Prevent DoS and DDoS attacks
Best practices for protecting your network from Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks.
Protect your network from a DoS attack
You can protect your network against DoS attacks for both IPv4 and IPv6 traffic by configuring the appropriate DoS settings.
- Go to Intrusion prevention > DoS & spoof protection.
-
Under DoS settings, set the packet and burst rates according to your network traffic, and select Apply Flag next to each setting.
For example, for ICMP/ICMPv6 flood, we've set Packet rate per Source (Packet/min) to
1200
and selected Apply Flag next to it to turn on scanning for ICMP and ICMPv6 traffic. -
Click Apply.
When the DoS settings are applied, the firewall checks the network traffic to make sure that it doesn't exceed the configured limit.
In the example, the firewall scans the network traffic for ICMP and ICMPv6 packets. If the number of ICMP and ICMPv6 packets from a specific source exceeds 1200 per minute, it drops the excessive packets and continues dropping until the attack is over.
Protect your network from a DDoS attack
You can protect your network against DDoS attacks by using intrusion prevention policies.
Note
DDoS signatures are only available in XGS 5500 and higher-capacity firewalls.
- Go to Intrusion prevention > IPS policies.
- Click Add.
- Enter a name for the policy. For example,
DDoS_Protection
. - Click Save.
- Click Edit for the
DDoS_Protection
policy. - Click Add.
- For Smart filter, type
ddos
and press Enter. - Set Action to Drop packet.
- Click Save, then click Save.
-
Go to Rules and policies and apply the intrusion prevention policy to a firewall rule.
More resources