DoS & spoof protection

To prevent spoofing attacks, you can restrict traffic to only that which matches recognized IP addresses, trusted MAC addresses, and IP–MAC pairs. You can also set traffic limits and flags to prevent DoS attacks and create rules to bypass DoS inspection. The firewall logs dropped traffic.

  • To protect against spoofing attacks, select Enable spoof prevention, specify settings and zones, and click Apply. To drop traffic from an unknown IP address on a trusted MAC address, select Restrict unknown IP on trusted MAC.
  • To add a trusted MAC address, scroll to Spoof protection trusted MAC and click Add. To import addresses, click Import.
  • To protect against DoS attacks, scroll to DoS settings, specify settings, and click Apply. To view the current status of DoS attacks, click the link provided.
  • To bypass DoS inspection for a specified IP address or port, scroll to DoS bypass rule and click Add.

Spoof protection general settings

Specify the type of spoof prevention and the zones that you want to protect.

IP spoofing
If the source IP address of a packet does not match any entry on the firewall’s routing table or if the packet is not from a direct subnet, the firewall drops the packet.
MAC filter
If the packet does not specify a MAC address that is listed as a trusted MAC address, the firewall drops the packet.
Note To select MAC filter, you need to add at least one trusted MAC address.
IP–MAC pair filter
An IP–MAC pair is a trusted MAC address that is bound to an IP address. For a match to occur, both the IP and MAC address of an incoming packet must match an IP–MAC pair. If either the IP or MAC address does not match any pair, the firewall drops the packet.

Spoof protection trusted MAC

Use trusted MAC addresses with the MAC filter setting to allow traffic for specified hosts.

When you bind a trusted MAC address to an IP address, the firewall matches traffic with the IP–MAC pairs and filters traffic based on the settings specified for the IP–MAC pair filter.

DoS settings

You can specify limits on sent and received traffic and flag DoS attacks to prevent flooding of network hosts.

Tip Specify limits based on your network specifications. Values that exceed your available bandwidth or server capacity may affect performance. Values that are too low may block valid requests.
Table 1. Attack types

SYN flood
High rate of SYN requests, forcing the target server to create an increasing number of half-open connections.
UDP flood
High rate of UDP packets, forcing the target host to check for an application listening on the port and reply with an increasing number of ICMP packets.
TCP flood
High TCP packet rate.
ICMP/ICMPv6 flood
High rate of ICMP/ICMPv6 echo requests.
Dropped source routed packets
Drop packets that specify their own route (source routing).
Disable ICMP/ICMPv6 redirect packet
Disable ICMP/ICMPv6 redirect packets, which inform hosts of an alternative route.
ARP hardening
Allow endpoints to send ARP replies only to local destination IP addresses, and only if the source and destination IP addresses are on the same subnet.
Packet rate
Number of packets that each host can send or receive per minute.
Burst rate
Occasional traffic spike allowed above the packet rate to each host.
Note With burst rate, you can allow traffic to exceed the packet rate occasionally. However, the firewall doesn’t allow frequent or sustained spikes above the packet rate.
Apply flag
Apply the traffic limit specified for the protocol.
Traffic dropped
Number of source or destination packets dropped.

Packet and burst rates

Packet rate per source: 12000 packets per minute (200 packets per second).

Burst rate per source: 300 packets per second.

The firewall allows a host to send up to 200 packets per second. If traffic spikes to 250 packets in a particular second (within the burst rate), the firewall allows the traffic. However, if the spike continues above the packet rate for a few seconds, the firewall drops the excess traffic and allows only 200 packets per second (the packet rate). Thirty seconds after it starts dropping traffic, the firewall resets the packet rate and burst rate counters.
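The following simulation, added here and not the firewall's own code, models the per-source packet rate and burst rate behaviour described above so you can see which seconds of a traffic trace would be cut back. The page does not define how long a spike must last before it counts as sustained, nor what happens when a single second exceeds the burst rate; the `spike_seconds` threshold and the over-burst handling are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of per-source DoS rate limiting. Assumptions not stated by
# the page: a spike is "sustained" once it exceeds spike_seconds consecutive
# seconds above the packet rate, and a second above the burst rate is treated
# like a sustained spike (excess dropped immediately).


@dataclass
class SourceLimiter:
    packet_rate: int = 200      # packets per second (12000 per minute)
    burst_rate: int = 300       # packets per second allowed during a spike
    spike_seconds: int = 3      # assumed: longer spikes are "sustained"
    reset_seconds: int = 30     # page: counters reset 30 s after dropping starts
    spike_run: int = 0          # consecutive seconds above packet_rate
    dropping_since: Optional[int] = None  # second at which dropping began

    def second(self, t: int, packets: int) -> Tuple[int, int]:
        """Account for one second of traffic at time t.
        Returns (allowed, dropped) for that second."""
        # Thirty seconds after dropping began, the rate/burst state resets.
        if self.dropping_since is not None and t - self.dropping_since >= self.reset_seconds:
            self.dropping_since = None
            self.spike_run = 0
        if packets <= self.packet_rate:
            self.spike_run = 0          # back under the packet rate
            return packets, 0
        if self.dropping_since is None:
            self.spike_run += 1
            if self.spike_run <= self.spike_seconds and packets <= self.burst_rate:
                return packets, 0       # occasional spike within the burst rate
            self.dropping_since = t     # sustained or over-burst: start dropping
        return self.packet_rate, packets - self.packet_rate


def simulate(trace: List[int], limiter: Optional[SourceLimiter] = None) -> List[Tuple[int, int]]:
    """Run a per-second packet-count trace from one source through the limiter."""
    limiter = limiter or SourceLimiter()
    return [limiter.second(t, n) for t, n in enumerate(trace)]


if __name__ == "__main__":
    # Constructed trace: a 2 s spike to 250 pps passes; a 6 s spike is cut back
    # to 200 pps from its 4th second; 30 s after the first drop a new spike passes.
    trace = [200, 250, 250, 100] + [250] * 6 + [100] * 30 + [250]
    for t, (allowed, dropped) in enumerate(simulate(trace)):
        if dropped:
            print(f"t={t:2d}s allowed={allowed} dropped={dropped}")
```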

DoS bypass rule

You can bypass DoS settings for known hosts on the specified ports and protocols. For example, you can allow traffic from a VPN zone, or from specific hosts in the VPN zone, to bypass DoS inspection.