DoS & spoof protection

To prevent spoofing attacks, you can restrict traffic to packets whose source matches recognized IP addresses, trusted MAC addresses, or IP-MAC pairs. You can also set traffic limits and flag attack types to prevent DoS attacks, and create rules to bypass DoS inspection for known hosts. The firewall logs the traffic it drops.

  • To protect against spoofing attacks, select Enable spoof prevention, specify settings and zones, and click Apply. To drop traffic from an unknown IP address on a trusted MAC address, select Restrict unknown IP on trusted MAC.
  • To add a trusted MAC address, scroll to Spoof protection trusted MAC and click Add. To import addresses, click Import.
  • To protect against DoS attacks, scroll to DoS settings, specify settings, and click Apply. To view the current status of DoS attacks, click the link provided.
  • To bypass DoS inspection for a specified IP address or port, scroll to DoS bypass rule and click Add.

Spoof protection general settings

Specify the type of spoof prevention and the zones that you want to protect.

IP spoofing
If the source IP address of a packet matches no entry in the firewall’s routing table, or the packet does not come from a subnet directly connected to the interface it arrived on (for example, a packet with a DMZ address arriving on the LAN interface), the firewall drops the packet.
MAC filter
If the packet’s source MAC address is not listed as a trusted MAC address, the firewall drops the packet.
Note To select MAC filter, you need to add at least one trusted MAC address.
IP–MAC pair filter
An IP–MAC pair is a trusted MAC address that is bound to an IP address. For a match to occur, both the IP and MAC address of an incoming packet must match an IP–MAC pair. If either the IP or MAC address does not match any pair, the firewall drops the packet.

Spoof protection trusted MAC

Use trusted MAC addresses with the MAC filter setting to allow traffic only from the specified hosts.

When you bind a trusted MAC address to an IP address, the firewall matches traffic with the IP–MAC pairs and filters traffic based on the settings specified for the IP–MAC pair filter.
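The three filter modes and the Restrict unknown IP on trusted MAC option, as an added Python model that is not part of this page or of Sophos Firewall. The routing table, trusted MAC list, IP-MAC pairs and the packets run through it are constructed for the example. Two modelling assumptions are made about the behaviour described above, not about the product's implementation: the IP spoofing check is a reverse-path lookup (the source address must fall inside a route that points out of the zone the packet arrived on), and a trusted MAC with no bound IP address is treated as having no known IP address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration (assumed for this example, not taken from the page):
# routing-table entries as (network, zone the route points out of). The first two are
# directly connected subnets; the third is reached through a next hop on LAN.
ROUTING_TABLE = [
    (ipaddress.ip_network("192.168.1.0/24"), "LAN"),
    (ipaddress.ip_network("10.10.0.0/24"), "DMZ"),
    (ipaddress.ip_network("172.16.0.0/16"), "LAN"),
]
# Trusted MAC addresses, one of them bound to an IP address (an IP-MAC pair).
TRUSTED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}
IP_MAC_PAIRS = {"192.168.1.10": "00:11:22:33:44:55"}


@dataclass
class SpoofSettings:
    zones: tuple = ("LAN", "DMZ")          # zones the checks are applied to
    ip_spoofing: bool = True
    mac_filter: bool = False
    ip_mac_pair_filter: bool = False
    restrict_unknown_ip_on_trusted_mac: bool = False

    def __post_init__(self):
        # The page's note: MAC filter needs at least one trusted MAC address.
        if self.mac_filter and not TRUSTED_MACS:
            raise ValueError("MAC filter requires at least one trusted MAC address")


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    ingress_zone: str


def source_matches_routing(pkt):
    """IP spoofing check, modelled here as a reverse-path lookup: the source address must
    fall inside a routing-table entry whose zone is the zone the packet arrived on."""
    ip = ipaddress.ip_address(pkt.src_ip)
    return any(ip in net and zone == pkt.ingress_zone for net, zone in ROUTING_TABLE)


def inspect(pkt, s):
    """Return ("ACCEPT", None) or ("DROP", reason). Checks run in the order the page lists them."""
    if pkt.ingress_zone not in s.zones:
        return "ACCEPT", None
    mac = pkt.src_mac.lower()
    if s.ip_spoofing and not source_matches_routing(pkt):
        return "DROP", "ip_spoofing"
    if s.mac_filter and mac not in TRUSTED_MACS:
        return "DROP", "mac_filter"
    if s.ip_mac_pair_filter and IP_MAC_PAIRS.get(pkt.src_ip) != mac:
        return "DROP", "ip_mac_pair"
    if s.restrict_unknown_ip_on_trusted_mac and mac in TRUSTED_MACS:
        # Assumption: a trusted MAC may only use the IP addresses bound to it; a trusted MAC
        # with no binding has no known IP address, so everything it sends is dropped.
        bound = {ip for ip, m in IP_MAC_PAIRS.items() if m == mac}
        if pkt.src_ip not in bound:
            return "DROP", "unknown_ip_on_trusted_mac"
    return "ACCEPT", None


def run_sample():
    """Constructed packets run through the filter modes; returns {label: (verdict, reason)}."""
    good = Packet("192.168.1.10", "00:11:22:33:44:55", "LAN")
    dmz_on_lan = Packet("10.10.0.5", "00:11:22:33:44:55", "LAN")      # DMZ address arriving on LAN
    unknown_mac = Packet("192.168.1.20", "de:ad:be:ef:00:01", "LAN")
    wrong_ip = Packet("192.168.1.20", "00:11:22:33:44:55", "LAN")     # trusted MAC, unbound IP
    results = {
        "good_all_checks": inspect(good, SpoofSettings(mac_filter=True, ip_mac_pair_filter=True)),
        "ip_spoofed": inspect(dmz_on_lan, SpoofSettings()),
        "mac_not_trusted": inspect(unknown_mac, SpoofSettings(mac_filter=True)),
        "pair_mismatch": inspect(wrong_ip, SpoofSettings(ip_mac_pair_filter=True)),
        "unknown_ip_on_trusted": inspect(wrong_ip, SpoofSettings(restrict_unknown_ip_on_trusted_mac=True)),
        "unknown_mac_not_restricted": inspect(unknown_mac, SpoofSettings(restrict_unknown_ip_on_trusted_mac=True)),
        "outside_protected_zones": inspect(dmz_on_lan, SpoofSettings(zones=("DMZ",))),
    }
    for label, (verdict, reason) in results.items():
        if verdict == "DROP":
            print(f"dropped {label}: {reason}")     # the firewall logs dropped traffic
    return results


if __name__ == "__main__":
    run_sample()
```

Note that the IP-MAC pair filter already implies the restriction on unknown IPs: once both address fields must match a pair, a trusted MAC using an unbound IP fails the pair check. The separate option matters when you want to keep the IP spoofing check only and still pin trusted MACs to their addresses.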

DoS settings

You can set per-host limits on sent and received traffic and flag the attack types that the limits apply to, to prevent flooding of network hosts.

Tip Specify limits based on your network specifications. Values that exceed your available bandwidth or server capacity may affect performance. Values that are too low may block valid requests.
Table 1. Attack types

SYN flood
High rate of SYN requests, forcing the target server to hold an increasing number of half-open connections.
UDP flood
High rate of UDP packets, forcing the target host to check for an application listening on each port and reply with an increasing number of ICMP (destination unreachable) packets.
TCP flood
High rate of TCP packets.
ICMP/ICMPv6 flood
High rate of ICMP/ICMPv6 echo requests.
Dropped source routed packets
Drop packets that carry source routing options, which let the sender dictate the route the packet takes through the network.
Disable ICMP/ICMPv6 redirect packet
Disable ICMP/ICMPv6 redirect packets, which tell hosts to use an alternative route. A forged redirect can steer a host’s traffic through an attacker.
ARP hardening
Allow endpoints to send ARP replies only to local destination IP addresses, and only if the source and destination IP addresses are on the same subnet.

Packet rate
Number of packets that each host can send or receive per minute.
Burst rate
Occasional traffic spike allowed above the packet rate to each host.
Note With burst rate, you can allow traffic to exceed the packet rate occasionally. However, the firewall doesn’t allow frequent or sustained spikes above the packet rate.
Apply flag
Apply the traffic limit specified for the protocol.
Traffic dropped
Number of packets dropped, counted per source or per destination. The statistics accumulate from the last Sophos Firewall restart.

DoS bypass rule

You can exempt known hosts from the DoS settings for the specified ports and protocols. For example, you can allow traffic from the VPN zone, or from specific hosts in that zone, to bypass DoS inspection.

Additional information

Packet rate: for a flagged protocol (the example on this page is TCP), Sophos Firewall allows traffic for a specific source or destination as long as packets arrive below the configured rate. Otherwise, Sophos Firewall drops the traffic.

Burst rate: Sophos Firewall allows this number of packets initially, without checking the packet rate.

DoS protection works per source or per destination, so the packet rate and burst rate apply to a single source or to a single destination, not to the aggregate.

Sophos Firewall checks for a bypass rule first and then applies DoS protection to the remaining traffic.

Sample flow

  1. Sophos Firewall allows the first 100 packets (up to the burst rate) without checking the rate. From the 101st packet on, it compares the incoming rate with the configured packet rate: packets arriving below the rate are accepted; once packets arrive above it, Sophos Firewall classes the traffic as an ARP flood attack attempt and drops the packets.
  2. When a further packet arrives from the IP address that generated the traffic, Sophos Firewall checks whether the previous packet from the same source arrived within the last thirty seconds.
  3. If it did, Sophos Firewall drops the packet and logs it as an ARP flood attack attempt. Because each packet restarts the thirty-second window, a source that keeps sending stays blocked.
  4. If the previous packet arrived more than thirty seconds ago, Sophos Firewall removes the source from the flood list and allows its traffic again. The release is triggered only by a packet arriving after the quiet period: a source that simply stops sending is not moved to the allow list, and its traffic remains classed as an ARP flood attack attempt until it sends again after thirty seconds of silence.
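The burst rate, packet rate and thirty-second release from the sample flow, with bypass rules checked before the DoS logic, as an added Python simulation that is not code from this page or from Sophos Firewall. The settings (300 packets per minute, burst of 100), the bypass rule for a VPN network and the traffic are constructed for the example. Measuring the packet rate over a 60-second sliding window is an assumption made to turn "per minute" into a check, and the model is generic rather than tied to any one protocol flag.

```python
from collections import defaultdict, deque
import ipaddress

# Settings assumed for this example (not values from the page). The page's packet rate is
# per minute, so the rate is measured here over a 60 s sliding window.
PACKET_RATE = 300       # packets per minute allowed per source
BURST_RATE = 100        # packets accepted up front, without a rate check
PENALTY_SECONDS = 30    # quiet time before a flagged source is released (from the sample flow)
WINDOW_SECONDS = 60

# DoS bypass rules as (source network, protocol, destination port), e.g. VPN hosts doing IKE.
BYPASS_RULES = [
    (ipaddress.ip_network("10.200.0.0/16"), "udp", 500),
]


class SourceState:
    def __init__(self):
        self.times = deque()    # timestamps of packets inside the current window
        self.seen = 0           # packets counted since the source was last (re)started
        self.flagged = False    # currently classed as a flood attempt
        self.last_seen = None   # time of the last packet, dropped or not
        self.dropped = 0        # the page's "Traffic dropped" counter, per source


class DosLimiter:
    def __init__(self, packet_rate=PACKET_RATE, burst_rate=BURST_RATE):
        self.packet_rate = packet_rate
        self.burst_rate = burst_rate
        self.sources = defaultdict(SourceState)

    @staticmethod
    def bypassed(src_ip, proto, dport):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net and proto == p and dport == d for net, p, d in BYPASS_RULES)

    def packet(self, now, src_ip, proto="tcp", dport=80):
        """Verdict for one packet from src_ip at time `now` (seconds): BYPASS, ACCEPT or DROP."""
        if self.bypassed(src_ip, proto, dport):       # bypass rules are checked first
            return "BYPASS"
        st = self.sources[src_ip]
        prev, st.last_seen = st.last_seen, now
        if st.flagged:
            if now - prev < PENALTY_SECONDS:          # still hammering: drop, window restarts
                st.dropped += 1
                return "DROP"
            st.flagged, st.seen = False, 0            # quiet for 30 s: release and start afresh
            st.times.clear()
        st.times.append(now)
        while now - st.times[0] >= WINDOW_SECONDS:    # forget timestamps older than one minute
            st.times.popleft()
        st.seen += 1
        if st.seen <= self.burst_rate:                # burst: no rate check yet
            return "ACCEPT"
        if len(st.times) > self.packet_rate:          # above the configured packet rate
            st.flagged = True
            st.dropped += 1
            return "DROP"
        return "ACCEPT"


def simulate():
    """Constructed traffic: a flood, the same host retrying, a well-behaved host and a VPN host."""
    lim = DosLimiter()
    out = {}
    flood = [lim.packet(i * 0.02, "192.0.2.7") for i in range(500)]   # 500 packets in 10 s
    out["flood_accepted"] = flood.count("ACCEPT")       # burst of 100, then up to the rate
    out["flood_dropped"] = flood.count("DROP")
    out["retry_after_10s"] = lim.packet(20.0, "192.0.2.7")     # last packet < 30 s ago
    out["retry_after_40s"] = lim.packet(60.0, "192.0.2.7")     # quiet for 40 s: released
    out["dropped_counter"] = lim.sources["192.0.2.7"].dropped
    legit = [lim.packet(100 + i * 0.3, "192.168.1.20") for i in range(200)]  # 200/min
    out["legit_accepted"] = legit.count("ACCEPT")
    out["vpn_ike"] = lim.packet(100.0, "10.200.1.5", "udp", 500)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The flood host gets its burst of 100 plus every packet up to the 300-per-minute rate, then is flagged; its retry ten seconds later is dropped because the penalty clock restarts on every packet, while the retry after a forty-second pause is accepted and the source starts afresh. The VPN host never reaches the limiter at all, which is why a bypass rule should be scoped to the hosts, protocol and port that actually need it.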