SC-05 Denial-of-service Protection

Baselines

Guidance

Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.

References 1

• SP 800-189 Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189.

Control Enhancements 3

• SC-05(01) Restrict Ability to Attack Other Systems L M H P
• SC-05(02) Capacity, Bandwidth, and Redundancy L M H P
• SC-05(03) Detection and Monitoring L M H P

Related controls 5

• CP-02 Contingency Plan L M H P
• IR-04 Incident Handling L M H P
• SC-06 Resource Availability L M H P
• SC-07 Boundary Protection L M H P
• SC-40 Wireless Link Protection L M H P