Configure DoS Protection Against Flooding of New Sessions

(Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation)
Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address.
This step is one of the steps typically performed to stop an existing attack. See Use the CLI to End a Single Attacking Session.
Components of a Security Policy Rule
Create a Security Policy Rule
Configure a DoS Protection profile for flood protection.
Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
Select
Objects
Security Profiles
DoS Protection
and
Add
a profile
Name
.
Select
Classified
as the
Type
.
For
Flood Protection
, select all types of flood protection:
SYN Flood
UDP Flood
ICMP Flood
ICMPv6 Flood
Other IP Flood
When you enable
SYN Flood
, select the
Action
that occurs when the
Activate Rate
threshold is exceeded:
Random Early Drop
or
SYN Cookies
.
(
Optional
) On each of the flood tabs, change the following thresholds to suit your environment:
Alarm Rate (packets/s)
—Specify the threshold rate (packets per second [pps]) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
Activate Rate (packets/s)
—Specify the threshold rate (pps) above which a DoS response is activated. When the
Activate Rate
threshold is reached,
Random Early Drop
occurs. (Range is 0-2,000,000; default is 10,000.)
Max Rate (packets/s)
—Specify the threshold rate of incoming packets per second that the firewall allows. When the threshold is exceeded, new packets that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
On each of the flood tabs, specify the
Block Duration
(in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)
Set a low Block Duration value if you are concerned that packets you incorrectly identified as attack traffic will be blocked unnecessarily.
Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that are not part of an attack.
Click
OK
.
Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
Select
Policies
DoS Protection
and
Add
a
Name
on the
General
tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
On the
Source
tab, choose the
Type
to be a
Zone
or
Interface
, and then
Add
the zone(s) or interface(s).
(
Optional
) For
Source Address
, select
Any
for any incoming IP address to match the rule or
Add
an address object such as a geographical region.
(
Optional
) For
Source User
, select
any
or specify a user.
(
Optional
) Select
Negate
to match any sources except those you specify.
(
Optional
) On the
Destination
tab, choose the
Type
to be a
Zone
or
Interface
, and then
Add
the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
(
Optional
) For
Destination Address
, select
Any
or enter the IP address of the device you want to protect.
(
Optional
) On the
Option/Protection
tab,
Add
a
Service
. Select a service or click
Service
and enter a
Name
. Select
TCP
or
UDP
. Enter a
Destination Port
. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
On the
Option/Protection
tab, for
Action
, select
Protect
.
Select
Classified
.
For
Profile
, select the name of the
DoS Protection
profile you created.
For
Address
, select
source-ip-only
or
src-dest-ip-both
, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic.
Specify
source-ip-only
if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack,
source-ip-only
is the typical setting for a wider examination.
Specify
src-dest-ip-both
if you want to protect only against DoS attacks on the server that has a specific destination address and also ensure that every source IP address will not surpass a specific connections-per-second threshold to that server.
Click
OK
.
Save the configuration.
Click
Commit
.