Configure DoS Protection Against Flooding of New Sessions
- Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address. (Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation).
- Configure a DoS Protection profile for flood protection.Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
- SelectandObjectsSecurity ProfilesDoS ProtectionAdda profileName.
- SelectClassifiedas theType.
- ForFlood Protection, select all types of flood protection:
- SYN Flood
- UDP Flood
- ICMP Flood
- ICMPv6 Flood
- Other IP Flood
- When you enableSYN Flood, select theActionthat occurs when connections per second (cps) exceed theActivate Ratethreshold:
- Random Early Drop—The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate (above theActivate Rate) gets, the more packets the firewall drops. The firewall drops packets until the incoming cps rate reaches theMax Rate, at which point the firewall drops all incoming connections.Random Early Drop(RED) is the default action forSYN Flood, and the only action forUDP Flood,ICMP Flood,ICMPv6 Flood, andOther IP Flood. RED is more efficient than SYN Cookies and can handles larger attacks, but doesn’t discern between good and bad traffic.
- SYN Cookies—Rather than immediately sending the SYN to the server, the firewall generates a cookie (on behalf of the server) to send in the SYN-ACK to the client. The client responds with its ACK and the cookie; upon this validation the firewall then sends the SYN to the server. TheSYN Cookiesaction requires more firewall resources thanRandom Early Drop; it’s more discerning because it affects bad traffic.
- (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
- Alarm Rate (connections/s)—Specify the threshold rate (cps) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
- Activate Rate (connections/s)—Specify the threshold rate (cps) above which a DoS response is activated. When theActivate Ratethreshold is reached,Random Early Dropoccurs. Range is 0-2,000,000; default is 10,000. (For SYN Flood, you can select the action that occurs.)
- Max Rate (connections/s)—Specify the threshold rate of incoming connections per second that the firewall allows. When the threshold is exceeded, new connections that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
- On each of the flood tabs, specify theBlock Duration(in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)Set a lowBlock Durationvalue if you are concerned that packets you incorrectly identify as attack traffic will be blocked unnecessarily.Set a highBlock Durationvalue if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that aren’t part of an attack.
- Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.The firewall resources are finite, so you wouldn’t want to classify using source address on an internet-facing zone because there can be an enormous number of unique IP addresses that match the DoS Protection policy rule. That would require many counters and the firewall would run out of tracking resources. Instead, define a DoS Protection policy rule that classifies using the destination address (of the server you are protecting).
- SelectandPoliciesDoS ProtectionAddaNameon theGeneraltab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
- On theSourcetab, choose theTypeto be aZoneorInterface, and thenAddthe zone(s) or interface(s). Choose zone or interface depending on your deployment and what you want to protect. For example, if you have only one interface coming into the firewall, choose Interface.
- (Optional) ForSource Address, selectAnyfor any incoming IP address to match the rule orAddan address object such as a geographical region.
- (Optional) ForSource User, selectanyor specify a user.
- (Optional) SelectNegateto match any sources except those you specify.
- (Optional) On theDestinationtab, choose theTypeto be aZoneorInterface, and thenAddthe destination zone(s) or interface(s). For example, enter the security zone you want to protect.
- (Optional) ForDestination Address, selectAnyor enter the IP address of the device you want to protect.
- (Optional) On theOption/Protectiontab,AddaService. Select a service or clickServiceand enter aName. SelectTCPorUDP. Enter aDestination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
- On theOption/Protectiontab, forAction, selectProtect.
- ForProfile, select the name of theDoS Protectionprofile you created.
- ForAddress, selectsource-ip-onlyorsrc-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic:
- Specifysource-ip-onlyif you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack,source-ip-onlyis the typical setting for a wider examination.
- Specifysrc-dest-ip-bothif you want to protect against DoS attacks only on the server that has a specific destination address, and you also want to ensure that every source IP address won’t surpass a specific cps threshold to that server.
Objects > Security Profiles > DoS Protection
Objects > Security Profiles > DoS Protection DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile ...
Protect your data center web servers and the firewall from DoS attacks to prevent attackers from taking down your data center network. ...
DoS Protection Against Flooding of New Sessions
DoS Protection Against Flooding of New Sessions DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session ...
DoS Protection Option/Protection Tab
DoS Protection Option/Protection Tab Select the Option/Protection tab to configure options for the DoS Protection policy rule, such as the type of service (http or ...
Flood Protection A zone protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP floods. The ...
DoS Protection Profiles
DoS Protection Profiles When you create DoS protection policy rules, you apply DoS protection profiles to the policy rules if the rules have an action ...
Flood Protection Network > Network Profiles > Zone Protection > Flood Protection Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, and UDP ...
Building Blocks of Zone Protection Profiles
Building Blocks of Zone Protection Profiles To create a Zone Protection profile, Add a profile and name it. Zone Protection Profile Settings Configured In Description ...
Actions in Security Profiles
Actions in Security Profiles The action specifies how the firewall responds to a threat event. Every threat or virus signature that is defined by Palo ...