Configure DoS Protection Against Flooding of New Sessions

  1. Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address. (
    Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation
    ).
    This step is one of the steps typically performed to stop an existing attack. See End a Single Session DoS Attack.
  2. Configure a DoS Protection profile for flood protection.
    Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
    1. Select
      Objects
      Security Profiles
      DoS Protection
      and
      Add
      a profile
      Name
      .
    2. Select
      Classified
      as the
      Type
      .
    3. For
      Flood Protection
      , select all types of flood protection:
      • SYN Flood
      • UDP Flood
      • ICMP Flood
      • ICMPv6 Flood
      • Other IP Flood
    4. When you enable
      SYN Flood
      , select the
      Action
      that occurs when connections per second (cps) exceed the
      Activate Rate
      threshold:
      1. Random Early Drop
        —The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate (above the
        Activate Rate
        ) gets, the more packets the firewall drops. The firewall drops packets until the incoming cps rate reaches the
        Max Rate
        , at which point the firewall drops all incoming connections.
        Random Early Drop
        (RED) is the default action for
        SYN Flood
        , and the only action for
        UDP Flood
        ,
        ICMP Flood
        ,
        ICMPv6 Flood
        , and
        Other IP Flood
        . RED is more efficient than SYN Cookies and can handles larger attacks, but doesn’t discern between good and bad traffic.
      2. SYN Cookies
        —Rather than immediately sending the SYN to the server, the firewall generates a cookie (on behalf of the server) to send in the SYN-ACK to the client. The client responds with its ACK and the cookie; upon this validation the firewall then sends the SYN to the server. The
        SYN Cookies
        action requires more firewall resources than
        Random Early Drop
        ; it’s more discerning because it affects bad traffic.
    5. (
      Optional
      ) On each of the flood tabs, change the following thresholds to suit your environment:
      • Alarm Rate (connections/s)
        —Specify the threshold rate (cps) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
      • Activate Rate (connections/s)
        —Specify the threshold rate (cps) above which a DoS response is activated. When the
        Activate Rate
        threshold is reached,
        Random Early Drop
        occurs. Range is 0-2,000,000; default is 10,000. (For SYN Flood, you can select the action that occurs.)
      • Max Rate (connections/s)
        —Specify the threshold rate of incoming connections per second that the firewall allows. When the threshold is exceeded, new connections that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
      The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
    6. On each of the flood tabs, specify the
      Block Duration
      (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)
      Set a low
      Block Duration
      value if you are concerned that packets you incorrectly identify as attack traffic will be blocked unnecessarily.
      Set a high
      Block Duration
      value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that aren’t part of an attack.
    7. Click
      OK
      .
  3. Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
    The firewall resources are finite, so you wouldn’t want to classify using source address on an internet-facing zone because there can be an enormous number of unique IP addresses that match the DoS Protection policy rule. That would require many counters and the firewall would run out of tracking resources. Instead, define a DoS Protection policy rule that classifies using the destination address (of the server you are protecting).
    1. Select
      Policies
      DoS Protection
      and
      Add
      a
      Name
      on the
      General
      tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
    2. On the
      Source
      tab, choose the
      Type
      to be a
      Zone
      or
      Interface
      , and then
      Add
      the zone(s) or interface(s). Choose zone or interface depending on your deployment and what you want to protect. For example, if you have only one interface coming into the firewall, choose Interface.
    3. (
      Optional
      ) For
      Source Address
      , select
      Any
      for any incoming IP address to match the rule or
      Add
      an address object such as a geographical region.
    4. (
      Optional
      ) For
      Source User
      , select
      any
      or specify a user.
    5. (
      Optional
      ) Select
      Negate
      to match any sources except those you specify.
    6. (
      Optional
      ) On the
      Destination
      tab, choose the
      Type
      to be a
      Zone
      or
      Interface
      , and then
      Add
      the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
    7. (
      Optional
      ) For
      Destination Address
      , select
      Any
      or enter the IP address of the device you want to protect.
    8. (
      Optional
      ) On the
      Option/Protection
      tab,
      Add
      a
      Service
      . Select a service or click
      Service
      and enter a
      Name
      . Select
      TCP
      or
      UDP
      . Enter a
      Destination Port
      . Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
    9. On the
      Option/Protection
      tab, for
      Action
      , select
      Protect
      .
    10. Select
      Classified
      .
    11. For
      Profile
      , select the name of the
      DoS Protection
      profile you created.
    12. For
      Address
      , select
      source-ip-only
      or
      src-dest-ip-both
      , which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic:
      • Specify
        source-ip-only
        if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack,
        source-ip-only
        is the typical setting for a wider examination.
      • Specify
        src-dest-ip-both
        if you want to protect against DoS attacks only on the server that has a specific destination address, and you also want to ensure that every source IP address won’t surpass a specific cps threshold to that server.
    13. Click
      OK
      .
  4. Commit.
    Click
    Commit
    .

Related Documentation