Commit 64a2f6d6 authored by Santeri Toikka

Added mitigations for DDoS

Closes #173
parent 6cdbfafa
+9 −1
@@ -541,8 +541,9 @@ These are example data for which public statistics are available [i.17].

For low risk:

* **[REQ-HA-0]** Expected availability shall be defined for each relevant system component.
* **[REQ-HA-0]** The expected availability shall be defined for each relevant system component.
* **[REQ-HA-1]** System updates and changes shall be included in the availability time definition.
* **[REQ-HA-6]** The product shall emit security events about detected issues that affects the high availability.

For medium risk:

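Review bot: In the added REQ-HA-6 bullet, "detected issues that affects the high availability" is too open to be assessed and has a grammar slip ("affects" should be "affect"). Suggest naming the event classes the product has to emit (for example overload detected, mitigation activated, failover started and finished) and where they are delivered, so that this low-risk requirement can be checked during conformity assessment. The identifier also jumps from REQ-HA-1 to REQ-HA-6 inside the low-risk list; if the IDs are meant to follow the risk levels in order, renumber, otherwise add a remark that IDs are assigned in order of creation.
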
@@ -554,8 +555,15 @@ For medium risk:

For high risk:

DDoS mitigations:
* port switching
* traffic redirections
* service termination for a recommended and configurable time
* disabling of the affected ports and interfaces for a configurable time

* **[REQ-HA-4]** The prodct shall implement coordinated brute‑force and overload protection mechanisms that not only detect excessive authentication attempts or inbound traffic surges but also enforce active mitigation actions including, but not limited to connection throttling, temporary IP blocking, message buffering, QoS parameterisation.
* **[REQ-HA-5]** The product shall implement recovery or failover to mitigate overload attempts.
* **[REQ-HA-8]** If the product can be exposed to DDoS, the product shall implement DDoS mitigations like listed above.

# 6 Conformity assessments and tests
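
Review bot: REQ-HA-8 at the end of this hunk refers to mitigations "like listed above", but that list sits as unnumbered free text directly under "For high risk:", so it is unclear whether the four items are normative, whether all or only some are required, and how "can be exposed to DDoS" is decided in an assessment. Suggest moving the list into REQ-HA-8 itself, or marking it as an informative note, and stating the minimum expected, e.g. "shall implement at least one of the following". Two of the listed items, "service termination for a recommended and configurable time" and "disabling of the affected ports and interfaces for a configurable time", take the service offline themselves, so in a high availability clause they need bounds (maximum duration, automatic re-enable) to keep the mitigation from causing a longer outage than the overload it reacts to. "A recommended and configurable time" should also say who recommends the value.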