DoS Protection Profiles

When you create DoS protection policy rules, you apply DoS protection profiles to the policy rules if the rules have an action of Protect (if the action is Deny or Allow, no DoS protection profile is used).
Configuring flood protection thresholds in a DoS protection profile is similar to configuring Flood Protection in a zone protection profile. The difference is where you apply flood protection. Applying flood protection with a zone protection profile protects the ingress zone, while applying flood protection with a DoS protection profile and policy rule is more granular and targeted, and can even be classified to a single IP address.
For both aggregate and classified DoS protection profiles, as with zone protection profiles, you can:
  • Configure SYN, UDP, ICMP, ICMPv6, and other IP flood protection.
  • Set alarm, activate, and maximum connections-per-second thresholds. When incoming connections-per-second reach the activate threshold, the firewall begins to drop packets. When the incoming connections-per-second reach the maximum threshold, the firewall drops additional incoming connections.
  • Use SYN cookies instead of RED for SYN flood packets.
The advice in zone protection profile Flood Protection about adjusting the default flood threshold values for your network’s traffic is valid for setting DoS protection profile flood protection thresholds. Take a baseline measurement of peak traffic loads over a period of time and adjust the flood thresholds to allow the expected legitimate traffic load and to throttle or drop traffic when the load indicates a flood attack. Monitor the traffic and continue to adjust the thresholds until they meet your protection objectives.
Configuring resource protection thresholds in a DoS protection profile sets the maximum number of concurrent sessions that a resource supports. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. You define the resource you are protecting in a DoS protection policy rule by the resource’s source IP address, destination IP address, or the source and destination IP address pair.
An aggregate DoS protection profile applies to all of the traffic that matches the associated DoS protection policy rule, for all sources, destinations, and services allowed for that rule. A classified DoS protection profile can enforce different session rate limits for different groups of end hosts or even for one particular end host.
Here are some examples of what you can do with a classified DoS protection profile:
  • To prevent hosts on your network from starting a DoS attack, you can monitor the rate of traffic each host in a source address group initiates. To do this, set an appropriate alarm threshold in a DoS protection profile to notify you if a host initiates an unusually large amount of traffic, and create a DoS protection policy rule that applies the profile to the source address group. Investigate any hosts that initiate enough traffic to set off the alarm.
  • To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server’s IP address by adding the IP addresses as the rule’s destination criteria.
  • Track the flow between a pair of endpoints by setting appropriate thresholds in the DoS protection profile and creating a DoS protection policy rule that specifies the source and destination IP addresses of the endpoints as the matching criteria.
    Do not use source IP classification for internet-facing zones in classified DoS protection policy rules. The firewall does not have the capacity to store counters for every possible IP address on the internet.

Related Documentation