Flood Protection

  • Network > Network Profiles > Zone Protection > Flood Protection
Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, and UDP packets, as well as protection against flooding from other types of IP packets.
Zone Protection Profile Settings—Flood Protection
All of the following settings are configured in Network > Network Profiles > Zone Protection > Flood Protection.

SYN
Select to enable protection against SYN floods.
Action
Select the action to take in response to a SYN flood attack.
  • Random Early Drop—Causes SYN packets to be dropped to mitigate a flood attack:
    • When the flow exceeds the Alert rate threshold, an alarm is generated.
    • When the flow exceeds the Activate rate threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    • When the flow exceeds the Maximum rate threshold, 100% of incoming SYN packets are dropped.
  • SYN Cookies—Causes the firewall to act like a proxy: it intercepts the SYN, generates a cookie on behalf of the server to which the SYN was directed, and sends a SYN-ACK with the cookie to the original source. Only when the source returns an ACK with the cookie to the firewall does the firewall consider the source valid and forward the SYN to the server. This is the preferred Action.
Alarm Rate (connections/sec)
Enter the number of SYN packets (not matching an existing session) the zone receives per second that triggers an alarm. You can view alarms on the Dashboard and in the threat log (Monitor > Packet Capture).
Activate (connections/sec)
Enter the number of SYN packets (not matching an existing session) that the zone receives per second that triggers the Action specified in this Zone Protection profile. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the SYN packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec)
Enter the maximum number of SYN packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
ICMP
Select to enable protection against ICMP floods.
Alarm Rate (connections/sec)
Enter the number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
Activate (connections/sec)
Enter the number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMP packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec)
Enter the maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
ICMPv6
Select to enable protection against ICMPv6 floods.
Alarm Rate (connections/sec)
Enter the number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
Activate (connections/sec)
Enter the number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMPv6 packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec)
Enter the maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
UDP
Select to enable protection against UDP floods.
Alarm Rate (connections/sec)
Enter the number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
Activate (connections/sec)
Enter the number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the UDP packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec)
Enter the maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
Other IP
Select to enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, and non-UDP) floods.
Alarm Rate (connections/sec)
Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets that do not match an existing session) that the zone receives per second that triggers an attack alarm.
Activate (connections/sec)
Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets that do not match an existing session) that the zone receives per second that triggers random dropping of other IP packets. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the other IP packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec)
Enter the maximum number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets that do not match an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
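The Alarm Rate, Activate and Maximum thresholds described above for SYN, ICMP, ICMPv6, UDP and Other IP all follow the same three-stage scheme: alarm only, then progressively heavier random dropping, then 100% dropping. The following Python model is an added example, not Palo Alto Networks' code. It assumes a linear drop ramp between Activate and Maximum (the page says only that dropping increases progressively); the `FloodThresholds` class, the `PROFILE` numbers and the `SAMPLES` traffic series are constructed for illustration and are not the product's defaults.

```python
import random


class FloodThresholds:
    """Alarm Rate / Activate / Maximum thresholds for one packet type in one zone.

    Rates are packets per second that do not match an existing session, as in
    the profile table. The ramp between Activate and Maximum is assumed to be
    linear for this example; the page says only that dropping is progressive.
    """

    def __init__(self, name, alarm_rate, activate_rate, maximum_rate):
        # Sanity check on the example's own numbers, not a product rule.
        if not alarm_rate <= activate_rate <= maximum_rate:
            raise ValueError("expected Alarm <= Activate <= Maximum")
        self.name = name
        self.alarm_rate = alarm_rate
        self.activate_rate = activate_rate
        self.maximum_rate = maximum_rate

    def alarm(self, rate):
        """An alarm is raised once the rate exceeds the Alarm Rate threshold."""
        return rate > self.alarm_rate

    def drop_probability(self, rate):
        """Fraction of incoming packets of this type dropped at the observed rate."""
        if rate <= self.activate_rate:
            return 0.0   # at or below Activate: nothing is dropped
        if rate >= self.maximum_rate:
            return 1.0   # at or above Maximum: 100% dropped
        return (rate - self.activate_rate) / (self.maximum_rate - self.activate_rate)

    def apply(self, rate, rng):
        """Randomly drop packets for one second of traffic; returns (passed, dropped)."""
        p = self.drop_probability(rate)
        dropped = sum(1 for _ in range(rate) if rng.random() < p)
        return rate - dropped, dropped


# Constructed per-type thresholds for the example (not the product's defaults).
PROFILE = {
    "SYN": FloodThresholds("SYN", 10_000, 10_000, 40_000),
    "ICMP": FloodThresholds("ICMP", 500, 1_000, 4_000),
    "ICMPv6": FloodThresholds("ICMPv6", 500, 1_000, 4_000),
    "UDP": FloodThresholds("UDP", 2_000, 5_000, 15_000),
    "other-ip": FloodThresholds("other-ip", 500, 1_000, 4_000),
}


def simulate(samples, seed=7):
    """Evaluate one-second samples of (second, packet_type, rate) against PROFILE.

    Returns one record per sample with the alarm state, the drop probability
    and how many packets the random drop actually removed.
    """
    rng = random.Random(seed)
    records = []
    for second, ptype, rate in samples:
        t = PROFILE[ptype]
        passed, dropped = t.apply(rate, rng)
        records.append({
            "second": second, "type": ptype, "rate": rate,
            "alarm": t.alarm(rate),
            "drop_probability": t.drop_probability(rate),
            "passed": passed, "dropped": dropped,
        })
    return records


# Constructed traffic series: a UDP flood ramps up past Maximum, then subsides.
SAMPLES = [
    (0, "UDP", 1_000),   # normal: no alarm, nothing dropped
    (1, "UDP", 3_000),   # above Alarm Rate: alarm only
    (2, "UDP", 10_000),  # halfway between Activate and Maximum: ~50% dropped
    (3, "UDP", 20_000),  # above Maximum: everything dropped
    (4, "UDP", 4_000),   # back below Activate: dropping stops, alarm persists
]

if __name__ == "__main__":
    for r in simulate(SAMPLES):
        print(f"t={r['second']}s {r['type']:<8} rate={r['rate']:>6} "
              f"alarm={str(r['alarm']):<5} p_drop={r['drop_probability']:.2f} "
              f"dropped={r['dropped']}")
```

When tuning real thresholds, the useful check this model makes visible is the gap between Activate and Maximum: a narrow gap means the firewall jumps from dropping nothing to dropping everything over a small change in rate, while a wide gap gives legitimate new sessions a better chance of surviving a moderate flood at the cost of letting more attack packets through.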