Create Internet-to-Data-Center DoS Protection Policy Rules
Protect your data center web servers and the firewall from DoS attacks to prevent attackers from taking down your data center network.
One method attackers use to disrupt a network is a Denial-of-Service (DoS) attack intended to overwhelm targeted systems that are connected to the internet, take them down, and make them unavailable to all of your legitimate users and services. Data center web servers are an attractive target because taking them down prevents most legitimate access to the data center.
Protect the data center web server tier by applying a classified DoS Protection policy rule to internet traffic destined for those servers. A classified DoS Protection policy rule applies a classified DoS Protection profile, which tracks and limits the rate of new connections (connections per second) for the traffic the rule matches, classified by source IP address, destination IP address, or both, so that each protected server is counted separately.
In addition, configure packet buffer protection for each zone to protect the firewall itself from single-session DoS attacks that can overwhelm the firewall's packet buffer and cause legitimate traffic to drop, especially on firewalls that protect critical services.
- Create a classified DoS Protection profile that protects data center web servers from DoS attacks by limiting the number of connections per second, to prevent a SYN flood attack. This DoS Protection profile limits the connections-per-second (CPS) rate of the traffic defined in the DoS Protection policy rules to which you attach the profile, so that a DoS attack cannot take down your web servers. The profile sets progressive CPS thresholds that alert you, activate Random Early Drop (RED) of new packets, and block new connections, plus a duration during which new connections remain blocked. The CPS thresholds you configure to protect your data center web servers depend on the capacity of your web servers. To create this profile:
If you don't use protocols such as UDP or other IP protocols, restrict them using a combination of Security policy rules that whitelist only the applications you use and Zone Protection profiles that block unused protocols (set the flood protection rate for a protocol you want to block to zero).
- At Objects > Security Profiles > DoS Protection, Add a classified DoS Protection profile.
- Name the profile, select Classified as the profile Type, and set the CPS thresholds at which the firewall generates an alarm (Alarm Rate), activates RED (Activate Rate), and begins blocking new sessions (Max Rate), and set the number of seconds new sessions remain blocked (Block Duration) once the CPS rate reaches the Max Rate threshold.
- Create a classified DoS Protection policy rule that defines the servers you want to protect from a DoS attack and attach the DoS Protection profile to it. This rule prevents a SYN flood attack from taking down your data center web server tier. This example applies the classified DoS Protection profile to the external traffic that is allowed to connect to the web server tier. To create this rule:
To protect against SYN flood attacks from internal sources, create a separate DoS Protection policy rule that specifies your internal zones as the source zone instead of L3-External. Creating separate rules for external and internal attack sources provides separate reporting that makes investigating attack attempts easier.
- To apply DoS protection to traffic destined for the web server tier, the DoS Protection policy must apply to the same traffic as the Security Policy rule that allows the traffic. In this example, this DoS rule protects the traffic we allowed in Create Internet-to-Data-Center Application Whitelist Rules.
- On the Option/Protection tab, specify the web services (service-http and service-https), set the Action to protect to apply the DoS Protection profile’s SYN flood thresholds to the traffic, set the Log Forwarding method (assuming that you have configured log forwarding), and select the classified DoS Protection profile we configured for the traffic in the preceding step (Internet to DC).
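The following is an added example, not PAN-OS code or code from this guide: a simplified model of what the classified profile and rule configured above do to new-connection rates toward each protected server. It tracks counters per destination IP (the classified behaviour), raises an alarm at Alarm Rate, drops a growing fraction of new SYNs between Activate Rate and Max Rate (a deterministic stand-in for RED's random drops, an assumption of this model), and blocks all new sessions for Block Duration seconds once Max Rate is reached. The class names, the one-second evaluation window, the linear drop curve and the addresses and rates are constructed for illustration.

```python
"""Added example (not PAN-OS code): simplified model of a classified DoS
Protection profile's Alarm Rate / Activate Rate / Max Rate / Block Duration
thresholds, applied per destination IP by a DoS Protection policy rule.
The linear RED curve and per-second windows are assumptions; sample traffic
is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClassifiedDosProfile:
    """Thresholds in connections per second (CPS), as set on the profile."""
    alarm_rate: int       # log an alarm when CPS reaches this value
    activate_rate: int    # start Random Early Drop (RED) of new SYNs at this CPS
    max_rate: int         # block all new sessions when CPS reaches this value
    block_duration: int   # seconds new sessions stay blocked after Max Rate is hit

    def red_drop_fraction(self, cps: int) -> float:
        """Fraction of new SYNs discarded: 0 below Activate Rate, 1 at Max Rate,
        linear in between (assumed curve used in place of random drops)."""
        if cps < self.activate_rate:
            return 0.0
        if cps >= self.max_rate:
            return 1.0
        return (cps - self.activate_rate) / (self.max_rate - self.activate_rate)


@dataclass
class ClassifiedDosRule:
    """One DoS Protection policy rule with a classified profile keyed on
    destination IP: each protected server has its own counters and block timer."""
    profile: ClassifiedDosProfile
    blocked_until: dict = field(default_factory=dict)  # dst_ip -> second block expires
    log: list = field(default_factory=list)             # (second, dst_ip, event)

    def evaluate(self, second: int, dst_ip: str, new_syns: int):
        """Apply the profile to one second of new connection attempts toward dst_ip.
        Returns (admitted, dropped, state) with state in allow/alarm/red/block."""
        p = self.profile
        if self.blocked_until.get(dst_ip, -1) > second:
            # Inside Block Duration: every new session is dropped regardless of rate.
            return 0, new_syns, "block"
        if new_syns >= p.max_rate:
            self.blocked_until[dst_ip] = second + p.block_duration
            self.log.append((second, dst_ip, "block"))
            return 0, new_syns, "block"
        if new_syns >= p.activate_rate:
            dropped = int(new_syns * p.red_drop_fraction(new_syns))
            self.log.append((second, dst_ip, "red"))
            return new_syns - dropped, dropped, "red"
        if new_syns >= p.alarm_rate:
            self.log.append((second, dst_ip, "alarm"))
            return new_syns, 0, "alarm"
        return new_syns, 0, "allow"


def run_flood_scenario():
    """Constructed scenario: a SYN flood against one web server while a second
    server matched by the same rule sees normal load. Returns per-second decisions."""
    profile = ClassifiedDosProfile(alarm_rate=1000, activate_rate=2000,
                                   max_rate=4000, block_duration=3)
    rule = ClassifiedDosRule(profile)
    traffic = [  # (second, destination IP, new SYNs in that second); constructed
        (0, "198.51.100.10", 500),   # normal load
        (0, "198.51.100.20", 400),   # normal load on the second server
        (1, "198.51.100.10", 1500),  # above Alarm Rate: alarm only
        (2, "198.51.100.10", 3000),  # half-way from Activate to Max Rate: RED drops 50%
        (3, "198.51.100.10", 6000),  # Max Rate reached: block new sessions for 3 s
        (4, "198.51.100.10", 100),   # still blocked although the rate is now low
        (4, "198.51.100.20", 400),   # other server unaffected (classified per dst IP)
        (6, "198.51.100.10", 100),   # block expired at second 3 + 3: allowed again
    ]
    return [(t, ip, rule.evaluate(t, ip, n)) for t, ip, n in traffic]


if __name__ == "__main__":
    for second, ip, (admitted, dropped, state) in run_flood_scenario():
        print(f"t={second}s {ip}: admitted={admitted} dropped={dropped} state={state}")
```

The point the model makes is the one the rule's classification setting controls: because the profile is classified on destination IP, the flood against 198.51.100.10 blocks new sessions only to that server, while 198.51.100.20 keeps accepting connections. An aggregate profile would instead count both servers together and the same flood could block the whole tier.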