The network of IT services must be hardened against Distributed Denial of Service (DDoS) attacks.
Services are configured to avoid participating in DDoS attacks.
There is a documented procedure in the event of high network load (in the case of DDoS attacks for example).
A procedure is in place to throttle traffic from non-critical sources, to ensure continued minimal essential functioning of the service.
Specification
The (D)DoS protection of a preferred supplier is used.
No open DNS resolvers and no NTP servers that can be abused for amplification.
Block broadcast requests to internal IP addresses that originate from outside the network.
Routers with Access Control Lists.
Configure BPDU guard against Spanning Tree Attacks.
Rate limiting is applied, either permanently or dynamically in response to load, to high-volume and potentially malicious traffic.
Integrate Quality of Service into network design.
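The throttling procedure from the requirements (continued minimal essential functioning) and the rate-limiting item above, as an added Python example that is not part of this control text: a per-source token bucket drops excess traffic from non-critical sources, while an allow-list of critical sources is never throttled. Addresses, rates and the traffic mix are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s up to `burst`."""
    rate: float
    burst: float
    tokens: float = 0.0
    last_ms: int = 0

    def allow(self, now_ms: int) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed_ms = max(0, now_ms - self.last_ms)
        self.tokens = min(self.burst, self.tokens + elapsed_ms * self.rate / 1000.0)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SourceThrottle:
    """Per-source throttle; sources on the critical allow-list are never limited."""

    def __init__(self, rate: float, burst: float, critical_sources: set[str]):
        self.rate, self.burst, self.critical = rate, burst, critical_sources
        self.buckets: dict[str, TokenBucket] = {}

    def admit(self, src: str, now_ms: int) -> bool:
        """True if the packet from `src` at `now_ms` may pass, False if it is dropped."""
        if src in self.critical:  # essential sources keep flowing during a flood
            return True
        bucket = self.buckets.get(src)
        if bucket is None:  # a new source starts with a full bucket
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, self.burst, now_ms)
        return bucket.allow(now_ms)


def run_sample() -> dict[str, tuple[int, int]]:
    """Constructed traffic mix (documentation address ranges); returns {source: (admitted, dropped)}."""
    throttle = SourceThrottle(rate=10, burst=10, critical_sources={"192.0.2.10"})
    stream = [("203.0.113.7", i * 50) for i in range(40)]    # 20 pkt/s flood, non-critical
    stream += [("192.0.2.10", i * 50) for i in range(40)]    # same load from a critical host
    stream += [("198.51.100.5", t) for t in (0, 500, 1000)]  # well-behaved client
    counts: dict[str, list[int]] = {}
    for src, t_ms in sorted(stream, key=lambda p: p[1]):
        tally = counts.setdefault(src, [0, 0])
        tally[0 if throttle.admit(src, t_ms) else 1] += 1
    return {src: (a, d) for src, (a, d) in counts.items()}
```

With a 10 token/s rate and a burst of 10, the 20 pkt/s flood is cut back to roughly half while the critical host and the well-behaved client lose nothing.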
ISO 27001 & 27002:2022: A8.20, A8.21, A8.22
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
SM.11 Network security