STIGQter: STIG Summary: A10 Networks ADC ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The A10 Networks ADC must enable DDoS filters.

DISA Rule

SV-237051r639600_rule

Vulnerability Number

V-237051

Group Title

SRG-NET-000362-ALG-000126

Rule Version

AADC-AG-000101

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The following commands configure DDoS filters:
ip anomaly-drop ip-option
ip anomaly-drop land-attack
ip anomaly-drop ping-of-death
ip anomaly-drop frag
ip anomaly-drop tcp-no-flag
ip anomaly-drop tcp-syn-fin
ip anomaly-drop tcp-syn-frag
ip anomaly-drop out-of-sequence [threshold]
ip anomaly-drop ping-of-death
ip anomaly-drop zero-window [threshold]
ip anomaly-drop bad-content

Note: Thresholds are specific to the expected traffic for the system or enclave.

Check Contents

Review the device configuration.

The following command displays the device configuration and filters the output on the string "anomaly-drop":
show run | inc anomaly-drop

The output should display the following commands:
ip anomaly-drop ip-option
ip anomaly-drop land-attack
ip anomaly-drop ping-of-death
ip anomaly-drop frag
ip anomaly-drop tcp-no-flag
ip anomaly-drop tcp-syn-fin
ip anomaly-drop tcp-syn-frag
ip anomaly-drop out-of-sequence [threshold]
ip anomaly-drop ping-of-death
ip anomaly-drop zero-window [threshold]
ip anomaly-drop bad-content

If the output does not show these commands, this is a finding.
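The check above, automated as an added example (not part of the STIG or of A10's tooling). It assumes each filter appears on its own line in the form shown on this page, optionally followed by a numeric threshold; the function and variable names are illustrative. It matches whole filter names, so "tcp-syn-frag" is never counted as "frag".

```python
import re

# Filter names required by the check text on this page (the page lists
# ping-of-death twice; it is needed only once here).
REQUIRED = (
    "ip-option", "land-attack", "ping-of-death", "frag", "tcp-no-flag",
    "tcp-syn-fin", "tcp-syn-frag", "out-of-sequence", "zero-window",
    "bad-content",
)
# Filters the page shows with a [threshold] argument.
THRESHOLDED = {"out-of-sequence", "zero-window"}
# Assumed line shape: "ip anomaly-drop <filter> [<number>]", whole line.
LINE = re.compile(r"^ip\s+anomaly-drop\s+(\S+)(?:\s+(\d+))?$")


def audit_anomaly_drop(show_run_output):
    """Return (missing, thresholds) for 'show run | inc anomaly-drop' output.
    missing: required filters with no config line (non-empty = finding).
    thresholds: configured value per thresholded filter, None if unset."""
    seen = {}
    for raw in show_run_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, banners, or negated "no ip ..." lines
        name, threshold = m.groups()
        seen[name] = int(threshold) if threshold else None
    missing = [f for f in REQUIRED if f not in seen]
    thresholds = {f: seen[f] for f in THRESHOLDED if f in seen}
    return missing, thresholds


# Constructed sample output (not captured from a device): "frag" is absent
# and "tcp-syn-frag" must not be mistaken for it.
SAMPLE = """\
ip anomaly-drop ip-option
ip anomaly-drop land-attack
ip anomaly-drop ping-of-death
ip anomaly-drop tcp-no-flag
ip anomaly-drop tcp-syn-fin
ip anomaly-drop tcp-syn-frag
ip anomaly-drop out-of-sequence 10
ip anomaly-drop zero-window
ip anomaly-drop bad-content
"""

if __name__ == "__main__":
    missing, thresholds = audit_anomaly_drop(SAMPLE)
    print("finding" if missing else "not a finding", missing, thresholds)
```

The returned thresholds still need review against the traffic expected for the system or enclave, as the note in the fix text says.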

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5285
