DoS protection against flooding of new sessions is beneficial
against high-volume single-session and multiple-session attacks.
In a single-session attack, an attacker uses a single session to
target a device behind the firewall. If a Security rule allows the
traffic, the session is established and the attacker initiates an
attack by sending packets at a very high rate with the same source
IP address and port number, destination IP address and port number,
and protocol, trying to overwhelm the target. In a multiple-session
attack, an attacker uses multiple sessions (or connections per second
[cps]) from a single host to launch a DoS attack.
This feature defends against DoS attacks of new sessions
only, that is, traffic that has not been offloaded to hardware.
An offloaded attack is not protected by this feature. However, this
topic describes how you can create a Security policy rule to reset
the client; the attacker reinitiates the attack with numerous connections
per second and is blocked by the defenses illustrated in this topic.
DoS Protection Profiles and Policy Rules work
together to provide protection against flooding of many incoming
SYN, UDP, ICMP, and ICMPv6 packets, and other types of IP packets.
You determine what thresholds constitute flooding. In general, the
DoS Protection profile sets the thresholds at which the firewall
generates a DoS alarm, takes action such as Random Early Drop, and
drops additional incoming connections. A DoS Protection policy rule
that is set to protect (rather than to allow or deny packets) determines
the criteria for packets to match (such as source address) in order
to be counted toward the thresholds. This flexibility allows you
to blacklist certain traffic, or whitelist certain traffic and treat
other traffic as DoS traffic. When the incoming rate exceeds your maximum
threshold, the firewall blocks incoming traffic from the source