NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-5(3) — Detection and Monitoring
(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: {{ insert: param, sc-05.03_odp.01 }}; and
(b) Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: {{ insert: param, sc-05.03_odp.02 }}.
Supplemental Guidance
Organizations consider the utilization and capacity of system resources when managing risk associated with a denial of service due to malicious attacks. Denial-of-service attacks can originate from external or internal sources. System resources that are sensitive to denial of service include physical disk storage, memory, and CPU cycles. Techniques used to prevent denial-of-service attacks related to storage utilization and capacity include instituting disk quotas, configuring systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data.
Practitioner Notes
You need to actively monitor for denial-of-service attacks and detect them early so you can respond before services go down completely.
Example 1: Configure your SIEM (Splunk, Sentinel) to alert on sudden traffic spikes — for example, if inbound connections per second exceed three times your normal baseline. Create a dashboard showing real-time traffic volume by source country and protocol.
Example 2: Enable NetFlow or sFlow on your core switches and send the data to a flow analyzer. Tools like SolarWinds NTA or ntopng can detect volumetric attacks in real time and automatically trigger mitigation rules on your upstream router.
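The rate-versus-baseline rule from Example 1, as an added illustration rather than any SIEM vendor's code: it buckets constructed connection-log lines into one-second windows, flags any second whose inbound connection count exceeds three times an assumed baseline, and lists the top sources in that window (the log format, baseline value and field layout are assumptions for the demo).

```python
"""Rate-based DoS indicator: flag seconds whose inbound connection count exceeds 3x baseline."""
from collections import Counter

# Constructed sample log: "<ISO timestamp> <source IP> -> :<dest port>" (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.10 -> :443
2024-05-01T10:00:00Z 198.51.100.7 -> :443
2024-05-01T10:00:01Z 203.0.113.11 -> :443
2024-05-01T10:00:02Z 203.0.113.10 -> :443
2024-05-01T10:00:02Z 198.51.100.9 -> :443
2024-05-01T10:00:02Z 203.0.113.10 -> :443
2024-05-01T10:00:02Z 203.0.113.13 -> :443
2024-05-01T10:00:02Z 203.0.113.10 -> :443
2024-05-01T10:00:02Z 203.0.113.15 -> :443
2024-05-01T10:00:02Z 203.0.113.16 -> :443
2024-05-01T10:00:02Z 203.0.113.13 -> :443
2024-05-01T10:00:03Z 198.51.100.7 -> :443
"""

BASELINE_CPS = 2.0      # assumed normal inbound connections per second for this service
SPIKE_MULTIPLIER = 3.0  # alert when the rate exceeds 3x the baseline (Example 1 rule)


def _parse(log_text):
    """Yield (second_bucket, source_ip) for each non-empty line; timestamps are second-precision ISO."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1]


def connections_per_second(log_text):
    """Count new inbound connections in each one-second bucket."""
    return Counter(ts for ts, _ in _parse(log_text))


def detect_spikes(log_text, baseline=BASELINE_CPS, multiplier=SPIKE_MULTIPLIER):
    """Return (second, count) pairs whose connection rate exceeds multiplier * baseline."""
    threshold = baseline * multiplier
    buckets = connections_per_second(log_text)
    return [(ts, n) for ts, n in sorted(buckets.items()) if n > threshold]


def top_sources(log_text, second, limit=3):
    """Most frequent source IPs within one flagged second, for the per-source dashboard view."""
    srcs = Counter(src for ts, src in _parse(log_text) if ts == second)
    return srcs.most_common(limit)


if __name__ == "__main__":
    for second, count in detect_spikes(SAMPLE_LOG):
        print(f"ALERT {second}: {count} conn/s (> {BASELINE_CPS * SPIKE_MULTIPLIER:.0f}); top sources {top_sources(SAMPLE_LOG, second)}")
```

In production the baseline should be learned per service and time of day rather than hard-coded, since a fixed value either misses low-and-slow floods or pages on legitimate peaks.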