{"description": "Create a direct firewall rule to protect against DoS attacks with the following\ncommand:\n<pre>$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES</pre>", "rationale": "DoS is a condition in which a resource is not available to legitimate users. When\nthis occurs, the organization either cannot accomplish its mission or must\noperate at degraded capacity.\n<br /><br />\nThis requirement addresses the configuration of\nthe operating system to mitigate the impact on system availability of DoS attacks that have occurred or\nare ongoing. For each system, known and potential DoS\nattacks must be identified and solutions for each type implemented. A variety of\ntechnologies exist to limit or, in some cases, eliminate the effects of DoS\nattacks (e.g., limiting processes or establishing memory partitions). Employing\nincreased capacity and bandwidth, combined with service redundancy, may reduce\nthe susceptibility to some DoS attacks.", "severity": "medium", "references": {"nist": ["SC-5", "SC-5(1)", "SC-5(2)", "SC-5(3)(a)", "CM-6(a)"], "srg": ["SRG-OS-000420-GPOS-00186"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "firewalld is not rate limiting connections", "ocil": "To verify the operating system protects against or limits the effects of DoS\nattacks by ensuring the operating system is implementing rate-limiting measures\non impacted network interfaces, run the following command:\n<pre>$ sudo firewall-cmd --permanent --direct --get-rules ipv4 filter INPUT_direct</pre>\nThe output should return:\n<pre>0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, 
"inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure firewalld To Rate Limit Connections", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml", "template": null}