Classified Versus Aggregate DoS Protection

Protect groups of devices with aggregate DoS protection and protect critical individual devices with classified DoS protection.
You can configure
aggregate
and
classified
DoS Protection Profiles, and apply one profile or one of each type of profile to DoS Protection Policy Rules when you configure DoS Protection.
  • Aggregate
    —Sets thresholds that apply to the entire group of devices specified in a DoS Protection policy rule instead of to each individual device, so one device could receive the majority of the allowed connection traffic. For example, a
    Max Rate
    of 20,000 CPS means the total CPS for the group is 20,000, and an individual device can receive up to 20,000 CPS if other devices don’t have connections. Aggregate DoS Protection policies provide another layer of broad protection (after your dedicated DDoS device at the internet perimeter and Zone Protection profiles) for a particular group of critical devices when you want to apply extra constraints on specific subnets, users, or services.
  • Classified
    —Sets flood thresholds that apply to each individual device specified in a DoS Protection policy rule. For example, if you set an
    Max Rate
    of 5,000 CPS, each device specified in the rule can accept up to 5,000 CPS before it drops new connections. If you apply a classified DoS Protection policy rule to more than one device, the devices governed by the rule should be similar in terms of capacity and how you want to control their CPS rates because classified thresholds apply to each individual device. Classified profiles protect individual critical resources.
    When you configure a DoS Protection policy rule with a classified DoS Protection profile (
    Option/Protection
    Classified
    Address
    ), use the
    Address
    field to specify whether incoming connections count toward the profile thresholds based on matching the
    source-ip-only
    ,
    destination-ip-only
    , or
    scr-dest-ip-both
    (the firewall counts both the source and the destination IP addresses matches toward the thresholds). Counters consume resources, so the way you count address matches affects firewall resource consumption. You can use classified DoS protection to:
    • Protect critical individual devices, especially servers that users access from the internet and are often attack targets, such as web servers, database servers, and DNS servers. Set appropriate flood and resource protection thresholds in a classified DoS Protection profile. Create a DoS Protection policy rule that applies the profile to each server’s IP address by adding the IP addresses as the rule’s destination criteria, and set the
      Address
      to
      destination-ip-only
      .
      Do not use
      source-IP-only
      or
      src-dest-ip-both
      classification for internet-facing zones in classified DoS Protection policy rules because the firewall doesn’t have the capacity to store counters for every possible IP address on the internet. Increment the threshold counter for source IPs only for internal zone or same-zone rules. In perimeter zones, use
      destination-ip-only
      .
    • Monitor the CPS rate for a suspect host or group of hosts (the zone that contains the hosts cannot be internet-facing). Set an appropriate alarm threshold in a classified DoS Protection profile to notify you if a host initiates an unusually large number of connections. Create a DoS Protection policy rule that applies the profile to the individual source or source address group and set the
      Address
      to
      source-ip-only
      . Investigate hosts that initiate enough new connections to set off the alarm.
How you configure the
Address
(
source-ip-only
,
destination-ip-only
, or
src-dest-ip-both
) for classified profiles depends on your DoS protection goals, what you are protecting, and whether the protected device(s) are in internet-facing zones.
The firewall uses more resources to track
src-dest-ip-both
as the
Address
than to track
source-IP-only
or
destination-ip-only
because the counters consume resources for both the source and destination IP addresses instead of just one of the two.
If you apply both an aggregate and a classified DoS Protection profile to the same DoS Protection policy rule, the firewall applies the aggregate profile first and then applies the classified profile if needed. For example, we protect a group of five web servers with both types of profiles in a DoS Protection policy rule. The aggregate profile configuration drops new connections when the combined total for the group reaches a
Max Rate
of 25,000 CPS. The classified profile configuration drops new connections to any individual web server in the group when it reaches a
Max Rate
of 6,000 CPS. There are three scenarios where new connection traffic crosses
Max Rate
thresholds:
  • The new CPS rate exceeds the aggregate
    Max Rate
    but doesn’t exceed the classified
    Max Rate
    . In this scenario, the firewall applies the aggregate profile and blocks all new connections for the configured Block Duration.
  • The new CPS rate doesn’t exceed the aggregate
    Max Rate
    , but the CPS to one of the web servers exceeds the classified
    Max Rate
    . In this scenario, the firewall checks the aggregate profile and finds that the rate for the group is less than 25,000 CPS, so the firewall doesn’t block new connections based on that. Next, the firewall checks the classified profile and finds that the rate for a particular server exceeds 6,000 CPS. The firewall applies the classified profile and blocks new connections to that particular server for the configured Block Duration. Because the other servers in the group are within the classified profile’s
    Max Rate
    , their traffic is not affected.
  • The new CPS rate exceeds the aggregate
    Max Rate
    and also exceeds the classified
    Max Rate
    for one of the web servers. In this scenario, the firewall checks the aggregate profile and finds that the rate for the group exceeds 25,000 CPS, so the firewall blocks new connections to limit the group’s total CPS. The firewall then checks the classified profile and finds that the rate for a particular server exceeds 6,000 CPS (so the aggregate profile enforced the group’s combined limit, but that wasn’t enough to protect this particular server). The firewall applies the classified profile and blocks new connections to that particular server for the configured Block Duration. Because the other servers in the group are within the classified profile’s
    Max Rate
    , their traffic is not affected.
If you want both an aggregate and a classified DoS Protection profile to apply to the same traffic, you must apply both profiles to the same DoS Protection policy rule. If you apply the aggregate profile to one rule and the classified profile to a different rule, even if they specify exactly the same traffic, the firewall can apply only one profile because when the traffic matches the first DoS Protection policy rule, the firewall executes the
Action
specified in that rule and doesn’t compare to the traffic to any subsequent rules, so the traffic never matches the second rule and the firewall can’t apply its action. (This is the same way that Security policy rules work.)

Related Documentation