@@ -541,8 +541,9 @@ These are example data for which public statistics are available [i.17].
For low risk:
***[REQ-HA-0]**Expected availability shall be defined for each relevant system component.
***[REQ-HA-0]**The expected availability shall be defined for each relevant system component.
***[REQ-HA-1]** System updates and changes shall be included in the availability time definition.
***[REQ-HA-6]** The product shall emit security events about detected issues that affects the high availability.
For medium risk:
@@ -554,8 +555,15 @@ For medium risk:
For high risk:
DDoS mitigations:
* port switching
* traffic redirections
* service termination for a recommended and configurable time
* disabling of the affected ports and interfaces for a configurable time
***[REQ-HA-4]** The prodct shall implement coordinated brute‑force and overload protection mechanisms that not only detect excessive authentication attempts or inbound traffic surges but also enforce active mitigation actions including, but not limited to connection throttling, temporary IP blocking, message buffering, QoS parameterisation.
***[REQ-HA-5]** The product shall implement recovery or failover to mitigate overload attempts.
***[REQ-HA-8]** If the product can be exposed to DDoS, the product shall implement DDoS mitigations like listed above.