What’s the best way to protect against DoS attacks that
try to take down your network? Layers at the perimeter, at zone borders,
and for critical devices!
This document is a streamlined checklist of pre-deployment,
deployment, and post-deployment best practices you can follow to
implement DoS and Zone Protection, including links to detailed configuration
information in the PAN-OS Adminstrator’s Guide.
A Denial-of-Service (DoS) attack attempts to make
a network device or resource unavailable to legitimate users by
disrupting services. These attacks usually come from the internet
but can come from misconfigured or compromised internal devices.
The typical method is to flood the target with resource requests
until the requests consume all of the target’s available resources—memory,
CPU cycles, and bandwidth—and the target becomes unavailable. Typical
targets are internet-facing devices users can access from outside
the corporate network, such as web servers and database servers.
As part of a layered approach to DoS protection, Palo Alto Networks
firewalls provide three DoS attack mitigation tools.
Zone Protection Profiles—Apply
only to new sessions in ingress zones and provide broad protection
against flood attacks by limiting the connections-per-second (CPS)
to the firewall, plus protection against reconnaissance (port scans
and host sweeps), packet-based attacks, and layer 2 protocol-based
Dos Protection Profiles and Policy
Rules—Provide granular protection of specific, critical devices
for new sessions. Classified policies protect individual devices
by limiting the CPS for a specific device or specific devices. Aggregate
policies limit the total CPS for a group of devices but don’t limit
the CPS for a particular device in the group to less than the total
allowed for the group, so one device may still receive the majority
of the connection requests.
Packet Buffer Protection—Protects
against single-session DoS attacks from existing sessions that attempt
to overwhelm the firewall’s packet buffer.