Configure DoS Protection Against Flooding of New Sessions
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure DoS Protection Against Flooding of New Sessions
Before you configure a DoS protection policy
rule, make sure you understand that the set of IPv4 addresses is
treated as a subset of the set of IPv6 addresses, as described in
detail in Policy.
- Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address. (Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation).This step is one of the steps typically performed to stop an existing attack. See End a Single Session DoS Attack.Configure a DoS Protection profile for flood protection.Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
- Select ObjectsSecurity ProfilesDoS Protection and Add a profile Name.Select Classified as the Type.For Flood Protection, select all types of flood protection:
- SYN Flood
- UDP Flood
- ICMP Flood
- ICMPv6 Flood
- Other IP Flood
When you enable SYN Flood, select the Action that occurs when connections per second (cps) exceed the Activate Rate threshold:- Random Early Drop—The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate (above the Activate Rate) gets, the more packets the firewall drops. The firewall drops packets until the incoming cps rate reaches the Max Rate, at which point the firewall drops all incoming connections. Random Early Drop (RED) is the default action for SYN Flood, and the only action for UDP Flood, ICMP Flood, ICMPv6 Flood, and Other IP Flood. RED is more efficient than SYN Cookies and can handles larger attacks, but doesn’t discern between good and bad traffic.
- SYN Cookies—Rather than immediately sending the SYN to the server, the firewall generates a cookie (on behalf of the server) to send in the SYN-ACK to the client. The client responds with its ACK and the cookie; upon this validation the firewall then sends the SYN to the server. The SYN Cookies action requires more firewall resources than Random Early Drop; it’s more discerning because it affects bad traffic.
(Optional) On each of the flood tabs, change the following thresholds to suit your environment:- Alarm Rate (connections/s)—Specify the threshold rate (cps) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
- Activate Rate (connections/s)—Specify the threshold rate (cps) above which a DoS response is activated. When the Activate Rate threshold is reached, Random Early Drop occurs. Range is 0-2,000,000; default is 10,000. (For SYN Flood, you can select the action that occurs.)
- Max Rate (connections/s)—Specify the threshold rate of incoming connections per second that the firewall allows. When the threshold is exceeded, new connections that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)Set a low Block Duration value if you are concerned that packets you incorrectly identify as attack traffic will be blocked unnecessarily.Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that aren’t part of an attack.Click OK.Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.The firewall resources are finite, so you wouldn’t want to classify using source address on an internet-facing zone because there can be an enormous number of unique IP addresses that match the DoS Protection policy rule. That would require many counters and the firewall would run out of tracking resources. Instead, define a DoS Protection policy rule that classifies using the destination address (of the server you are protecting).- Select PoliciesDoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s). Choose zone or interface depending on your deployment and what you want to protect. For example, if you have only one interface coming into the firewall, choose Interface.(Optional) For Source Address, select Any for any incoming IP address to match the rule or Add an address object such as a geographical region.(Optional) For Source User, select any or specify a user.(Optional) Select Negate to match any sources except those you specify.(Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.(Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.(Optional) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.On the Option/Protection tab, for Action, select Protect.Select Classified.For Profile, select the name of the DoS Protection profile you created.For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic:
- Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
- Specify src-dest-ip-both if you want to protect against DoS attacks only on the server that has a specific destination address, and you also want to ensure that every source IP address won’t surpass a specific cps threshold to that server.
Click OK.Commit.Click Commit.