A zone protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP floods. The firewall measures the aggregate amount of each flood type ingressing the zone in connections-per-second and compares the total to the thresholds configured in the zone protection profile.
For each flood type, you set three thresholds:
- Alarm Rate—The number of connections-per-second to trigger an alarm.
- Activate—The number of connections-per-second at which the firewall activates the flood protection mechanism. For ICMP, ICMPv6, UDP, and other IP floods, the mechanism is Random Early Drop (RED, also known as Random Early Detection): packets begin to drop when the rate reaches the Activate threshold, and the firewall drops a larger share of packets as the rate climbs further above it. For SYN floods, the mechanism can be either RED or SYN cookies; SYN cookies do not drop packets.
- Maximum—The number of connections-per-second at which the firewall drops all incoming packets of that flood type when RED is the protection mechanism.
When the number of connections-per-second reaches the Alarm Rate, Activate, or Maximum threshold, the firewall respectively generates an alarm, activates the protection mechanism, or (when RED is the protection mechanism) drops every incoming packet of that flood type.
For SYN packets only, you can select SYN Cookies instead of dropping packets with RED. When you use SYN Cookies, the firewall acts as a proxy for the target server: it answers the SYN with a SYN-ACK that carries a cookie generated on behalf of the target. When the firewall receives the initiator's ACK with the correct cookie, it forwards the SYN packet to the target server. A spoofed source never returns a valid ACK, so its half-open attempt never reaches the target.
The advantage of SYN cookies over RED is selectivity: only connection attempts that fail to complete the handshake are discarded, so legitimate connections are not affected, whereas RED drops packets at random and therefore impacts some legitimate traffic. The cost is that the firewall itself handles the three-way handshake on behalf of the target, which consumes more firewall resources. The tradeoff is therefore additional firewall load against two benefits: legitimate traffic is not dropped, and the SYN handshake is offloaded from the target.
Adjust the default threshold values in a zone protection profile to the levels appropriate for your network. The default values are high so that activating a zone protection profile does not unexpectedly drop legitimate traffic.
Adjust the thresholds for your environment by taking a baseline measurement of the peak traffic load for each flood type to determine the normal traffic load for the zone. Set Alarm Rate thresholds at 15-20 percent above the baseline number of connections-per-second and monitor the alarms to see if the threshold is reasonable for the legitimate traffic load. Because the normal traffic load experiences some fluctuation, it is best not to drop packets too aggressively.
While determining a baseline and testing the Alarm Rate threshold, set the Activate and Maximum thresholds to a high number to avoid dropping legitimate packets if the thresholds are too aggressive. After you determine a reasonable Alarm Rate threshold, set Activate and Maximum thresholds to drop packets when traffic increases enough beyond normal to indicate a flood attack. Continue to monitor traffic and adjust the thresholds to meet your security objectives and to ensure that the thresholds don’t drop legitimate traffic but do prevent unwanted spikes in traffic volume.
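The three thresholds and the two-phase tuning procedure above, modelled as an added Python example (this is not PAN-OS code). The page does not document the firewall's internal drop curve, so the linear RED ramp between Activate and Maximum, the 2x/4x production multiples for Activate and Maximum, and the per-second sample counts are assumptions made for illustration:

```python
"""Zone-protection flood thresholds: Alarm Rate, Activate, Maximum.

Added example, not PAN-OS code. Assumptions (not from the page):
- RED drop probability rises linearly from 0 at Activate to 1 at Maximum;
  the page only says the firewall drops "more" packets as the rate climbs.
- Production Activate/Maximum are set at 2x/4x the baseline peak.
- BASELINE_SAMPLES are constructed per-second new-connection counts.
"""
from dataclasses import dataclass

# Constructed baseline: new connections per second for one flood type
# (e.g. SYN) over a 10-second peak-load window. Peak is 8000 cps.
BASELINE_SAMPLES = [4800, 5200, 6100, 5900, 8000, 7400, 5100, 4950, 6300, 5600]


@dataclass(frozen=True)
class FloodThresholds:
    alarm: int     # cps at which an alarm is generated
    activate: int  # cps at which RED or SYN cookies activate
    maximum: int   # cps at which RED drops every incoming packet

    def __post_init__(self):
        # The profile only makes sense with ordered thresholds.
        if not 0 < self.alarm <= self.activate <= self.maximum:
            raise ValueError("need 0 < alarm <= activate <= maximum")


def ceil_div(a, b):
    """Integer ceiling, avoiding float rounding on the percentage math."""
    return -(-a // b)


def baseline_peak_cps(samples):
    """Peak of the measured per-second rates for one flood type."""
    if not samples:
        raise ValueError("no baseline samples")
    return max(samples)


def tuning_thresholds(peak_cps, headroom_pct=20, parking=4_000_000):
    """Phase 1: Alarm Rate 15-20% above the baseline peak; Activate and
    Maximum parked high so nothing is dropped while the alarm threshold is
    validated against real traffic."""
    alarm = ceil_div(peak_cps * (100 + headroom_pct), 100)
    return FloodThresholds(alarm=alarm, activate=parking, maximum=parking)


def production_thresholds(peak_cps, headroom_pct=20, activate_mult=2, maximum_mult=4):
    """Phase 2: once alarms prove reasonable, lower Activate and Maximum to
    rates far enough above normal to indicate a flood (the multiples are an
    assumption for illustration)."""
    alarm = ceil_div(peak_cps * (100 + headroom_pct), 100)
    return FloodThresholds(alarm=alarm,
                           activate=peak_cps * activate_mult,
                           maximum=peak_cps * maximum_mult)


def evaluate(rate_cps, t, mechanism="red"):
    """Decide what the firewall does at an observed aggregate rate.

    Returns (alarm_raised, action, drop_fraction). Thresholds are inclusive
    ("reaches the threshold")."""
    if mechanism not in ("red", "syn-cookies"):
        raise ValueError(f"unknown mechanism {mechanism!r}")
    alarm = rate_cps >= t.alarm
    if rate_cps < t.activate:
        return alarm, "forward", 0.0
    if mechanism == "syn-cookies":
        # The firewall proxies the SYN/SYN-ACK/ACK exchange instead of
        # dropping; only initiators returning the right cookie reach the server.
        return alarm, "syn-cookie-proxy", 0.0
    if rate_cps >= t.maximum:
        return alarm, "drop-all", 1.0
    # Assumption: linear RED ramp between Activate (0%) and Maximum (100%).
    frac = (rate_cps - t.activate) / (t.maximum - t.activate)
    return alarm, "red", frac


if __name__ == "__main__":
    peak = baseline_peak_cps(BASELINE_SAMPLES)
    for label, thr in (("tuning", tuning_thresholds(peak)),
                       ("production", production_thresholds(peak))):
        print(f"{label}: {thr}")
        for rate in (9000, 10_000, 20_000, 35_000):
            print(f"  {rate:>6} cps  RED -> {evaluate(rate, thr)}  "
                  f"SYN cookies -> {evaluate(rate, thr, 'syn-cookies')}")
```

Running the script shows the point of the procedure: with the phase-1 thresholds a 20,000 cps burst only raises an alarm, while with the phase-2 thresholds the same burst lands on the RED ramp (a quarter of packets dropped under the linear assumption) or, with SYN cookies selected, is proxied rather than dropped.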
A major difference between flood protection using a zone protection profile and a DoS protection profile is where the firewall applies flood protection. Zone protection profiles apply to an entire zone, while DoS protection profiles apply only to the IP addresses, zones, and users specified in the DoS protection policy rule associated with the profile.