Classified Versus Aggregate DoS Protection
Protect groups of devices with aggregate DoS protection
and protect critical individual devices with classified DoS protection.
Aggregate—Sets thresholds that
apply to the entire group of devices specified in a DoS Protection
policy rule instead of to each individual device, so one device
could receive the majority of the allowed connection traffic. For
example, a Max Rate of 20,000 CPS means the
total CPS for the group is 20,000, and an individual device can
receive up to 20,000 CPS if other devices don’t have connections.
Aggregate DoS Protection policies provide another layer of broad
protection (after your dedicated DDoS device at the internet perimeter
and Zone Protection profiles) for a particular group of critical
devices when you want to apply extra constraints on specific subnets,
users, or services.
Classified—Sets flood thresholds that
apply to each individual device specified in a DoS Protection policy
rule. For example, if you set an Max Rate of
5,000 CPS, each device specified in the rule can accept up to 5,000
CPS before it drops new connections. If you apply a classified DoS
Protection policy rule to more than one device, the devices governed
by the rule should be similar in terms of capacity and how you want
to control their CPS rates because classified thresholds apply to
each individual device. Classified profiles protect individual critical
resources.
When you configure a DoS Protection policy rule
with a classified DoS Protection profile (),
use the Address field to specify whether
incoming connections count toward the profile thresholds based on
matching the source-ip-only, destination-ip-only,
or scr-dest-ip-both (the firewall counts
both the source and the destination IP addresses matches toward
the thresholds). Counters consume resources, so the way you count
address matches affects firewall resource consumption. You can use
classified DoS protection to:
Protect critical individual
devices, especially servers that users access from the internet
and are often attack targets, such as web servers, database servers,
and DNS servers. Set appropriate flood and resource protection thresholds in
a classified DoS Protection profile. Create a DoS Protection policy
rule that applies the profile to each server’s IP address by adding
the IP addresses as the rule’s destination criteria, and set the Address to destination-ip-only.
Do
not use source-IP-only or src-dest-ip-both classification for
internet-facing zones in classified DoS Protection policy rules
because the firewall doesn’t have the capacity to store counters
for every possible IP address on the internet. Increment the threshold
counter for source IPs only for internal zone or same-zone rules.
In perimeter zones, use destination-ip-only.
Monitor the CPS rate for a suspect host or group of hosts
(the zone that contains the hosts cannot be internet-facing). Set
an appropriate alarm threshold in a classified DoS Protection profile
to notify you if a host initiates an unusually large number of connections.
Create a DoS Protection policy rule that applies the profile to
the individual source or source address group and set the Address to source-ip-only.
Investigate hosts that initiate enough new connections to set off
the alarm.
How you configure the Address (source-ip-only, destination-ip-only,
or src-dest-ip-both) for classified profiles
depends on your DoS protection goals, what you are protecting, and
whether the protected device(s) are in internet-facing zones.
The firewall uses more resources to track src-dest-ip-both as
the Address than to track source-IP-only or destination-ip-only because
the counters consume resources for both the source and destination
IP addresses instead of just one of the two.
If you apply both an aggregate and a classified DoS Protection
profile to the same DoS Protection policy rule, the firewall applies the
aggregate profile first and then applies the classified profile
if needed. For example, we protect a group of five web servers with both
types of profiles in a DoS Protection policy rule. The aggregate
profile configuration drops new connections when the combined total
for the group reaches a Max Rate of 25,000
CPS. The classified profile configuration drops new connections to
any individual web server in the group when it reaches a Max
Rate of 6,000 CPS. There are three scenarios where new
connection traffic crosses Max Rate thresholds:
The new CPS rate exceeds the aggregate Max
Rate but doesn’t exceed the classified Max
Rate. In this scenario, the firewall applies the aggregate
profile and blocks all new connections for the configured Block
Duration.
The new CPS rate doesn’t exceed the aggregate Max
Rate, but the CPS to one of the web servers exceeds
the classified Max Rate. In this scenario,
the firewall checks the aggregate profile and finds that the rate
for the group is less than 25,000 CPS, so the firewall doesn’t block
new connections based on that. Next, the firewall checks the classified
profile and finds that the rate for a particular server exceeds
6,000 CPS. The firewall applies the classified profile and blocks
new connections to that particular server for the configured Block
Duration. Because the other servers in the group are within the
classified profile’s Max Rate, their traffic
is not affected.
The new CPS rate exceeds the aggregate Max Rate and
also exceeds the classified Max Rate for
one of the web servers. In this scenario, the firewall checks the
aggregate profile and finds that the rate for the group exceeds
25,000 CPS, so the firewall blocks new connections to limit the
group’s total CPS. The firewall then checks the classified profile
and finds that the rate for a particular server exceeds 6,000 CPS
(so the aggregate profile enforced the group’s combined limit, but
that wasn’t enough to protect this particular server). The firewall
applies the classified profile and blocks new connections to that
particular server for the configured Block Duration. Because the
other servers in the group are within the classified profile’s Max
Rate, their traffic is not affected.
If you want both an aggregate and a classified DoS Protection
profile to apply to the same traffic, you must apply both profiles
to the same DoS Protection policy rule. If you apply the aggregate
profile to one rule and the classified profile to a different rule,
even if they specify exactly the same traffic, the firewall can
apply only one profile because when the traffic matches the first
DoS Protection policy rule, the firewall executes the Action specified
in that rule and doesn’t compare to the traffic to any subsequent
rules, so the traffic never matches the second rule and the firewall
can’t apply its action. (This is the same way that Security policy
rules work.)