STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Router Security Technical Implementation Guide

V-283895

CAT II (Medium)

The Nokia router must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

Rule ID

SV-283895r1203934_rule

STIG

Nokia Service Router OS 25.x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004866

Discussion

DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of DoS events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of DoS attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to DoS events.

Check Content

Verify the router is configured to employ organization-defined controls by type of DoS to achieve the DoS objective.

Verify CPM IP-Filter using the example below: 

- show system security cpm-filter ip-filter entry 10

CPM IP Filter Entry

Entry Id           : 10
Description        : (Not Specified)
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id             : n/a
Src. IP            : 192.168.1.1/32
Src. Port          : n/a
Dst. IP            : n/a
Dest. Port         : n/a
Protocol           : ospf-igp           Dscp               : Undefined
ICMP Type          : Undefined          ICMP Code          : Undefined
Fragment           : Off                Option-present     : Off
IP-Option          : n/a                Multiple Option    : Off
TCP-syn            : Off                TCP-ack            : Off
Action             : Forward
Match Router ID    : n/a
Dropped pkts       : 0                  Forwarded pkts     : 0

Verify Distributed CPU Protection using the example below: 

- show system security dist-cpu-protection policy "rate-limit" detail

Distributed CPU Protection Policy

Policy Name : rate-limit
Description : (Not Specified)
Policy Type : access-network

-------------------------------------------------------------------------------
Static Policer
-------------------------------------------------------------------------------
Static Policer      : PIM-RATE
Description         : (Not Specified)
Kbps                : 2000 kbps             MBS             : 200 KB
Detection Time      : 30 seconds
Exceed-Action       : None                  Hold-Down Time  : none
Log Events          : enable

-------------------------------------------------------------------------------
Static Policer      : ICMP-RATE
Description         : (Not Specified)
Kbps                : 2000 kbps             MBS             : 200 KB
Detection Time      : 30 seconds
Exceed-Action       : None                  Hold-Down Time  : none
Log Events          : enable

-------------------------------------------------------------------------------
Static Policer      : ALL-Other-Rate
Description         : (Not Specified)
Kbps                : 2000 kbps             MBS             : 200 KB
Detection Time      : 30 seconds
Exceed-Action       : None                  Hold-Down Time  : none
Log Events          : enable
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Local Monitoring Policer
-------------------------------------------------------------------------------
No Matching Entries
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Protocol (Dynamic Policer)
-------------------------------------------------------------------------------
Protocol            : icmp
Enforcement Type    : static                Enforcement Plcr: ICMP-RATE

Dynamic Policer Parameters
--------------------------
Packets             : max                   Within          : 1 seconds
Initial Delay       : none
Detection Time      : 30 seconds
Exceed-Action       : None                  Hold-Down Time  : none
Log Events          : enable

-------------------------------------------------------------------------------
Protocol            : all-unspecified
Enforcement Type    : static                Enforcement Plcr: ALL-Other-Rate

Dynamic Policer Parameters
--------------------------
Packets             : max                   Within          : 1 seconds
Initial Delay       : none
Detection Time      : 30 seconds
Exceed-Action       : None                  Hold-Down Time  : none
Log Events          : enable

-------------------------------------------------------------------------------
Protocol            : pim
Enforcement Type    : static                Enforcement Plcr: PIM-RATE

Dynamic Policer Parameters
--------------------------
Packets             : max                   Within          : 1 seconds
Initial Delay       : none
Detection Time      : 30 seconds
Exceed-Action       : None                  Hold-Down Time  : none
Log Events          : enable
-------------------------------------------------------------------------------

If the router is not configured to employ organization-defined controls by type of DoS to achieve the DoS objective, this is a finding.

Fix Text

Configure the router to employ organization-defined controls by type of DoS to achieve the DoS objective using the example below: 

Create a CPM-Filter:

- configure system security cpm-filter
- config>sys>security>cpm-filter# default-action drop
- config>sys>security>cpm-filter# ip-filter
- config>sys>sec>cpm>ip-filter#
- config>sys>sec>cpm>ip-filter# entry 10 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "ospf-igp"
- cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.1.1/32
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 20 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "pim"
- cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.1.2/32
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 30 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "igmp"
- cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 224.0.0.0/4
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 40 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp"
- cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.100.1/32
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-ip 192.168.100.2/32
- cfg>sys>sec>cpm>ip-filter>entry>match# src-port 179
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 50 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "icmp"
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 60 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "udp"
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 161
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 70 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "udp"
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 162
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 80 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp"
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 22
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 90 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp"
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 23
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit all

Create Distributed CPU Protection: 

- configure system security dist-cpu-protection policy "rate-limit" create                             
- config>sys>security>dist-cpu-protection>policy# static-policer "PIM-RATE" create
- config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200
- config>sys>security>dist-cpu-p" create >policy# static-policer "ICMP-RATE
- config>sys>security>dist-cpu-protection>policy>static# exit
- config>sys>security>dist-cpu-protection>policy# static-policer "ICMP-RATE" create
- config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200
- config>sys>security>dist-cpu-protection>policy>static# exit
- config>sys>security>dist-cpu-protection>policy# static-policer "ALL-Other-Rate"
- config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200
- config>sys>security>dist-cpu-protection>policy>static# exit
- config>sys>security>dist-cpu-protection>policy# protocol icmp create
- config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "ICMP-RATE"
- config>sys>security>dist-cpu-protection>policy>protocol# exit
- config>sys>security>dist-cpu-protection>policy# protocol pim create
- config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "PIM-RATE"
- config>sys>security>dist-cpu-protection>policy>protocol# exit
- config>sys>security>dist-cpu-protection>policy# protocol all-unspecified create
- config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "ALL-Other-Rate"
- config>sys>security>dist-cpu-protection>policy>protocol# exit all

Apply Distributed CPU Protection to the interface:

- configure router interface "TEST" dist-cpu-protection "rate-limit"