STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide Version: 9 Release: 10 Benchmark Date: 24 Jan 2020:

Multicast register messages must be rate limited per each source-group (S, G) entry.

DISA Rule

SV-80869r1_rule

Vulnerability Number

V-66379

Group Title

NET2012

Rule Version

NET2012

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Designated Router (DR) to rate limit the number of multicast register messages it will allow for each (S, G) entry.

Check Contents

Review the configuration of the DR to verify that it is rate limiting the number of multicast register messages it will send for each (S, G) entry.

If the DR is not limiting multicast register messages, this is a finding.

The following is a PIM sparse mode configuration example that limits the number of register messages for each (S, G) multicast entry to 10 per second.

ip multicast-routing
!
interface FastEthernet 0/0
description link to core
ip address 192.168.123.2 255.255.255.0
ip pim sparse-mode
!
interface FastEthernet 0/1
description User LAN
ip address 192.168.122.1 255.255.255.0
ip pim sparse-mode
!
ip pim rp-address 1.1.1.1
ip pim register-rate 10
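The check above can be automated against a saved running configuration. The following script is an added example, not part of the STIG or of STIGQter: it parses Cisco IOS-style configuration text, identifies the interfaces running PIM sparse (or sparse-dense) mode, and reports whether a register rate limit is configured. It assumes IOS syntax, accepts both the full keyword "register-rate-limit" and the shortened "register-rate" form used in the example above (IOS accepts unambiguous keyword abbreviations), honours a later "no ip pim register-rate-limit" line, and treats a router with no PIM sparse-mode interface as not applicable, since such a router can never act as a DR. The sample configurations embedded in it are constructed for the example.

```python
"""Automated check for NET2012 / V-66379: PIM register-message rate limiting.

Added example (not part of the STIG or STIGQter). Assumes Cisco IOS syntax.
Run with a path to saved "show running-config" output, or with no argument
to exercise the constructed samples below.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the compliant DR configuration from the check text.
COMPLIANT_CONFIG = """\
ip multicast-routing
!
interface FastEthernet 0/0
 description link to core
 ip address 192.168.123.2 255.255.255.0
 ip pim sparse-mode
!
interface FastEthernet 0/1
 description User LAN
 ip address 192.168.122.1 255.255.255.0
 ip pim sparse-mode
!
ip pim rp-address 1.1.1.1
ip pim register-rate-limit 10
"""

# Constructed sample: the same router with the rate limit never configured.
NONCOMPLIANT_CONFIG = COMPLIANT_CONFIG.replace("ip pim register-rate-limit 10\n", "")

# Constructed sample: no PIM sparse-mode interface, so the router can never be
# the DR for a source and the requirement is not applicable.
NO_PIM_CONFIG = """\
interface GigabitEthernet 0/0
 ip address 10.0.0.1 255.255.255.0
!
"""

# "ip pim register-rate-limit <n>" is the full IOS keyword; IOS also accepts the
# unambiguous abbreviation "register-rate" used in the STIG example. A leading
# "no" removes the limit, and the value is optional in that form.
RATE_LIMIT_RE = re.compile(
    r"^\s*(?P<no>no\s+)?ip pim register-rate(?:-limit)?(?:\s+(?P<rate>\d+))?\s*$"
)
SPARSE_MODE_RE = re.compile(r"^\s*ip pim sparse(?:-dense)?-mode\s*$")


@dataclass
class RegisterRateResult:
    applicable: bool                           # False when no interface runs PIM-SM
    sparse_mode_interfaces: List[str] = field(default_factory=list)
    register_rate_limit: Optional[int] = None  # configured messages/sec per (S, G)
    finding: bool = False
    reason: str = ""


def pim_sparse_mode_interfaces(config: str) -> List[str]:
    """Return interface names whose stanza enables PIM sparse (or sparse-dense) mode."""
    interfaces, current = [], None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            current = stripped[len("interface "):].strip()
        elif stripped == "!":
            current = None                     # end of the interface stanza
        elif current and SPARSE_MODE_RE.match(stripped):
            interfaces.append(current)
    return interfaces


def configured_register_rate_limit(config: str) -> Optional[int]:
    """Return the effective global register rate limit, honouring a later 'no' form."""
    rate = None
    for line in config.splitlines():
        m = RATE_LIMIT_RE.match(line)
        if not m:
            continue
        rate = None if m.group("no") or m.group("rate") is None else int(m.group("rate"))
    return rate


def check_register_rate_limit(config: str) -> RegisterRateResult:
    """Evaluate one router configuration against the V-66379 check."""
    interfaces = pim_sparse_mode_interfaces(config)
    if not interfaces:
        return RegisterRateResult(False, reason="no PIM sparse-mode interface; router cannot act as DR")
    rate = configured_register_rate_limit(config)
    if rate is None:
        return RegisterRateResult(True, interfaces, None, True,
                                  "PIM-SM enabled but register messages are not rate limited")
    return RegisterRateResult(True, interfaces, rate, False,
                              f"register messages limited to {rate}/s per (S, G) entry")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        samples = {"compliant": COMPLIANT_CONFIG, "noncompliant": NONCOMPLIANT_CONFIG,
                   "no-pim": NO_PIM_CONFIG}
    for name, text in samples.items():
        r = check_register_rate_limit(text)
        status = "N/A" if not r.applicable else ("FINDING" if r.finding else "not a finding")
        print(f"{name}: {status} ({r.reason})")
```

The rate limit is a global command in IOS, so the script reads it from anywhere in the file; the interface walk exists only to decide applicability. When reviewing a live device, collect the configuration with "show running-config" rather than trusting a startup configuration that may not have been saved after the change.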

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

838

Comments