SC-5: Denial-of-service Protection

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:

Threats Addressed:

Baselines:

  • Low
    • SC-5
  • Moderate
    • SC-5
  • High
    • SC-5
  • Privacy

    N/A

Previous Version:

Control Statement

  1. [Assignment: Protect against, Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and
  2. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].

Supplemental Guidance

Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.

Control Enhancements

SC-5(1): Restrict Ability to Attack Other Systems

Baseline(s):

(Not part of any baseline)

Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].

SC-5(3): Detection and Monitoring

Baseline(s):

(Not part of any baseline)

Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources].