How to Set Up DoS Protection
Using the DoS protection rulebase, administrators can configure policies that protect their networks from DoS attacks. The rulebase is found under Policies > DoS Protection. Rules can use zone, interface, IP address or user information as match conditions.
DoS protection profiles define the thresholds that a DoS rule enforces; the rules themselves are built much like security policies and act on traffic that matches the configured criteria. Profiles are configured under the Objects tab > Security Profiles > DoS Protection.
First, you will need to specify the profile type. You can choose between aggregate or classified.
- Aggregate: Apply the DoS thresholds configured in the profile to all packets that match the rule criteria on which this profile is applied. For example, an aggregate rule with a SYN flood threshold of 10000 packets per second (pps) counts all packets that hit that particular DoS rule.
- Classified: Apply the DoS thresholds configured in the profile to all packets satisfying the classification criterion (source IP, destination IP or source-and-destination IP).
The DoS protection profiles can be used to mitigate several types of DoS attacks.
Flood protection works like the flood protection in zone protection profiles. For SYN floods, SYN Cookie and Random Early Drop (RED) are the available options; for the other flood types, RED is used. You'll notice the same configuration options as in zone protection profiles, plus Block Duration, the time in seconds for which the offending IP address is blocked.
In addition to flood protection, there is Resources Protection. This enforces a session quota for your hosts: it limits the maximum number of sessions allowed for a particular source IP address, destination IP address or source-destination IP pair.
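To make the aggregate versus classified distinction and the effect of Block Duration concrete, here is a small simulation written for this article (not firewall code, and a simplification of the actual PAN-OS behaviour). It counts packets per second under each profile type and, once a counter exceeds the threshold, blocks the counted key for the block duration; for the aggregate case the key is the whole rule, which is an assumption of the model. The traffic, addresses and threshold values are constructed for illustration.

```python
from collections import defaultdict

def classify_key(pkt, mode):
    """Return the counter key for a packet under the given profile type.
    'aggregate' counts every packet that hits the rule together; the other
    modes are the classified criteria named in the rule's Address dropdown."""
    if mode == "aggregate":
        return "all"
    if mode == "source-ip-only":
        return pkt["src"]
    if mode == "destination-ip-only":
        return pkt["dst"]
    if mode == "src-dest-ip-both":
        return (pkt["src"], pkt["dst"])
    raise ValueError(f"unknown profile type: {mode}")

def apply_dos_profile(packets, mode, threshold_pps, block_duration):
    """Simplified model: count packets per key per whole second. When a key
    exceeds threshold_pps within one second, that key is blocked until
    second + block_duration and its packets are dropped.
    Returns (dropped_packets, {key: block_expiry_second})."""
    counts = defaultdict(int)   # (key, second) -> packets seen so far
    blocked = {}                # key -> second at which the block expires
    dropped = 0
    for pkt in sorted(packets, key=lambda p: p["t"]):
        key, sec = classify_key(pkt, mode), int(pkt["t"])
        if key in blocked and sec < blocked[key]:
            dropped += 1            # still inside Block Duration
            continue
        counts[(key, sec)] += 1
        if counts[(key, sec)] > threshold_pps:
            blocked[key] = sec + block_duration
            dropped += 1
    return dropped, blocked

def constructed_traffic():
    """Constructed sample: one noisy source sends 15 packets in second 0;
    a normal client sends 5 packets/s to the same server in seconds 0 and 1."""
    pkts = [{"t": i * 0.01, "src": "10.0.0.5", "dst": "192.0.2.10"} for i in range(15)]
    pkts += [{"t": 0.5 + i * 0.01, "src": "10.0.0.7", "dst": "192.0.2.10"} for i in range(5)]
    pkts += [{"t": 1.5 + i * 0.01, "src": "10.0.0.7", "dst": "192.0.2.10"} for i in range(5)]
    return pkts

if __name__ == "__main__":
    for mode in ("aggregate", "source-ip-only", "destination-ip-only", "src-dest-ip-both"):
        dropped, blocked = apply_dos_profile(constructed_traffic(), mode, 10, 300)
        print(f"{mode:20s} dropped={dropped:2d} blocked={blocked}")
```

With a 10 pps threshold the aggregate and destination-ip-only profiles block the shared server for the whole block duration and drop the normal client's packets too, whereas source-ip-only and src-dest-ip-both block only the noisy source.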
Next we'll go to Policies > DoS Protection to create a DoS policy similar to the way we create a security rule.
As you can see, most parameters are similar to security rules.
After giving the rule a name, configuring the source, destination and services, you can attach the profile to your rule using the Aggregate dropdown or you can click New DoS Protection to create a new one.
The available actions are deny, allow and protect:
- Deny: Drop all traffic that matches the rule.
- Allow: Permit all traffic that matches the rule.
- Protect: Enforce the protections defined by the thresholds in the DoS profile applied to this rule.
Using the Schedule dropdown, you can assign a schedule to apply the DoS rule to a specific date/time.
Using the Log Forwarding dropdown, you can configure log forwarding to forward your threat log entries to an external service such as a syslog server or Panorama.
For the sake of this tutorial, I already created a classified DoS protection profile. If you enable the Classified checkbox, you can select the classified profile using the Profile dropdown menu. Below it, in the Address dropdown, you can select the classification criterion I mentioned earlier (source-ip-only / destination-ip-only / src-dest-ip-both).
As the example shows, a single DoS rule can have both an aggregate and a classified DoS protection profile attached.
Click OK and Commit to save your configuration.
Using the CLI, verify your DoS rule's settings with the following command:
> show dos-protection rule <name> settings
As seen in the example, we have a DoS rule with
- name = DosRule
- aggregate profile = DosProtection
- classified profile = Dos_classified
- classification criteria = source-only
- action = Protect
In the output, you will also see all the thresholds you've configured in the profiles.
This concludes the video on DoS protection. Feel free to leave any comments in the comments section below.
Below are links to other useful documents with examples and topics we discussed in the video: