perimeter that perform deep packet inspection for web traffic.
Deploy host-based or inline IDS/IPS systems that utilize statistical/behavioral or signature-based algorithms to detect and contain network attacks.
Configure traffic shaping and/or rate limiting routing policies.
Internal DDoS protection is NOT a requirement: DDoS protections for internal service points are overkill and are not needed to meet the SC-5 requirement.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Screenshots of configuration settings of the measures in place to protect against or limit the effects of the denial of service attacks (e.g., firewall rule sets; policies configured for WAFs, Load Balancers, Auto Scaling Groups, etc.).
Screenshots confirming the use of multiple geographic locations.
CSP Implementation Tips - DDoS Protection:
Amazon Web Services (AWS):
Microsoft Azure: TBD
Google Cloud Platform: TBD