DoS Protection Against Flooding of New Sessions
- (Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation) Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address.
- Configure a DoS Protection profile for flood protection. Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
  - Select Objects > Security Profiles > DoS Protection and Add a profile Name.
  - Select Classified as the Type.
  - For Flood Protection, select all types of flood protection:
    - SYN Flood
    - UDP Flood
    - ICMP Flood
    - ICMPv6 Flood
    - Other IP Flood
  - When you enable SYN Flood, select the Action that occurs when the Activate Rate threshold is exceeded: Random Early Drop or SYN Cookies.
  - (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
    The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
    - Alarm Rate (packets/s)—Specify the threshold rate (packets per second [pps]) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
    - Activate Rate (packets/s)—Specify the threshold rate (pps) above which a DoS response is activated. When the Activate Rate threshold is reached, Random Early Drop occurs. (Range is 0-2,000,000; default is 10,000.)
    - Max Rate (packets/s)—Specify the threshold rate of incoming packets per second that the firewall allows. When the threshold is exceeded, new packets that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
  - On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.) Set a low Block Duration value if you are concerned that packets you incorrectly identified as attack traffic will be blocked unnecessarily. Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that are not part of an attack.
- Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
  - Select Policies > DoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
  - On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s).
  - (Optional) For Source Address, select Any for any incoming IP address to match the rule, or Add an address object such as a geographical region.
  - (Optional) For Source User, select any or specify a user.
  - (Optional) Select Negate to match any sources except those you specify.
  - (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
  - (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
  - (Optional) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
  - On the Option/Protection tab, for Action, select Protect.
  - For Profile, select the name of the DoS Protection profile you created.
  - For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic.
    - Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
    - Specify src-dest-ip-both if you want to protect only against DoS attacks on the server that has a specific destination address and also ensure that every source IP address will not surpass a specific connections-per-second threshold to that server.
- Save the configuration. Click Commit.
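The three thresholds and the Block Duration above interact in a fixed order (alarm, then activate, then max, then a timed block), and it is easy to mis-set them so that, for example, Activate Rate never fires before Max Rate. The following is an added, constructed Python model of that ordering for a classified (source-ip-only) profile; it is not Palo Alto Networks code, and the per-source block tracking and the packet-rate input are simplified assumptions rather than the firewall's actual counters.

```python
"""Constructed model of DoS Protection flood thresholds (not vendor code)."""
from dataclasses import dataclass, field


@dataclass
class FloodProfile:
    """One flood tab of a DoS Protection profile, with the documented ranges."""
    alarm_rate: int = 10_000        # pps above which a DoS alarm is logged
    activate_rate: int = 10_000     # pps above which the response is activated
    max_rate: int = 40_000          # pps above which new packets are dropped
    block_duration: int = 300       # seconds an offending source stays blocked
    syn_action: str = "random-early-drop"  # SYN Flood tab only: or "syn-cookies"

    def __post_init__(self) -> None:
        # Enforce the ranges given on the page so an invalid profile fails early.
        if not (0 <= self.alarm_rate <= 2_000_000 and 0 <= self.activate_rate <= 2_000_000):
            raise ValueError("alarm/activate rate must be 0-2,000,000 pps")
        if not (2 <= self.max_rate <= 2_000_000):
            raise ValueError("max rate must be 2-2,000,000 pps")
        if not (1 <= self.block_duration <= 21_600):
            raise ValueError("block duration must be 1-21,600 s")
        if self.syn_action not in ("random-early-drop", "syn-cookies"):
            raise ValueError("syn_action must be random-early-drop or syn-cookies")


@dataclass
class FloodMonitor:
    """Applies a FloodProfile per source IP (assumed source-ip-only classification)."""
    profile: FloodProfile
    blocked_until: dict = field(default_factory=dict)  # src -> block expiry (s)

    def evaluate(self, src: str, pps: int, now: int) -> str:
        """Return the action for traffic from src arriving at pps at time now."""
        p = self.profile
        # A source still inside its Block Duration is dropped regardless of rate.
        if self.blocked_until.get(src, 0) > now:
            return "blocked"
        if pps > p.max_rate:
            # Max Rate exceeded: drop new packets and start the block timer.
            self.blocked_until[src] = now + p.block_duration
            return "drop"
        if pps > p.activate_rate:
            # Activate Rate exceeded: mitigation (RED or SYN cookies) is applied.
            return p.syn_action
        if pps > p.alarm_rate:
            # Alarm Rate exceeded: traffic still passes, but an alarm is logged.
            return "alarm"
        return "allow"
```

Running a constructed burst through the monitor shows the escalation path and that a source becomes usable again only once its Block Duration has elapsed.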