Configure DoS Protection Against Flooding of New Sessions
- Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address. (Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation).
- Configure a DoS Protection profile for flood protection. Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
- Select Objects > Security Profiles > DoS Protection and Add a profile Name.
- Select Classified as the Type.
- For Flood Protection, select all types of flood protection:
- SYN Flood
- UDP Flood
- ICMP Flood
- ICMPv6 Flood
- Other IP Flood
- When you enable SYN Flood, select the Action that occurs when connections per second (cps) exceed the Activate Rate threshold:
- Random Early Drop—The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate climbs above the Activate Rate, the more packets the firewall drops. The firewall drops packets until the incoming cps rate reaches the Max Rate, at which point the firewall drops all incoming connections. Random Early Drop (RED) is the default action for SYN Flood, and the only action for UDP Flood, ICMP Flood, ICMPv6 Flood, and Other IP Flood. RED is more efficient than SYN Cookies and can handle larger attacks, but it does not distinguish legitimate traffic from attack traffic: above the Activate Rate, good connections are dropped along with bad ones.
- SYN Cookies—Rather than forwarding the SYN to the server immediately, the firewall answers the client with a SYN-ACK that carries a cookie generated on the server’s behalf. Only when the client returns an ACK that validates the cookie does the firewall send the SYN to the server, so half-open connections from spoofed or non-responding sources never reach it. The SYN Cookies action requires more firewall resources than Random Early Drop, but it is more discriminating because it affects only traffic that fails to complete the handshake.
- (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
- Alarm Rate (connections/s)—Specify the threshold rate (cps) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
- Activate Rate (connections/s)—Specify the threshold rate (cps) above which a DoS response is activated. When the Activate Rate threshold is reached, Random Early Drop occurs. Range is 0-2,000,000; default is 10,000. (For SYN Flood, you can select the action that occurs.)
- Max Rate (connections/s)—Specify the threshold rate of incoming connections per second that the firewall allows. When the threshold is exceeded, new connections that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
- On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.) Set a low Block Duration value if you are concerned that packets you incorrectly identify as attack traffic will be blocked unnecessarily. Set a high Block Duration value if you are more concerned about blocking volumetric attacks than about incorrectly blocking packets that are not part of an attack.
- Click OK.
- Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic. Firewall resources are finite, so do not classify on source address in an internet-facing zone: an enormous number of unique IP addresses can match the DoS Protection policy rule, each one requires its own counter, and the firewall would run out of tracking resources. Instead, define a DoS Protection policy rule that classifies on the destination address of the server you are protecting.
- Select PoliciesDoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
- On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s). Choose zone or interface depending on your deployment and what you want to protect. For example, if you have only one interface coming into the firewall, choose Interface.
- (Optional) For Source Address, select Any for any incoming IP address to match the rule or Add an address object such as a geographical region.
- (Optional) For Source User, select any or specify a user.
- (Optional) Select Negate to match any sources except those you specify.
- (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
- (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
- (Optional) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
- On the Option/Protection tab, for Action, select Protect.
- Select Classified.
- For Profile, select the name of the DoS Protection profile you created.
- For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies.
Choose the setting based on how you want the firewall to identify
- Specify source-ip-only if you want the firewall to classify on the source IP address alone, so that all new sessions from one source count toward the thresholds regardless of destination. Because attackers often probe the entire network for hosts to attack, source-ip-only is the typical setting when you want a wider view of a source’s behavior (subject to the caution above about the number of counters this needs in an internet-facing zone).
- Specify src-dest-ip-both if you want to protect only the server with a specific destination address and also want each individual source IP address held to the cps thresholds for its sessions to that server.
- Click OK.
- Commit the configuration (click Commit).
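The following is an added example, not code from the Palo Alto Networks documentation or from PAN-OS itself: a small Python model of how the Alarm Rate, Activate Rate, Max Rate and Block Duration settings above interact, and of what the Address setting (source-ip-only versus src-dest-ip-both) changes about which traffic a flood is counted against. Two things are assumptions rather than documented behavior: the Random Early Drop probability is taken to rise linearly between Activate Rate and Max Rate, and a block is taken to begin in the first second in which Max Rate is exceeded. The addresses, rates and the attack timeline are constructed.

```python
"""Model of a Classified DoS Protection profile's flood thresholds.

Added illustrative example, not PAN-OS code. Assumptions not taken from the
documentation: RED drop probability is linear between Activate Rate and Max
Rate, and a block starts in the first second Max Rate is exceeded. All
addresses and rates are constructed.
"""
import random
from collections import defaultdict


class ClassifiedDosProfile:
    """Thresholds of a DoS Protection profile, in connections per second."""

    def __init__(self, alarm_rate=10000, activate_rate=10000,
                 max_rate=40000, block_duration=300):
        # Documented ranges: Alarm/Activate 0-2,000,000, Max 2-2,000,000,
        # Block Duration 1-21,600 s. A Max Rate below Activate Rate is rejected.
        if not (0 <= alarm_rate <= 2_000_000 and 0 <= activate_rate <= 2_000_000):
            raise ValueError("Alarm/Activate Rate out of range")
        if not (2 <= max_rate <= 2_000_000) or max_rate < activate_rate:
            raise ValueError("Max Rate out of range or below Activate Rate")
        if not (1 <= block_duration <= 21_600):
            raise ValueError("Block Duration out of range")
        self.alarm_rate, self.activate_rate = alarm_rate, activate_rate
        self.max_rate, self.block_duration = max_rate, block_duration

    def drop_probability(self, cps):
        """RED: 0 at or below Activate Rate, 1 at or above Max Rate, assumed
        linear in between (the firewall's real curve is not published)."""
        if cps <= self.activate_rate:
            return 0.0
        if cps >= self.max_rate:
            return 1.0
        return (cps - self.activate_rate) / (self.max_rate - self.activate_rate)


class FloodTracker:
    """Applies one profile per classification key, one second at a time.
    classify mirrors the Address setting of the DoS Protection policy rule;
    every distinct key costs the firewall one counter."""

    def __init__(self, profile, classify="src-dest-ip-both", seed=1):
        if classify not in ("source-ip-only", "src-dest-ip-both"):
            raise ValueError(classify)
        self.profile, self.classify = profile, classify
        self.rng = random.Random(seed)  # seeded so a run is reproducible
        self.block_until = {}           # key -> first second no longer blocked
        self.alarms = []                # (second, key, cps)
        self.counters = set()           # every key ever tracked

    def key(self, src, dst):
        return (src,) if self.classify == "source-ip-only" else (src, dst)

    def process_second(self, second, attempts):
        """attempts: iterable of (src, dst) new-session attempts in this second.
        Returns {key: (allowed, dropped)}."""
        per_key = defaultdict(int)
        for src, dst in attempts:
            per_key[self.key(src, dst)] += 1
        out = {}
        for k, cps in per_key.items():
            self.counters.add(k)
            if cps > self.profile.alarm_rate:
                self.alarms.append((second, k, cps))   # Alarm Rate: log only
            if second < self.block_until.get(k, 0):
                out[k] = (0, cps)  # Block Duration still running: drop all
            elif cps > self.profile.max_rate:
                self.block_until[k] = second + self.profile.block_duration
                out[k] = (0, cps)  # Max Rate exceeded: drop all, start block
            else:
                p = self.profile.drop_probability(cps)
                dropped = sum(1 for _ in range(cps) if self.rng.random() < p)
                out[k] = (cps - dropped, dropped)
        return out


def run_scenario(classify):
    """Constructed traffic: a legitimate client plus one attacker flooding two
    protected servers. Thresholds are scaled down to keep the run small."""
    profile = ClassifiedDosProfile(alarm_rate=50, activate_rate=100,
                                   max_rate=400, block_duration=5)
    tracker = FloodTracker(profile, classify)
    legit, attacker = "192.0.2.5", "198.51.100.7"
    web_a, web_b = "203.0.113.10", "203.0.113.11"
    # Attacker new-session rate per second towards EACH server; the legitimate
    # client opens a steady 20 sessions/s to web_a throughout.
    attack_plan = [40, 250, 300, 5, 5, 5, 5, 5]
    summary = {"legit_dropped": 0, "attacker_allowed": [], "blocked_seconds": 0}
    for second, cps in enumerate(attack_plan):
        attempts = [(legit, web_a)] * 20
        attempts += [(attacker, web_a)] * cps + [(attacker, web_b)] * cps
        res = tracker.process_second(second, attempts)
        summary["legit_dropped"] += res[tracker.key(legit, web_a)][1]
        allowed = sum(a for k, (a, _) in res.items() if k[0] == attacker)
        summary["attacker_allowed"].append(allowed)
        if allowed == 0:
            summary["blocked_seconds"] += 1
    summary["alarms"] = len(tracker.alarms)
    summary["counters"] = len(tracker.counters)
    return summary


if __name__ == "__main__":
    for mode in ("src-dest-ip-both", "source-ip-only"):
        print(mode, run_scenario(mode))
```

Running the block prints one summary per mode. Under src-dest-ip-both the attacker’s 300 cps toward each server is counted separately, stays between Activate Rate (100) and Max Rate (400) and is only partly dropped by RED; under source-ip-only the same traffic counts as 600 cps from one source, exceeds Max Rate and is dropped for the full Block Duration, while the legitimate client is never dropped in either mode. The real firewall’s drop curve and the exact moment a block starts may differ from this model, so validate thresholds of your own against the firewall’s threat logs rather than against the simulation.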