The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

Severity: medium
Group ID: V-253951
Group Title: SRG-NET-000193-L2S-000020
Version: JUEX-L2-000040
Rule ID: SV-253951r1082966_rule
Date: 2025-03-07
STIG Version: 2
Description
DoS attacks can be mitigated by ensuring sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages). A Junos OS classifier identifies and separates traffic flows and provides the means to prioritize traffic later in the class-of-service (CoS) process. By default, Junos implements a standard CoS (QoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NC). A behavior aggregate (BA) classifier performs this function by associating discriminating values with forwarding classes and loss priorities. Unless overridden, Junos OS applies the default CoS to all interfaces. Junos OS provides multiple predefined BA classifier types, which the site can combine and supplement with custom CoS configuration as needed to achieve overall traffic classification goals.
Check
Review the switch configuration to verify that Class-of-Service (CoS) has been enabled. Ensure sufficient capacity is available for mission-critical traffic to enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies. By default, Junos implements a standard CoS (QoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NC). Verify additional queues are configured to support the traffic priorities of the Combatant Commanders/Services/Agencies. The example CoS below adds a queue for one type of prioritized traffic. The example shows the interdependency of the classifiers, the schedulers, and the interfaces, but the names, classifier code points, and scheduler rates are only examples. The names, code points, and rates must be appropriate for the target environment. Additional configuration is required for each type of prioritized traffic. Note: The example CoS names, scheduler rates, and DSCP values must not be considered requirements. The names, rates, and values must be appropriately configured for the target environment.
user@host> show configuration class-of-service
classifiers {
    dscp prioritized-traffic-classifier {
        import default;
        forwarding-class expedited-forwarding {
            loss-priority low code-points [ 101110 100100 ];
        }
    }
}
interfaces {
    <interface> {
        scheduler-map prioritized-traffic-map;
        unit <logical unit> {
            classifiers {
                dscp prioritized-traffic-classifier;
            }
        }
    }
    <uplink interface> {
        scheduler-map prioritized-traffic-map;
        unit <logical unit> {
            classifiers {
                dscp prioritized-traffic-classifier;
            }
        }
    }
}
scheduler-maps {
    prioritized-traffic-map {
        forwarding-class best-effort scheduler be-scheduler;
        forwarding-class expedited-forwarding scheduler ef-scheduler;
        forwarding-class network-control scheduler nc-scheduler;
    }
}
schedulers {
    be-scheduler {
        transmit-rate {
            remainder;
        }
        priority low;
    }
    ef-scheduler {
        shaping-rate percent 20;
        priority strict-high;
    }
    nc-scheduler {
        shaping-rate percent 5;
        priority strict-high;
    }
}

If the switch is not configured to implement a QoS policy, this is a finding.
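The Check above can be automated against the output of "show configuration class-of-service". The following is an added example, not DISA or Juniper tooling: it parses the Junos curly-brace output into nested dicts and then verifies the interdependencies the Check describes (each CoS interface binds a scheduler-map and a DSCP classifier that exist, every forwarding class in a scheduler-map has a defined scheduler, and at least one queue beyond the default best-effort/network-control pair is present). The sample configuration and interface names are constructed.

```python
import re
# Constructed sample of 'show configuration class-of-service' output mirroring the Check example above.
SAMPLE_CFG = """
classifiers { dscp prioritized-traffic-classifier { import default;
  forwarding-class expedited-forwarding { loss-priority low code-points [ 101110 100100 ]; } } }
interfaces { ge-0/0/1 { scheduler-map prioritized-traffic-map; unit 0 { classifiers { dscp prioritized-traffic-classifier; } } }
  xe-0/1/0 { scheduler-map prioritized-traffic-map; unit 0 { classifiers { dscp prioritized-traffic-classifier; } } } }
scheduler-maps { prioritized-traffic-map { forwarding-class best-effort scheduler be-scheduler;
  forwarding-class expedited-forwarding scheduler ef-scheduler; forwarding-class network-control scheduler nc-scheduler; } }
schedulers { be-scheduler { transmit-rate { remainder; } priority low; }
  ef-scheduler { shaping-rate percent 20; priority strict-high; } nc-scheduler { shaping-rate percent 5; priority strict-high; } }
"""

def parse_junos(text):
    """Junos curly-brace config -> nested dicts; block headers are keys, leaf statements go in '_stmts'."""
    stack, pending = [{"_stmts": []}], None
    # Tokens: '{', '}', or statement text trimmed of surrounding whitespace; ';' itself is skipped.
    for tok in re.findall(r"\{|\}|[^{};\s](?:[^{};]*[^{};\s])?", text):
        if tok == "{":                       # the pending text is this block's header
            stack[-1][pending] = block = {"_stmts": []}
            stack.append(block)
        else:                                # any other token closes the pending statement
            if pending:
                stack[-1]["_stmts"].append(pending)
            if tok == "}":
                stack.pop()
        pending = None if tok in ("{", "}") else tok
    return stack[0]

def check_cos(text):
    """Apply the STIG check to config text; returns a list of findings (empty = compliant)."""
    cfg, findings = parse_junos(text), []
    ifaces = {k: v for k, v in cfg.get("interfaces", {}).items() if k != "_stmts"}
    if not ifaces:
        return ["no interfaces under class-of-service: default CoS only, this is a finding"]
    classifiers, maps, scheds = (cfg.get(k, {}) for k in ("classifiers", "scheduler-maps", "schedulers"))
    for name, ifc in ifaces.items():
        smap = [s.split()[1] for s in ifc["_stmts"] if s.startswith("scheduler-map ")]
        if not smap or smap[0] not in maps:
            findings.append(f"{name}: scheduler-map missing or undefined")
        bound = [s for k, u in ifc.items() if k.startswith("unit ") for s in u.get("classifiers", {}).get("_stmts", [])]
        if not bound or any(b not in classifiers for b in bound):
            findings.append(f"{name}: DSCP classifier missing or undefined")
    for mname, m in ((k, v) for k, v in maps.items() if k != "_stmts"):
        classes = {w[1]: w[3] for w in (s.split() for s in m["_stmts"])
                   if len(w) == 4 and w[0] == "forwarding-class"}   # forwarding class -> scheduler
        findings += [f"{mname}: scheduler {sc} for {fc} undefined" for fc, sc in classes.items() if sc not in scheds]
        if not set(classes) - {"best-effort", "network-control"}:
            findings.append(f"{mname}: only default BE/NC queues, no prioritized queue added")
    return findings
```

Run it against a captured "show configuration class-of-service" from the target switch; any non-empty result is a finding to review.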
Fix
Configure class-of-service (CoS):

user@host> configure
user@host# set class-of-service classifiers dscp <classifier name> import default
user@host# set class-of-service classifiers dscp <classifier name> forwarding-class <req'd forwarding class name> loss-priority <low|high> code-points <DSCP code point>
user@host# set class-of-service classifiers dscp <classifier name> forwarding-class <req'd forwarding class name> loss-priority <low|high> code-points <DSCP code point> (optional - only if multiple DSCP values are used)
user@host# set class-of-service interfaces <interface name> scheduler-map <scheduler map name>
user@host# set class-of-service interfaces <interface name> unit <unit number> classifiers dscp <classifier name>
user@host# set class-of-service interfaces <uplink interface> scheduler-map <scheduler map name>
user@host# set class-of-service interfaces <uplink interface> unit <unit number> classifiers dscp <classifier name>
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class best-effort scheduler <scheduler name> (e.g., be-scheduler)
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class <req'd forwarding class> scheduler <scheduler name> (e.g., ef-scheduler)
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class network-control scheduler <scheduler name> (e.g., nc-scheduler)
user@host# set class-of-service schedulers <be-scheduler name> transmit-rate (exact <value> | percent (0..100) | remainder)
user@host# set class-of-service schedulers <be-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
user@host# set class-of-service schedulers <ef-scheduler name> shaping-rate percent (0..100)
user@host# set class-of-service schedulers <ef-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
user@host# set class-of-service schedulers <nc-scheduler name> shaping-rate percent (0..100)
user@host# set class-of-service schedulers <nc-scheduler name> priority (high | low | medium-high | medium-low | strict-high)

Note: The classifier method (ToS bit, DSCP marking, etc.) and values, interfaces, priorities, and rates must be appropriate for the target environment.