The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications.

Overview

Finding ID: V-206726
Version: SRG-NET-000362-SDN-000720
Rule ID: SV-206726r856676_rule
IA Controls: CCI-002385
Severity: medium

Description
The SDN Controller is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control-plane processes. It is also instrumental in the network management and provisioning functions that keep the SDN-enabled network elements and links available for providing network services. Any disruption to the SDN Controller can result in mission-critical network outages. A DoS attack targeting the SDN Controller can result in excessive CPU and memory utilization. The SDN Controller must be configured to rate-limit control-plane traffic destined to itself to mitigate the risk of a DoS attack and ensure network stability.

STIG: SDN Controller Security Requirements Guide
Date: 2024-05-28

Related Frameworks

2 paths across 2 frameworks
NIST 800-53 (1 mapping)
SC-5
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI (1 mapping)
CCI-002385
1.00
  • DISA · 2 · disa_xccdf · related

Details

Check Text (C-206726r856676_chk)

Review the SDN controller configuration to determine if it is configured to rate-limit control-plane messages. If the SDN controller is not configured to rate-limit control-plane messages, this is a finding.

Fix Text (F-6983r363117_fix)

Configure the SDN controller to rate-limit control-plane messages.
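
Added example (not part of the SRG and not taken from any controller product): a token-bucket limiter for control-plane messages arriving at a controller, run over a constructed one-second load to compare a global limit alone with a global limit plus per-switch limits. The class names, switch names and all numeric limits are assumptions chosen for illustration.

```python
# Added example; names and limits are assumptions, not from the SRG or a real controller.
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    rate: float                      # messages replenished per second
    burst: float                     # maximum bucket size
    tokens: float = field(init=False)
    last: float = 0.0                # timestamp of the previous refill

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class ControlPlaneLimiter:
    """Global bucket protects controller CPU; optional per-switch buckets isolate sources."""
    def __init__(self, global_rate, global_burst, switch_rate=None, switch_burst=None):
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.switch_limits = (switch_rate, switch_burst) if switch_rate else None
        self.buckets, self.dropped = {}, {}

    def admit(self, switch_id: str, now: float) -> bool:
        ok = True
        if self.switch_limits:       # checked first, so one source cannot drain the global bucket
            if switch_id not in self.buckets:
                self.buckets[switch_id] = TokenBucket(*self.switch_limits)
            ok = self.buckets[switch_id].allow(now)
        ok = ok and self.global_bucket.allow(now)
        if not ok:
            self.dropped[switch_id] = self.dropped.get(switch_id, 0) + 1
        return ok

def simulate(per_switch: bool):
    """Constructed load for 1 s: sw-flood sends 1000 msg/s, sw-normal sends 10 msg/s."""
    lim = ControlPlaneLimiter(200, 50, 50, 20) if per_switch else ControlPlaneLimiter(200, 50)
    accepted = {"sw-flood": 0, "sw-normal": 0}
    for ms in range(1000):
        now = ms / 1000.0
        accepted["sw-flood"] += lim.admit("sw-flood", now)
        if ms % 100 == 0:
            accepted["sw-normal"] += lim.admit("sw-normal", now)
    return accepted, lim.dropped
```

With the global limit alone, the well-behaved switch gets 1 of its 10 messages through; with per-switch limits added, all 10 are accepted while the flooding switch is held to its own budget. The per-switch drop counters are also a natural input for alerting on a misbehaving or compromised network element.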