<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DOS protection rule in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160239#M52258</link>
    <description>&lt;P&gt;FYI I am just investigating a rule that someone wants to put in and am really looking for the best way to stop a denial of service attack&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 08 Jun 2017 15:27:54 GMT</pubDate>
    <dc:creator>jdprovine</dc:creator>
    <dc:date>2017-06-08T15:27:54Z</dc:date>
    <item>
      <title>DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160061#M52207</link>
      <description>&lt;P&gt;We are thinking of creating a DoS rule and I was wondering what the group thinks of this rule and what effect it would have. &amp;nbsp;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DoSrule.PNG" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9583i62EDDA6C5692149B/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="DoSrule.PNG" alt="DoSrule.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 07 Jun 2017 21:04:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160061#M52207</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2017-06-07T21:04:17Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160071#M52208</link>
      <description>&lt;P&gt;I like this article. This requires planning a bit........:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 07 Jun 2017 21:11:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160071#M52208</guid>
      <dc:creator>TranceforLife</dc:creator>
      <dc:date>2017-06-07T21:11:35Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160073#M52210</link>
      <description>&lt;P&gt;Action "deny" does exactly what it says - it denies traffic.&lt;/P&gt;&lt;P&gt;Same as you block in security policy.&lt;/P&gt;&lt;P&gt;Don't enable this rule.&lt;/P&gt;&lt;P&gt;What you want to do is to "protect"&lt;/P&gt;</description>
      <pubDate>Wed, 07 Jun 2017 21:18:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160073#M52210</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2017-06-07T21:18:55Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160205#M52241</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt;&lt;/P&gt;&lt;P&gt;So basically without a profile attached to this rule it is going to deny all traffic coming from the outside zone as a source to the destination zones of DMZ, net-services and working. So my question is why is there an option to do this without a profile, either to deny or block; seems like protect should be your only option.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 13:02:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160205#M52241</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2017-06-08T13:02:09Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160206#M52242</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37163"&gt;@TranceforLife&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Yes I downloaded that and I do think it's a good article, thanks. So is anyone doing DoS protection and how is it working for you?&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 13:03:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160206#M52242</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2017-06-08T13:03:11Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160207#M52243</link>
      <description>&lt;P&gt;I don't know why there is deny option.&lt;/P&gt;&lt;P&gt;I guess it is assumed you have DoS profile in place and if you fall under attack and suddenly want to block this traffic completely you can do so.&lt;/P&gt;&lt;P&gt;But yes this option will just deny like security policy.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 13:04:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160207#M52243</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2017-06-08T13:04:50Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160210#M52244</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Thanks, that's exactly what I thought too &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 13:10:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160210#M52244</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2017-06-08T13:10:53Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160229#M52252</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Are you using DoS protection on your firewall? Can you add DoS protection as a profile onto your policies? I don't see a way to do that, or do they stand alone?&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 14:09:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160229#M52252</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2017-06-08T14:09:48Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160230#M52253</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt; wrote:&lt;BR /&gt;&lt;P&gt;I don't know why there is deny option.&lt;/P&gt;&lt;P&gt;I guess it is assumed you have DoS profile in place and if you fall under attack and suddenly want to block this traffic completely you can do so.&lt;/P&gt;&lt;P&gt;But yes this option will just deny like security policy.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;It's not exactly the same as security policies ... at least on more powerful hardware with FPGAs (I don't know exactly which hardware has specific FPGAs and for what features) ...&lt;/P&gt;&lt;P&gt;because DoS policies are processed first, so if you are under attack or want to drop a lot of traffic because of another reason, doing this with DoS policies will affect your DP processor much less than dropping the traffic in later stages of the packet processing (security policy)&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 14:19:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160230#M52253</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-06-08T14:19:22Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160231#M52254</link>
      <description>&lt;P&gt;So it isn't added as a profile to an existing policy but is hit first and then goes to the policies&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 14:38:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160231#M52254</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2017-06-08T14:38:09Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160237#M52256</link>
      <description>&lt;P&gt;DoS protection can be set at 2 places.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One is zone protection profile that is processed first.&lt;/P&gt;&lt;P&gt;It is highly suggested to set it up because it does not take too much bandwidth to fill firewall session table with lots of hping requests and take you offline.&lt;/P&gt;&lt;P&gt;Downside is that you don't see IPs in log (but in case of DoS do you need to see all those IPs?).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Second place is DoS policy, which we are currently discussing.&lt;/P&gt;&lt;P&gt;This is good to use if you need to protect specific resource or you are service provider and need to limit how many concurrent sessions specific server or client can have.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also don't use "random early drop" but "syn cookies" &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 14:59:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160237#M52256</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2017-06-08T14:59:40Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160238#M52257</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719"&gt;@jdprovine&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;To add, the initial policy rule that you have in your screenshot is a really poor use of the DoS protection profile and it looks like you are attempting to do Zone protection in the wrong area. When you build out DoS protection profiles you should attempt to limit them to your public services and set them up specific to that, for example you would have one for SMTP, one for DNS, one for any service that you have open to the outside world if that's doable.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also when you are making this policy it's probably best to put things into an Allow action and look at the logs specifically so that this doesn't actually start affecting traffic until you have a baseline of the rates that are normal for your public services. DoS profiles take a little bit of time to actually set up properly and ensure that you have everything correct before you start allowing it to take action against traffic.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 15:26:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160238#M52257</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-06-08T15:26:04Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160239#M52258</link>
      <description>&lt;P&gt;FYI I am just investigating a rule that someone wants to put in and am really looking for the best way to stop a denial of service attack&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 15:27:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160239#M52258</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2017-06-08T15:27:54Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160241#M52260</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&lt;/P&gt;&lt;P&gt;So if we did want to do DoS, the best way would be to start out with the allow action and base the profiles on that information.&amp;nbsp;&lt;/P&gt;&lt;P&gt;So should I have both DoS and Zone protection set up? I think the main focus is to make sure we are not disabled by a DoS attack and we need to figure out the best way to do that&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 15:36:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160241#M52260</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2017-06-08T15:36:32Z</dc:date>
    </item>
    <item>
      <title>Re: DOS protection rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160243#M52261</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719"&gt;@jdprovine&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;I would generally want to see both a Zone Protection profile in place along with DoS policies for any public service when setting up a firewall. Zone Protection is a good way to limit everything from a ZONE level, this protection profile however isn't specific as it looks at an entire Zone and you set limits at that level.&amp;nbsp;&lt;/P&gt;&lt;P&gt;The DoS protection profile you can get way more granular, so for example we have a public DNS server that would be vulnerable to multiple types of attack I can protect that so that it doesn't get flooded and I can limit the amount of traffic to something that would be a 'normal' rate.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Obviously before you actually set up a DoS or a Zone Protection profile with an 'Activate' and 'Maximum' value you would want to keep lowering your 'Alert' value or someone keep track of what your normal traffic rate is. If you set up your Activate and Maximum values without knowing your normal traffic rate then your DoS and Zone Protection profiles are going to be pretty much useless as it wouldn't take your actual traffic rate into account.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2017 15:46:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-protection-rule/m-p/160243#M52261</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-06-08T15:46:40Z</dc:date>
    </item>
  </channel>
</rss>

