Device Class 1: Denial Of Service Protection

Control ID: SC-5 Denial Of Service Protection
Family: System and Communications Protection
Source: NIST 800-53r4
Control: The information system protects against or limits the effects of the following types of denial of service attacks:
  • WSMP flooding by employing rate limitation on input sources, signature verification and misbehavior reporting.
  • IP-based flooding by limiting access to the device over IP, with different mechanisms used for different types of devices as noted below.
Supplemental Guidance:
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

Related Controls: SC-7, SC-6
Control Enhancements:
(1) Denial Of Service Protection | Restrict Internal Users
The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems.
Supplemental Guidance: Restricting the ability of individuals to launch denial of service attacks requires that the mechanisms used for such attacks are unavailable. Individuals of concern can include, for example, hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber-attacks on third parties. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., network, wireless spectrum). Organizations can also limit the ability of individuals to use excessive information system resources. Protection against individuals having the ability to launch denial of service attacks may be implemented on specific information systems or on boundary devices prohibiting egress to potential target systems.
Related Controls: N/A
References: N/A
Mechanisms:

See also CP-12 safe mode.

  • The application shall take the current environment into consideration when determining whether to verify, forward, or react to an incoming application datagram and shall not verify, forward or react to a datagram if it seems likely that this would lead to resource exhaustion.
  • The application shall take the current environment into consideration when determining whether to cryptographically verify incoming application datagrams.
  • The device shall discard IP packets whose source address is unknown to the device.
  • The device shall discard IP packets whose source address is known to the device unless either:
    • The device has a request pending to the source, or
    • The source is on a whitelist of sources that may send the device unsolicited IP traffic.
  • The device shall enforce a limit on transmission of data over DSRC media.
    • This limit shall be configurable through a system management function.
    • This limit shall be:
      • no higher than 0.6 megabits per second on the DSRC safety channel (rationale: a single device shall not be able to use more than 10% of channel capacity of the safety channel).
      • no higher than 1.2 megabits per second on 10 MHz DSRC service channels, and no higher than 2.4 megabits per second on 20 MHz service channels (rationale: a single device shall not be able to use more than 20% of channel capacity on service channels).
      NOTE: The above limits represent maximums. Future versions of this document may include dynamic controls on these limits so that they go down if channel utilization is high.
  • The device shall support notifying applications if the Channel Busy Ratio on channels used by those applications is greater than a configurable threshold.
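
The sketch below is an added example, not part of the control text or of any referenced standard. It shows one way to enforce the DSRC transmission limit (configurable, but never above the stated maximum) and the IP source discard rule. All class, function and parameter names are hypothetical, and the 0.1 s burst window is an assumption, since the text above does not define a measurement interval.

```python
# Added illustration; class and parameter names are hypothetical.
MAX_BPS = {"safety": 600_000, "service_10mhz": 1_200_000, "service_20mhz": 2_400_000}

class TxLimiter:
    """Token bucket for the DSRC transmit limit on one channel."""
    def __init__(self, channel, limit_bps=None, burst_s=0.1):
        self.cap_bps = MAX_BPS[channel]   # maximum from the mechanism list
        self.burst_s = burst_s            # assumed averaging window, not in the spec
        self.tokens, self.last = float("inf"), 0.0
        self.set_limit(self.cap_bps if limit_bps is None else limit_bps)

    def set_limit(self, limit_bps):
        """Management function: the limit is configurable only up to the cap."""
        if not 0 < limit_bps <= self.cap_bps:
            raise ValueError("limit must be in (0, channel maximum]")
        self.limit_bps = limit_bps
        self.tokens = min(self.tokens, limit_bps * self.burst_s)

    def allow(self, nbytes, now):
        """Return True if a frame of nbytes may be sent at time now (seconds)."""
        depth = self.limit_bps * self.burst_s
        self.tokens = min(depth, self.tokens + (now - self.last) * self.limit_bps)
        self.last = now
        if nbytes * 8 > self.tokens:
            return False                  # over budget: drop or defer the frame
        self.tokens -= nbytes * 8
        return True

class IpSourceFilter:
    """Ingress rule: discard unknown sources and unsolicited known sources."""
    def __init__(self, known, whitelist):
        self.known, self.whitelist, self.pending = set(known), set(whitelist), set()

    def request_sent(self, dst):
        self.pending.add(dst)

    def request_done(self, dst):
        self.pending.discard(dst)

    def accept(self, src):
        if src not in self.known:
            return False
        return src in self.pending or src in self.whitelist

def offered_load_bits(limiter, frame_bytes, interval_s, duration_s):
    """Offer one frame every interval_s; return the bits actually admitted."""
    steps = round(duration_s / interval_s)
    return sum(frame_bytes * 8 for i in range(steps)
               if limiter.allow(frame_bytes, i * interval_s))
```

With this bucket, the bits admitted over any window of T seconds are bounded by limit × (T + burst window), so a smaller burst window tracks the stated maximum more tightly.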

Protocol Implementation Conformance Statements:
| ID | Statement | Status | Reference | Notes |
|---|---|---|---|---|
| SC-5/1 | Supports WSMP filtering | SC-5/1:M | SAE J2945/1, IEEE 1609.x | |
| SC-5/2 | Supports unknown IP packet discard | SC-5/2:M | | |
| SC-5/3 | Supports known IP packet discard | SC-5/3:M | | |
| SC-5(1)/4 | Supports DSRC transmission limiting | SC-5/4:M | IEEE 1609.x | |
| SC-5(1)/5 | Supports DSRC transmission limit configurable through management function | SC-5/5:M | | |
| SC-5(1)/6 | Supports DSRC transmission limit maximum XXX | SC-5/6:M | | |