The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-239860	SRG-NET-000193-FW-000030	CASA-FW-000150	SV-239860r991796_rule	2024-06-06	2

Description
A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping and will eventually black-hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity.

Description

A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping and will eventually black-hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity.

ℹ️ Check
NOTE: When operating the ASA in multi-context mode with a separate IDPS, threat detection cannot be enabled, and this check is Not Applicable. Review the ASA configuration to determine if threat detection has been enabled. threat-detection basic-threat If the ASA has not been configured to enable threat detection to mitigate risks of DoS attacks, this is a finding.

✔️ Fix
Configure threat detection as shown in the example below. ASA(config)# threat-detection basic-threat