Device Configuration : Protect : Intrusion Prevention : DoS
DoS
The device provides several security options that cannot be defined through Security Policies. These include protection against several kinds of Denial of Service attacks, which disable computers and circumvent security controls.
A Denial of Service (DoS) attack is a method attackers use to prevent or deny legitimate users access to a service.
DoS attacks are typically executed by sending a large number of request packets to a targeted server (usually a web, FTP, or mail server), which floods the server's resources and makes the system unusable. The goal is not to steal information but to disable or deprive a device or network so that users no longer have access to network services and resources.
Every server can handle traffic only up to a maximum volume, beyond which it stops responding. Attackers therefore send a very high volume of redundant traffic so that the system can no longer examine and pass permitted network traffic. The best way to protect against a DoS attack is to identify and block such redundant traffic. The following DoS settings can be used to identify a DoS attack:
Packet rate per Source – Total number of connections or packets allowed to a particular user.
Burst rate per Source – Maximum number of packets allowed to a particular user at a given time.
Packet rate per Destination – Total number of connections or packets allowed from a particular user.
Burst rate per Destination – Maximum number of packets allowed from a particular user at a given time.
How it works
When the burst rate is crossed, the device treats the traffic as an attack. It provides DoS protection by dropping all excess packets from that particular source or destination, and continues dropping them until the attack subsides. Because the threshold is applied per IP address, only traffic from the offending source or destination is dropped; the rest of the network traffic is not affected at all.
Time taken to re-allow traffic from the blocked source/destination = time taken for the attack to subside + 30 seconds
For example:
Packet rate per Source – 100 packets per second
Burst rate per Source – 200 packets per second
When the user starts sending requests, the user can initially send 200 packets per second, but once 200 packets have been received, in the next phase the user can send only 100 packets per second. If in that phase the user sends 150 packets per second, the device considers it an attack and drops 50 (150 - 100) packets. The device will accept traffic from the user only after 30 seconds of dropping packets.
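The per-source behaviour described above, worked through as an added Python model (not the appliance's own code; the page gives no algorithm, so the phase logic and the way the 30-second release is applied are assumptions reconstructed from the prose). It uses the page's figures of 100 pps packet rate and 200 pps burst rate and shows that a flooding host is policed while a second, constructed host on the same network loses nothing.

```python
"""Model of the per-source packet rate / burst rate policing described above.
Added illustration, not the appliance's code; phase logic is an assumption."""
from dataclasses import dataclass, field
from typing import Optional

RELEASE_DELAY = 30  # seconds added after the flood subsides (from the page)


@dataclass
class SourceState:
    burst_left: int                 # burst allowance not yet consumed
    attacking: bool = False         # set once a threshold is crossed
    release_at: Optional[int] = None  # second at which the source is re-allowed
    dropped: int = 0                # the "Source Traffic Dropped" counter
    events: list = field(default_factory=list)


class DosPolicer:
    """Thresholds apply per source IP: a flooder causes no drops for other hosts."""

    def __init__(self, packet_rate, burst_rate):
        self.packet_rate = packet_rate  # packets/second after the burst phase
        self.burst_rate = burst_rate    # packets/second in the initial phase
        self.sources = {}

    def observe(self, t, src, count):
        """Police `count` packets from `src` in second `t`; return how many pass."""
        st = self.sources.setdefault(src, SourceState(self.burst_rate))
        if st.attacking and st.release_at is not None and t >= st.release_at:
            # Flood subsided RELEASE_DELAY seconds ago: re-allow the source
            # with a fresh burst allowance (drop counter is kept for display).
            st.attacking, st.release_at = False, None
            st.burst_left = self.burst_rate
            st.events.append((t, "released"))
        # Initial phase admits up to the burst rate; once that allowance is
        # spent only the steady packet rate is admitted (assumed semantics).
        limit = max(self.packet_rate, st.burst_left)
        accepted = min(count, limit)
        st.burst_left = max(0, st.burst_left - accepted)
        excess = count - accepted
        if excess:
            st.dropped += excess
            st.release_at = None  # still flooding: keep the source blocked
            if not st.attacking:
                st.attacking = True
                st.events.append((t, "attack detected"))
        elif st.attacking and st.release_at is None:
            st.release_at = t + RELEASE_DELAY  # first quiet second
            st.events.append((t, "flood subsided"))
        return accepted
```

Feed it one count per source per second; the `events` list gives the timeline a defender would want in a log (detection, subsidence, release) and `dropped` mirrors the counter shown on the SYN/UDP/TCP flood pages.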
Threshold values
The device uses the packet rate and burst rate values as thresholds to detect a DoS attack. Appropriate values depend on various factors such as:
Network bandwidth
Nature of traffic
Capacity of servers in the network
These values apply to each individual source or destination per user/IP address, not globally to the entire network traffic. For example, if the source rate is 2500 packets/minute and the network consists of 100 users, then each user is allowed a packet rate of 2500 packets per minute.
Configuring values that are too high will degrade performance, and values that are too low will block regular requests. Hence it is very important to configure appropriate values for both source and destination IP addresses.
DoS Settings
Attack definitions can be configured for both source and destination.
SYN Flood
A SYN flood is an attack in which large numbers of connection requests are sent so that the backlog queue overflows. A connection entry is created when the victim host receives a connection request and allocates memory resources for it. A SYN flood creates so many half-open connections that the system becomes overwhelmed and can no longer handle incoming requests.
Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.
Select the Apply Flag checkbox to apply the SYN flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped when source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped when destination packet rate control is applied.
Click SYN Flood to view real-time updates on flooding. It displays the source IP address used for flooding and the IP address that was targeted.
UDP Flood
A User Datagram Protocol (UDP) flood links two systems: it hooks up one system's UDP character-generating service with another system's UDP echo service. Once the link is made, the two systems are tied up exchanging a flood of meaningless data.
Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.
Select the Apply Flag checkbox to apply the UDP flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped when source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped when destination packet rate control is applied.
Click UDP Flood to view real-time updates on flooding. It displays the source IP address used for flooding and the IP address that was targeted.
TCP Flood
A TCP flood sends a huge volume of TCP packets that the host/victim computer cannot handle, thereby denying service to legitimate TCP users.
Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.
Select the Apply Flag checkbox to apply the TCP flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped when source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped when destination packet rate control is applied.
ICMP/ICMPv6 Flood
An ICMP/ICMPv6 flood sends a huge volume of packets that the protocol implementation on the host/victim computer cannot handle, thereby preventing legitimate packets from reaching their destination.
Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.
Select the Apply Flag checkbox to apply the ICMP flood definition and control the allowed number of packets.
Click ICMP/ICMPv6 Flood to view real-time updates on flooding. It displays the source IP address used for flooding and the IP address that was targeted.
Dropped Source Routed Packets
Select the Apply Flag checkbox to enable this option. It blocks any source-routed connections and any packets with an internal address from entering your network.
Disable ICMP/ICMPv6 Redirect Packet
Routers use ICMP redirect packets to inform hosts of the correct route. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly weaken the host's security by causing traffic to flow via another path.
Disable the option to prevent the attacker from forging ICMP redirect packet.
Default - Enabled
ARP Hardening
If enabled, the device sends an ARP reply only if the destination IP address is a local address configured on the incoming interface and both the sender and destination IP addresses are in the same subnet.
DoS Bypass Rule
The device allows you to bypass the DoS rule when you are sure that the specified source will not be used for flooding, or to ignore flooding that occurs from the specified source. By default, VPN zone traffic is also subject to DoS inspection; you can bypass DoS inspection for traffic coming from certain hosts in the VPN zone.
The DoS Bypass Rule page displays a list of all bypass rules. You can filter the list by IP Family. The page provides options to add a new rule, update an existing rule, or delete a rule.