Create Internet-to-Data-Center DoS Protection Policy Rules
Protect your data center web servers and the firewall from DoS attacks to prevent attackers from taking down your data center network.
One method attackers use to disrupt a network is a Denial-of-Service (DoS) attack intended to overwhelm targeted systems that are connected to the internet, take them down, and make them unavailable to all of your legitimate users and services. Data center web servers are an attractive target because taking them down prevents most legitimate access to the data center.
Protect the data center web server tier by applying a classified DoS Protection Policy to internet traffic destined for those servers. A classified DoS Protection policy applies a classified DoS Protection Profile that controls the number of incoming connections to the traffic defined in the policy.
In addition, configure packet buffer protection for each zone to protect the firewall from single-session DoS attacks that can overwhelm the firewall’s packet buffer and cause legitimate traffic to drop, especially on firewalls that protect critical services.
- Create a classified DoS Protection Profile that protects data center web servers from DoS attacks by limiting the number of connections-per-second to prevent a SYN flood attack. This DoS Protection profile limits the number of connections-per-second (CPS) for the traffic defined in the DoS Protection Policy rules to which you attach the profile, to prevent a DoS attack from taking down your web servers. The profile sets progressive CPS thresholds to alert you, to activate Random Early Drop (RED) packet drop, and to block new connections, as well as a duration during which new connections remain blocked. The CPS thresholds you configure to protect your data center web servers depend on the capacity of your web servers. To create this profile:
If you don’t use protocols such as UDP or other IP protocols, restrict them using a combination of Security policy rules to whitelist applications and Zone Protection Profiles to block unused protocols by setting flood protection CPS to zero packets for protocols you want to block.
- At Objects > Security Profiles > DoS Protection, Add a classified DoS Protection Profile.
- Name the profile, select Classified for the profile Type, set the CPS values to alert (Alarm Rate), activate RED (Activate Rate), and begin blocking new sessions (Max Rate), and set the amount of time in seconds to block new sessions (Block Duration) when the CPS rate reaches the Max Rate threshold.
- Create a classified DoS Protection policy rule to define the servers you want to protect from a DoS attack and attach the DoS Protection profile to it. This rule prevents a SYN flood attack from taking down your data center web server tier. This example applies the classified DoS Protection profile to the external traffic allowed to connect to the web server tier. To create this rule:
To protect against SYN flood attacks from internal sources, create a separate DoS Protection policy rule that specifies your internal zones as the source zone instead of L3-External. Creating separate rules for external and internal attack sources provides separate reporting that makes investigating attack attempts easier.
- To apply DoS protection to traffic destined for the data center web server tier, the DoS Protection policy must apply to the same traffic as the Security Policy rule that allows the traffic. In this example, this DoS rule protects the traffic we allowed in Create Internet-to-Data-Center Application Whitelist Rules.
- On the Option/Protection tab, specify the web services (service-http and service-https), set the Action to protect to apply the DoS Protection profile’s SYN flood thresholds to the traffic, set the Log Forwarding method (assuming that you have configured log forwarding), and select the classified DoS Protection profile we configured for the traffic in the preceding step (Internet to DC).
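The following model, added here as an illustration and not Palo Alto Networks code, walks a constructed per-second connection load through the profile's progressive tiers (Alarm Rate, Activate Rate with RED, Max Rate with Block Duration) as configured above. The threshold values, the destination-IP classification key, and the linear RED drop probability are assumptions chosen for the example; the thresholds for your own web servers depend on their capacity.

```python
import random
from dataclasses import dataclass


@dataclass
class ClassifiedDosProfile:
    """CPS thresholds of a classified DoS Protection profile (values are assumed)."""
    alarm_rate: int        # CPS that raises an alarm log
    activate_rate: int     # CPS at which Random Early Drop (RED) begins
    max_rate: int          # CPS at which new sessions are blocked
    block_duration: int    # seconds new sessions stay blocked after Max Rate is hit


@dataclass
class TargetState:
    blocked_until: int = -1   # second until which new sessions to this target are blocked
    alarms: int = 0           # alarm events raised for this target


class ClassifiedDosProtection:
    """Applies the profile per protected destination IP (classification key assumed here)."""

    def __init__(self, profile: ClassifiedDosProfile, seed: int = 0):
        self.profile = profile
        self.targets: dict[str, TargetState] = {}
        self.rng = random.Random(seed)  # RED is probabilistic; seeded for repeatability

    def handle_second(self, dst_ip: str, now: int, cps: int) -> tuple[str, int]:
        """Evaluate one second of new-connection load; return (action, connections dropped)."""
        p = self.profile
        st = self.targets.setdefault(dst_ip, TargetState())
        if now < st.blocked_until:            # still inside Block Duration
            return "blocked", cps
        if cps >= p.alarm_rate:
            st.alarms += 1                    # alarm fires whichever tier applies
        if cps >= p.max_rate:                 # hard block for Block Duration seconds
            st.blocked_until = now + p.block_duration
            return "blocked", cps
        if cps >= p.activate_rate:            # RED: drop probability rises linearly to 1 at Max Rate
            drop_prob = (cps - p.activate_rate) / max(p.max_rate - p.activate_rate, 1)
            dropped = sum(1 for _ in range(cps) if self.rng.random() < drop_prob)
            return "red", dropped
        if cps >= p.alarm_rate:
            return "alarm", 0
        return "allow", 0


def simulate(profile: ClassifiedDosProfile, dst_ip: str, load: list[tuple[int, int]]):
    """Run a constructed (second, CPS) series through the profile; returns [(second, action, dropped)]."""
    dp = ClassifiedDosProtection(profile)
    return [(t, *dp.handle_second(dst_ip, t, cps)) for t, cps in load]
```

A constructed ramp such as `[(0, 50), (1, 120), (2, 150), (3, 300), (4, 500), (5, 10), (304, 10)]` with thresholds 100/150/400 and a 300-second block moves through allow, alarm, RED, block, and back to allow once the block expires.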