Focus

End a Single Session DoS Attack

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure DoS Protection Against Flooding of New Sessions

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

End a Single Session DoS Attack

To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.

Identify the source IP address that is causing the attack.
For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, use the ACC to filter on destination address to view the activity to the target host being attacked.
Create a DoS Protection policy rule that will block the attacker’s IP address after the attack thresholds are exceeded.
Create a Security policy rule to deny the source IP address and its attack traffic.
End any existing attacks from the attacking source IP address by executing the clear session all filter source <ip-address> operational command.
Alternatively, if you know the session ID, you can execute the clear session id <value> command to end that session only.

If you use the clear session all filter source <ip-address> command, all sessions matching the source IP address are discarded, which can include both good and bad sessions.

After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Multiple-Session DoS Attack.

Configure DoS Protection Against Flooding of New Sessions

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Next-Generation Firewall Docs

End a Single Session DoS Attack

Next-Generation Firewall Docs

End a Single Session DoS Attack

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner