The Nokia router must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283895 | NOKI-RT-000810 | SV-283895r1203934_rule | CCI-004866 | medium |
| Description | ||||
| DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of DoS events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of DoS attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to DoS events. | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Router Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283895r1203934_chk)
Verify the router is configured to employ organization-defined controls by type of DoS to achieve the DoS objective.
Verify CPM IP-Filter using the example below:
- show system security cpm-filter ip-filter entry 10
CPM IP Filter Entry
Entry Id : 10
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id : n/a
Src. IP : 192.168.1.1/32
Src. Port : n/a
Dst. IP : n/a
Dest. Port : n/a
Protocol : ospf-igp Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Option-present : Off
IP-Option : n/a Multiple Option : Off
TCP-syn : Off TCP-ack : Off
Action : Forward
Match Router ID : n/a
Dropped pkts : 0 Forwarded pkts : 0
Verify Distributed CPU Protection using the example below:
- show system security dist-cpu-protection policy "rate-limit" detail
Distributed CPU Protection Policy
Policy Name : rate-limit
Description : (Not Specified)
Policy Type : access-network
-------------------------------------------------------------------------------
Static Policer
-------------------------------------------------------------------------------
Static Policer : PIM-RATE
Description : (Not Specified)
Kbps : 2000 kbps MBS : 200 KB
Detection Time : 30 seconds
Exceed-Action : None Hold-Down Time : none
Log Events : enable
-------------------------------------------------------------------------------
Static Policer : ICMP-RATE
Description : (Not Specified)
Kbps : 2000 kbps MBS : 200 KB
Detection Time : 30 seconds
Exceed-Action : None Hold-Down Time : none
Log Events : enable
-------------------------------------------------------------------------------
Static Policer : ALL-Other-Rate
Description : (Not Specified)
Kbps : 2000 kbps MBS : 200 KB
Detection Time : 30 seconds
Exceed-Action : None Hold-Down Time : none
Log Events : enable
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Local Monitoring Policer
-------------------------------------------------------------------------------
No Matching Entries
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Protocol (Dynamic Policer)
-------------------------------------------------------------------------------
Protocol : icmp
Enforcement Type : static Enforcement Plcr: ICMP-RATE
Dynamic Policer Parameters
--------------------------
Packets : max Within : 1 seconds
Initial Delay : none
Detection Time : 30 seconds
Exceed-Action : None Hold-Down Time : none
Log Events : enable
-------------------------------------------------------------------------------
Protocol : all-unspecified
Enforcement Type : static Enforcement Plcr: ALL-Other-Rate
Dynamic Policer Parameters
--------------------------
Packets : max Within : 1 seconds
Initial Delay : none
Detection Time : 30 seconds
Exceed-Action : None Hold-Down Time : none
Log Events : enable
-------------------------------------------------------------------------------
Protocol : pim
Enforcement Type : static Enforcement Plcr: PIM-RATE
Dynamic Policer Parameters
--------------------------
Packets : max Within : 1 seconds
Initial Delay : none
Detection Time : 30 seconds
Exceed-Action : None Hold-Down Time : none
Log Events : enable
-------------------------------------------------------------------------------
If the router is not configured to employ organization-defined controls by type of DoS to achieve the DoS objective, this is a finding.
Fix Text (F-88365r1203933_fix)
Configure the router to employ organization-defined controls by type of DoS to achieve the DoS objective using the example below:
Create a CPM-Filter:
- configure system security cpm-filter
- config>sys>security>cpm-filter# default-action drop
- config>sys>security>cpm-filter# ip-filter
- config>sys>sec>cpm>ip-filter#
- config>sys>sec>cpm>ip-filter# entry 10 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "ospf-igp"
- cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.1.1/32
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 20 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "pim"
- cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.1.2/32
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 30 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "igmp"
- cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 224.0.0.0/4
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 40 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp"
- cfg>sys>sec>cpm>ip-filter>entry>match# src-ip 192.168.100.1/32
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-ip 192.168.100.2/32
- cfg>sys>sec>cpm>ip-filter>entry>match# src-port 179
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 50 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "icmp"
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 60 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "udp"
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 161
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 70 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "udp"
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 162
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 80 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp"
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 22
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# entry 90 create
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "tcp"
- cfg>sys>sec>cpm>ip-filter>entry>match# dst-port 23
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# exit all
Create Distributed CPU Protection:
- configure system security dist-cpu-protection policy "rate-limit" create
- config>sys>security>dist-cpu-protection>policy# static-policer "PIM-RATE" create
- config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200
- config>sys>security>dist-cpu-p" create >policy# static-policer "ICMP-RATE
- config>sys>security>dist-cpu-protection>policy>static# exit
- config>sys>security>dist-cpu-protection>policy# static-policer "ICMP-RATE" create
- config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200
- config>sys>security>dist-cpu-protection>policy>static# exit
- config>sys>security>dist-cpu-protection>policy# static-policer "ALL-Other-Rate"
- config>sys>security>dist-cpu-protection>policy>static# rate kbps 2000 mbs 200
- config>sys>security>dist-cpu-protection>policy>static# exit
- config>sys>security>dist-cpu-protection>policy# protocol icmp create
- config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "ICMP-RATE"
- config>sys>security>dist-cpu-protection>policy>protocol# exit
- config>sys>security>dist-cpu-protection>policy# protocol pim create
- config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "PIM-RATE"
- config>sys>security>dist-cpu-protection>policy>protocol# exit
- config>sys>security>dist-cpu-protection>policy# protocol all-unspecified create
- config>sys>security>dist-cpu-protection>policy>protocol# enforcement static "ALL-Other-Rate"
- config>sys>security>dist-cpu-protection>policy>protocol# exit all
Apply Distributed CPU Protection to the interface:
- configure router interface "TEST" dist-cpu-protection "rate-limit"