The Nokia router must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-283895NOKI-RT-000810SV-283895r1203934_ruleCCI-004866medium
Description
DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of DoS events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of DoS attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to DoS events.
STIGDate
Nokia Service Router OS 25.x Router Security Technical Implementation Guide2026-06-15

Details

Check Text (C-283895r1203934_chk)

Verify the router is configured to employ organization-defined controls by type of DoS to achieve the DoS objective. Verify CPM IP-Filter using the example below: - show system security cpm-filter ip-filter entry 10 CPM IP Filter Entry Entry Id : 10 Description : (Not Specified) ------------------------------------------------------------------------------- Filter Entry Match Criteria : ------------------------------------------------------------------------------- Log Id : n/a Src. IP : 192.168.1.1/32 Src. Port : n/a Dst. IP : n/a Dest. Port : n/a Protocol : ospf-igp Dscp : Undefined ICMP Type : Undefined ICMP Code : Undefined Fragment : Off Option-present : Off IP-Option : n/a Multiple Option : Off TCP-syn : Off TCP-ack : Off Action : Forward Match Router ID : n/a Dropped pkts : 0 Forwarded pkts : 0 Verify Distributed CPU Protection using the example below: - show system security dist-cpu-protection policy "rate-limit" detail Distributed CPU Protection Policy Policy Name : rate-limit Description : (Not Specified) Policy Type : access-network ------------------------------------------------------------------------------- Static Policer ------------------------------------------------------------------------------- Static Policer : PIM-RATE Description : (Not Specified) Kbps : 2000 kbps MBS : 200 KB Detection Time : 30 seconds Exceed-Action : None Hold-Down Time : none Log Events : enable ------------------------------------------------------------------------------- Static Policer : ICMP-RATE Description : (Not Specified) Kbps : 2000 kbps MBS : 200 KB Detection Time : 30 seconds Exceed-Action : None Hold-Down Time : none Log Events : enable ------------------------------------------------------------------------------- Static Policer : ALL-Other-Rate Description : (Not Specified) Kbps : 2000 kbps MBS : 200 KB Detection Time : 30 seconds Exceed-Action : None Hold-Down Time : none Log Events : enable ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Local Monitoring Policer ------------------------------------------------------------------------------- No Matching Entries ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Protocol (Dynamic Policer) ------------------------------------------------------------------------------- Protocol : icmp Enforcement Type : static Enforcement Plcr: ICMP-RATE Dynamic Policer Parameters -------------------------- Packets : max Within : 1 seconds Initial Delay : none Detection Time : 30 seconds Exceed-Action : None Hold-Down Time : none Log Events : enable ------------------------------------------------------------------------------- Protocol : all-unspecified Enforcement Type : static Enforcement Plcr: ALL-Other-Rate Dynamic Policer Parameters -------------------------- Packets : max Within : 1 seconds Initial Delay : none Detection Time : 30 seconds Exceed-Action : None Hold-Down Time : none Log Events : enable ------------------------------------------------------------------------------- Protocol : pim Enforcement Type : static Enforcement Plcr: PIM-RATE Dynamic Policer Parameters -------------------------- Packets : max Within : 1 seconds Initial Delay : none Detection Time : 30 seconds Exceed-Action : None Hold-Down Time : none Log Events : enable ------------------------------------------------------------------------------- If the router is not configured to employ organization-defined controls by type of DoS to achieve the DoS objective, this is a finding.

Fix Text (F-88365r1203933_fix)

Configure the router to employ organization-defined controls by type of DoS to achieve the DoS objective using the example below: Create a CPM-Filter: - configure system security cpm-filter - config>sys>security>cpm-filter# default-action drop - config>sys>security>cpm-filter# ip-filter - config>sys>sec>cpm>ip-filter# - config>sys>sec>cpm>ip-filter# entry 10 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "ospf-igp" - cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.1.1/32 - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit - config>sys>sec>cpm>ip-filter# entry 20 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "pim" - cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.1.2/32 - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit - config>sys>sec>cpm>ip-filter# entry 30 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "igmp" - cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 224.0.0.0/4 - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit - config>sys>sec>cpm>ip-filter# entry 40 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp" - cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.100.1/32 - cfg>sys>sec>cpm>ip-filter>entry>match# dst-ip 192.168.100.2/32 - cfg>sys>sec>cpm>ip-filter>entry>match# src-port 179 - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit - config>sys>sec>cpm>ip-filter# entry 50 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "icmp" - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit - config>sys>sec>cpm>ip-filter# entry 60 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "udp" - cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 161 - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit - config>sys>sec>cpm>ip-filter# entry 70 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "udp" - cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 162 - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit - config>sys>sec>cpm>ip-filter# entry 80 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp" - cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 22 - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit - config>sys>sec>cpm>ip-filter# entry 90 create - cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp" - cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 23 - cfg>sys>sec>cpm>ip-filter>entry>match# exit - cfg>sys>sec>cpm>ip-filter>entry# action accept - cfg>sys>sec>cpm>ip-filter>entry# exit all Create Distributed CPU Protection: - configure system security dist-cpu-protection policy "rate-limit" create - config>sys>security>dist-cpu-protection>policy# static-policer "PIM-RATE" create - config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200 - config>sys>security>dist-cpu-p" create >policy# static-policer "ICMP-RATE - config>sys>security>dist-cpu-protection>policy>static# exit - config>sys>security>dist-cpu-protection>policy# static-policer "ICMP-RATE" create - config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200 - config>sys>security>dist-cpu-protection>policy>static# exit - config>sys>security>dist-cpu-protection>policy# static-policer "ALL-Other-Rate" - config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200 - config>sys>security>dist-cpu-protection>policy>static# exit - config>sys>security>dist-cpu-protection>policy# protocol icmp create - config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "ICMP-RATE" - config>sys>security>dist-cpu-protection>policy>protocol# exit - config>sys>security>dist-cpu-protection>policy# protocol pim create - config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "PIM-RATE" - config>sys>security>dist-cpu-protection>policy>protocol# exit - config>sys>security>dist-cpu-protection>policy# protocol all-unspecified create - config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "ALL-Other-Rate" - config>sys>security>dist-cpu-protection>policy>protocol# exit all Apply Distributed CPU Protection to the interface: - configure router interface "TEST" dist-cpu-protection "rate-limit"