https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475326#M103447 <P>In theory this is still possible. Most DDoS attacks Palo sees now are reflection-based amplification attacks... UDP, not ICMP. (Which sounds like these are allowed in your network).&nbsp;&nbsp;</P><P>&nbsp;</P><P>Mirai botnet... reflected and amplified NTP on IoT devices with outbound rules. Is it harder with only outbound rules and hiding behind NAT? Yes. Impossible? No. Unless you know for certain all current inside devices are clean, and you know where they are 365 days a year, it's still possible. Slim, hence defense in depth, but possible.</P><P>&nbsp;</P><P>Consider also DDoS lives on loads of NAS, routers, home security kits so in some cases reflection/amplification will still come down that IPSec tunnel depending on what terminates it.</P><P>&nbsp;</P><P>+1 on the above for DoS/Zone protection profiles on zones.&nbsp;</P> Wed, 23 Mar 2022 21:29:36 GMT LAYER_8 2022-03-23T21:29:36Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475079#M103423 Tue, 22 Mar 2022 22:14:05 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475079#M103423 Kandarp_Desai 2022-03-22T22:14:05Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475088#M103424 <P>Rather not play with fire and enable DoS protection and Zone protection on all outside interfaces/zones.</P> Wed, 23 Mar 2022 00:36:33 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475088#M103424 addawes 2022-03-23T00:36:33Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475326#M103447 <P>In theory this is still possible. Most DDoS attacks Palo sees now are reflection-based amplification attacks... UDP, not ICMP. (Which sounds like these are allowed in your network).&nbsp;&nbsp;</P><P>&nbsp;</P><P>Mirai botnet... reflected and amplified NTP on IoT devices with outbound rules. Is it harder with only outbound rules and hiding behind NAT? Yes. Impossible? No. Unless you know for certain all current inside devices are clean, and you know where they are 365 days a year, it's still possible. Slim, hence defense in depth, but possible.</P><P>&nbsp;</P><P>Consider also DDoS lives on loads of NAS, routers, home security kits so in some cases reflection/amplification will still come down that IPSec tunnel depending on what terminates it.</P><P>&nbsp;</P><P>+1 on the above for DoS/Zone protection profiles on zones.&nbsp;</P> Wed, 23 Mar 2022 21:29:36 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475326#M103447 LAYER_8 2022-03-23T21:29:36Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475335#M103451 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/205893">@Kandarp_Desai</a> ,</P><P>&nbsp;</P><P>Traffic from the Internet to the public IP (same zone) is allowed by the default intrazone-default rule.&nbsp; You could create an intrazone drop rule to block the traffic, and no DoS should be possible.&nbsp; Remember to create an allow rule for your IPsec tunnel first.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P> Wed, 23 Mar 2022 22:13:47 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-ddos-dos-a-public-ip-which-has-only-outbound/m-p/475335#M103451 TomYoung 2022-03-23T22:13:47Z