Configure DoS Protection Against Flooding of New Sessions
Before you configure a DoS Protection policy rule, make sure you understand that the set of IPv4 addresses is treated as a subset of the set of IPv6 addresses, as described in detail in Policy.

1. Configure Security policy rules to deny traffic from the attacker's IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address. (Required for single-session attack mitigation or for attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation.)
2. Configure a DoS Protection profile for flood protection. Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
   a. Select Objects > Security Profiles > DoS Protection and Add a profile Name.
   b. Select Classified as the Type.
   c. For Flood Protection, select all types of flood protection:
      - SYN Flood
      - UDP Flood
      - ICMP Flood
      - ICMPv6 Flood
      - Other IP Flood
   d. When you enable SYN Flood, select the Action that occurs when connections per second (cps) exceed the Activate Rate threshold:
      - Random Early Drop: The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate rises above the Activate Rate, the more packets the firewall drops. The firewall keeps dropping packets until the incoming cps rate reaches the Max Rate, at which point the firewall drops all incoming connections. Random Early Drop (RED) is the default action for SYN Flood, and the only action for UDP Flood, ICMP Flood, ICMPv6 Flood, and Other IP Flood. RED is more efficient than SYN Cookies and can handle larger attacks, but it doesn't discern between good and bad traffic.
      - SYN Cookies: Rather than immediately sending the SYN to the server, the firewall generates a cookie (on behalf of the server) and sends it in the SYN-ACK to the client. The client responds with its ACK and the cookie; upon this validation the firewall then sends the SYN to the server. The SYN Cookies action requires more firewall resources than Random Early Drop, but it's more discerning because it affects bad traffic rather than all traffic of that type.
   e. (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
      - Alarm Rate (connections/s): Specify the threshold rate (cps) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
      - Activate Rate (connections/s): Specify the threshold rate (cps) above which a DoS response is activated. When the Activate Rate threshold is reached, Random Early Drop occurs. (Range is 0-2,000,000; default is 10,000.) For SYN Flood, you can select the action that occurs.
      - Max Rate (connections/s): Specify the threshold rate of incoming connections per second that the firewall allows. When the threshold is exceeded, new connections that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
      The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
   f. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)
      Set a low Block Duration value if you are concerned that packets you incorrectly identify as attack traffic will be blocked unnecessarily. Set a high Block Duration value if you are more concerned about blocking volumetric attacks than about incorrectly blocking packets that aren't part of an attack.
   g. Click OK.
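The SYN Cookies exchange described for the profile's SYN Flood action, as an added illustration that is not PAN-OS code or any vendor's implementation: the firewall mints a cookie for the SYN-ACK, validates the client's ACK without keeping any per-SYN state, and only then sends a SYN to the server. The cookie construction (a truncated HMAC-SHA256 over the 4-tuple and a 64-second time slot), the packet field names and the demo secret are assumptions; real implementations also encode negotiated options in the cookie.

```python
import hmac
import hashlib
import struct

# Constructed values for this illustration; a firewall would use a local, rotated secret.
SECRET = b"constructed-demo-secret"
SLOT_SECONDS = 64      # a cookie is accepted for the slot it was minted in and the one after
MASK32 = 0xFFFFFFFF    # TCP sequence numbers are 32-bit


def make_cookie(src, sport, dst, dport, slot):
    """Stateless cookie: truncated HMAC over the 4-tuple and a time slot (assumed construction)."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    return struct.unpack(">I", hmac.new(SECRET, msg, hashlib.sha256).digest()[:4])[0]


def firewall_synack(syn, now):
    """The firewall answers the SYN on the server's behalf. Nothing is forwarded and
    nothing is stored, so a flood of spoofed SYNs leaves no half-open state anywhere."""
    slot = int(now) // SLOT_SECONDS
    cookie = make_cookie(syn["src"], syn["sport"], syn["dst"], syn["dport"], slot)
    return {"seq": cookie, "ack": (syn["seq"] + 1) & MASK32}


def client_ack(syn, synack):
    """A real client finishes the handshake and echoes cookie + 1 in its ACK."""
    return {"src": syn["src"], "sport": syn["sport"], "dst": syn["dst"], "dport": syn["dport"],
            "seq": synack["ack"], "ack": (synack["seq"] + 1) & MASK32}


def firewall_validate_ack(ack, now):
    """Recompute the cookie for the current and previous slot instead of looking it up.
    This HMAC per SYN and per ACK is the extra work the page attributes to SYN Cookies."""
    slot = int(now) // SLOT_SECONDS
    expected = {(make_cookie(ack["src"], ack["sport"], ack["dst"], ack["dport"], s) + 1) & MASK32
                for s in (slot, slot - 1)}
    return ack["ack"] in expected


def forward_syn(ack, now):
    """Only after validation does the firewall send a SYN to the server, rebuilding the
    client's SYN from the ACK (the client's ISN is ack.seq - 1). Returns None on a drop."""
    if not firewall_validate_ack(ack, now):
        return None
    return {"src": ack["src"], "sport": ack["sport"], "dst": ack["dst"], "dport": ack["dport"],
            "seq": (ack["seq"] - 1) & MASK32}
```

A spoofed source never receives the SYN-ACK, so no valid ACK arrives and the server never sees the connection; a forged ACK with a guessed cookie is dropped by the same check.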
3. Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
   Firewall resources are finite, so you wouldn't want to classify on source address in an internet-facing zone: an enormous number of unique IP addresses can match the DoS Protection policy rule, each would require its own counter, and the firewall would run out of tracking resources. Instead, define a DoS Protection policy rule that classifies on the destination address (of the server you are protecting).
   a. Select Policies > DoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
   b. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s). Choose zone or interface depending on your deployment and what you want to protect. For example, if you have only one interface coming into the firewall, choose Interface.
   c. (Optional) For Source Address, select Any to match any incoming IP address, or Add an address object such as a geographical region.
   d. (Optional) For Source User, select any or specify a user.
   e. (Optional) Select Negate to match any sources except those you specify.
   f. (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
   g. (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
   h. (Optional) On the Option/Protection tab, Add a Service. Select a service, or click Service and enter a Name, select TCP or UDP, and enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
   i. On the Option/Protection tab, for Action, select Protect.
   j. Select Classified.
   k. For Profile, select the name of the DoS Protection profile you created.
   l. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic:
      - Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
      - Specify src-dest-ip-both if you want to protect against DoS attacks only on the server that has a specific destination address, and you also want to ensure that no single source IP address surpasses a specific cps threshold to that server.