Flood Protection

A zone protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP floods. The firewall measures the aggregate amount of each flood type ingressing the zone in connections-per-second and compares the total to the thresholds configured in the zone protection profile.
For each flood type, you set three thresholds:
  • Alarm Rate—The number of connections-per-second to trigger an alarm.
  • Activate—The number of connections-per-second to activate the flood protection mechanism. For ICMP, ICMPv6, UDP, and other IP floods, the protection mechanism is Random Early Drop (RED, also known as Random Early Detection), and packets begin to drop when the number of connections-per-second reaches the Activate threshold. For SYN floods, the protection mechanism can be RED or SYN cookies. SYN cookies does not drop packets. As the number of connections-per-second increases above the Activate threshold, the firewall drops more packets when RED is the protection mechanism.
  • Maximum—The number of connections-per-second to drop incoming packets when RED is the protection mechanism.
If the number of connections-per-second exceeds a threshold, the firewall generates an alarm, activates the drop mechanism, or drops all packets when RED is the protection mechanism.
For SYN packets only, you can select SYN Cookies instead of dropping the packets with RED. When you use SYN Cookies, the firewall acts as a proxy for the target server and responds to the SYN request by generating a SYN-ACK packet and corresponding cookie on behalf of the target. When the firewall receives an ACK packet from the initiator with the correct cookie, the firewall forwards the SYN packet to the target server.
The advantage to using SYN cookies instead of RED is that the firewall drops the offending packets and treats legitimate connections fairly. Because RED randomly drops connections, RED impacts some legitimate traffic. However, using SYN cookies instead of RED uses more firewall resources because the firewall handles the three-way SYN handshake for the target. The tradeoff is using more firewall resources versus not dropping legitimate traffic with RED and offloading the SYN handshake from the target.
Adjust the default threshold values in a zone protection profile to the levels appropriate for your network. The default values are high so that activating a zone protection profile does not unexpectedly drop legitimate traffic.
Adjust the thresholds for your environment by taking a baseline measurement of the peak traffic load for each flood type to determine the normal traffic load for the zone. Set Alarm Rate thresholds at 15-20 percent above the baseline number of connections-per-second and monitor the alarms to see if the threshold is reasonable for the legitimate traffic load. Because the normal traffic load experiences some fluctuation, it is best not to drop packets too aggressively.
While determining a baseline and testing the Alarm Rate threshold, set the Activate and Maximum thresholds to a high number to avoid dropping legitimate packets if the thresholds are too aggressive. After you determine a reasonable Alarm Rate threshold, set Activate and Maximum thresholds to drop packets when traffic increases enough beyond normal to indicate a flood attack. Continue to monitor traffic and adjust the thresholds to meet your security objectives and to ensure that the thresholds don’t drop legitimate traffic but do prevent unwanted spikes in traffic volume.
A major difference between flood protection using a zone protection profile and a DoS protection profile is where the firewall applies flood protection. Zone protection profiles apply to an entire zone, while DoS protection profiles apply only to the IP addresses, zones, and users specified in the DoS protection policy rule associated with the profile.

Related Documentation