Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/wifi/help/en-us/index.html?contextId=management-dos-settings

DoS settings

You can configure AP6 access points to monitor and block denial-of-service (DoS) attacks. A DoS attack is a type of network traffic intended to overwhelm a host and disrupt its network connectivity.

DoS attacks

Select Enable or Disable for DoS attacks to turn DoS protection on or off.

AP6 DoS settings protect against the following attacks:

  • Syn floods (HTTPS): An HTTPS SYN flood attack makes the access point unavailable by flooding it with false connection requests, preventing it from responding to legitimate HTTPS connection requests.
  • Syn floods (SSH): A SSH SYN flood attack works the same way as an HTTPS SYN flood attack, except that it prevents the access point from responding to SSH connection requests.
  • ICMP: An ICMP DoS attack floods the access point with ICMP traffic, such as ping or traceroute, to overwhelm its resources as it tries to respond to each one.
  • ARP: An ARP DoS attack usually takes the form of an ARP storm, where a device floods the network with false ARP packets to overwhelm devices as they try to process them.

Settings

Depending on the type of attack, you can configure the following settings:

  • Limit: This value specifies the maximum number of packets of that type the access point accepts per second.
  • Limit-burst: This value allows a single, larger burst of certain packets before the access point enforces the Limit.
  • Per-client limits: This value operates the same as Limit, but the access point enforces it for each device separately.
  • Per-client limits-Burst: This is the same as the Limit-burst value, but the access point enforces it for each device separately.
  • Log limit: This value controls the amount of packets per minute that are are logged. Limiting the amount of packets logged reduces CPU usage and prevents log flooding.

Advanced DoS setting

Select Enable or Disable for Advanced DoS setting to turn the advanced DoS setting on or off.

Note

Turning the advanced DoS setting on and setting the DoS thresholds too low may have a performance impact. The DoS threshold allows for 10,000 packets per second to prevent TCP flood attacks. This packet threshold is applied to all devices connected to the access point where the DoS feature has been turned on.

For information about the settings you can configure, see Settings.

Account Threshold and Lockout duration

You can also configure the access point to protect against brute-force attacks on administrator accounts by configuring the following settings:

  • Account Threshold: This value sets the allowed number of failed login attempts for an account before it's locked.
  • Lockout duration: Set the amount of time, in seconds, that an account is locked for after reaching the maximum number of failed login attempts.