Configure DoS Protection Against Flooding of New Sessions

  1. (Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation) Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address.
    This step is one of the steps typically performed to stop an existing attack. See Use the CLI to End a Single Attacking Session.
  2. Configure a DoS Protection profile for flood protection.
    Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
    1. Select Objects > Security Profiles > DoS Protection and Add a profile Name.
    2. Select Classified as the Type.
    3. For Flood Protection, select all types of flood protection:
       • SYN Flood
       • UDP Flood
       • ICMP Flood
       • ICMPv6 Flood
       • Other IP Flood
    4. When you enable SYN Flood, select the Action that occurs when the Activate Rate threshold is exceeded: Random Early Drop or SYN Cookies.
    5. (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
       • Alarm Rate (packets/s): the threshold rate (packets per second [pps]) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
       • Activate Rate (packets/s): the threshold rate (pps) above which a DoS response is activated. When the Activate Rate threshold is reached, Random Early Drop occurs. (Range is 0-2,000,000; default is 10,000.)
       • Max Rate (packets/s): the threshold rate of incoming packets per second that the firewall allows. When the threshold is exceeded, new packets that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
       The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
    6. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)
       Set a low Block Duration value if you are concerned that packets you incorrectly identified as attack traffic will be blocked unnecessarily.
       Set a high Block Duration value if you are more concerned about blocking volumetric attacks than about incorrectly blocking packets that are not part of an attack.
    7. Click OK.
  3. Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
    1. Select Policies > DoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
    2. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s).
    3. (Optional) For Source Address, select Any for any incoming IP address to match the rule, or Add an address object such as a geographical region.
    4. (Optional) For Source User, select any or specify a user.
    5. (Optional) Select Negate to match any sources except those you specify.
    6. (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
    7. (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
    8. (Optional) On the Option/Protection tab, Add a Service. Select a service, or click Service and enter a Name, select TCP or UDP, and enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
    9. On the Option/Protection tab, for Action, select Protect.
    10. Select Classified.
    11. For Profile, select the name of the DoS Protection profile you created.
    12. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic.
       • Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
       • Specify src-dest-ip-both if you want to protect only against DoS attacks on the server that has a specific destination address and also ensure that every source IP address will not surpass a specific connections-per-second threshold to that server.
    13. Click OK.
  4. Save the configuration: click Commit.
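The following is an added, constructed model of how the Alarm Rate, Activate Rate, Max Rate and Block Duration thresholds from the profile interact with the rule's Address setting (source-ip-only versus src-dest-ip-both). It is illustration code written for this page, not PAN-OS code; the linear Random Early Drop probability and the "block on exceeding Max Rate" behaviour are simplifying assumptions used to make the threshold ordering visible.

```python
import random
from dataclasses import dataclass, field


@dataclass
class DosProfile:
    """Thresholds from the flood tabs of a Classified DoS Protection profile."""
    alarm_rate: int = 10_000     # pps above which a DoS alarm is generated
    activate_rate: int = 10_000  # pps above which Random Early Drop begins
    max_rate: int = 40_000       # pps above which new packets are dropped
    block_duration: int = 300    # seconds the offending address stays blocked


@dataclass
class ClassifiedRule:
    """Constructed model of a Classified DoS Protection policy rule."""
    profile: DosProfile
    address: str = "source-ip-only"  # or "src-dest-ip-both"
    counts: dict = field(default_factory=dict)         # key -> (second, packets)
    blocked_until: dict = field(default_factory=dict)  # key -> expiry second
    alarms: list = field(default_factory=list)
    rng: random.Random = field(default_factory=lambda: random.Random(0))

    def key(self, src, dst):
        """Classify per source IP, or per source/destination pair."""
        return src if self.address == "source-ip-only" else (src, dst)

    def handle(self, src, dst, now):
        """Return allow, red-drop, drop or blocked for one packet at second `now`."""
        k, p = self.key(src, dst), self.profile
        if self.blocked_until.get(k, 0) > now:
            return "blocked"                 # still inside Block Duration
        second, n = self.counts.get(k, (now, 0))
        if second != now:                    # new one-second window for this key
            n = 0
        n += 1
        self.counts[k] = (now, n)
        if n == p.alarm_rate + 1:            # alarm once per window (assumption)
            self.alarms.append((k, now))
        if n > p.max_rate:                   # hard limit: drop and start blocking
            self.blocked_until[k] = now + p.block_duration
            return "drop"
        if n > p.activate_rate:              # RED zone between Activate and Max Rate
            drop_prob = (n - p.activate_rate) / (p.max_rate - p.activate_rate)
            return "red-drop" if self.rng.random() < drop_prob else "allow"
        return "allow"
```

Running it with small thresholds (for example alarm 3, activate 5, max 8, block 2) shows a single source passing its first five packets, entering the RED zone, being dropped and then blocked for the configured duration, while under src-dest-ip-both the same source's packets to a second destination are counted separately.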
