topic Re: DOS protection alert test in General Topics

DOS protection alert test

raji_toor — Thu, 04 Oct 2018 17:47:31 GMT

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClL3CAK

I am using the above linked KB to create DOS profile and policy for a particular server, but i have not changed the defaults as i donot want it start actioning on it right away. I have set the alarm rate to 1 and 2 connections per second for classified and aggregate profiles. Although this is a busy server i donot see any alerts.

Re: DOS protection alert test

BPry — Thu, 04 Oct 2018 18:52:34 GMT

@raji_toor,

That article is only going into how to build out the profile. You need to build this into a DoS Protection Policy so that it actually works. Look under the 'Policies' > 'DoS Protection' on the GUI and build out the policy there.

FYI, make sure you've set your 'activate' and 'maximum' values way past what you would ever expect them to be if you don't want this to do anything for the traffic, esspecially if you've created aggregate profiles instead of Classified.

Re: DOS protection alert test

raji_toor — Thu, 04 Oct 2018 19:44:55 GMT

@BPry I used the document step by step, creating profiles and then using those profile in DOS policy. Also as the document shows server is behind NAT with DOS policy selected as untrust to untrust. And thanks for reminding me again, yes the activate and maximum values are way past.

show dos-protection rule TEST-DOS settings

Rule: TEST-DOS, idx: 0, id: 4
Aggregate profile: TEST-DOS-AGG
Classified profile: TEST-DOS-CLA
Classification Criteria: source-only
Action: protect
Log Forwarding profile: Panorama

Aggregate profile: TEST-DOS-AGG
------------------------------------------------------------------------------------------
tcp-syn SYN cookie enabled: yes
DP alarm rate: 2 cps, activate rate: 40000 cps, maximal rate: 40000 cps
block duration: 300 sec
------------------------------------------------------------------------------------------
udp RED enabled: yes
DP alarm rate: 2 cps, activate rate: 40000 cps, maximal rate: 40000 cps
block duration: 300 sec
------------------------------------------------------------------------------------------
icmp RED enabled: yes
DP alarm rate: 2 cps, activate rate: 40000 cps, maximal rate: 40000 cps
block duration: 300 sec
------------------------------------------------------------------------------------------
other-ip RED enabled: yes
DP alarm rate: 2 cps, activate rate: 40000 cps, maximal rate: 40000 cps
block duration: 300 sec
------------------------------------------------------------------------------------------
icmpv6 RED enabled: no
------------------------------------------------------------------------------------------
session: enabled: yes
DP limit: 40000
------------------------------------------------------------------------------------------

show dos-protection rule TEST-DOS statistics

Rule: TEST-DOS, idx: 0, id: 4
Aggregate profile: TEST-DOS-AGG
Classified profile: TEST-DOS-CLA
Classification Criteria: source-only
Action: protect
Log Forwarding profile: Panorama

Aggregate profile: TEST-DOS-AGG
------------------------------------------------------------------------------------------
tcp-syn
current: 3, dropped: 0
------------------------------------------------------------------------------------------
udp
current: 0, dropped: 0
------------------------------------------------------------------------------------------
icmp
current: 0, dropped: 0
------------------------------------------------------------------------------------------
other-ip
current: 0, dropped: 0
------------------------------------------------------------------------------------------
icmpv6
current: 0, dropped: 0
------------------------------------------------------------------------------------------
sessions
current: 331, dropped: 0
------------------------------------------------------------------------------------------

Classified profile: TEST-DOS-CLA
------------------------------------------------------------------------------------------
tcp-syn
current: 0, dropped: 0
------------------------------------------------------------------------------------------
udp
current: 0, dropped: 0
------------------------------------------------------------------------------------------
icmp
current: 0, dropped: 0
------------------------------------------------------------------------------------------
other-ip
current: 0, dropped: 0
------------------------------------------------------------------------------------------
icmpv6
current: 0, dropped: 0
------------------------------------------------------------------------------------------
sessions
current: 331, dropped: 0
ip tracked: 470, ip blocked: 0
------------------------------------------------------------------------------------------

Re: DOS protection alert test

raji_toor — Thu, 04 Oct 2018 20:32:51 GMT

I was looking at wrong place. I was searching for server IP as destination in threat logs, but instead it shows up as TCP Flood with source and destination both as 0.0.0.0.

How would i tell from these logs, which one of our servers are being targeted.

Re: DOS protection alert test

BPry — Thu, 04 Oct 2018 21:32:53 GMT

@raji_toor,

By the name of the policy. The logs that get generated don't offer much additional information you could use to identify which servers are actively being targeted.

Re: DOS protection alert test

raji_toor — Fri, 05 Oct 2018 16:23:32 GMT

@BPry Any thoughts on how would that be achieved.

Re: DOS protection alert test

BPry — Fri, 05 Oct 2018 16:47:11 GMT

@raji_toor,

If you go into the log details under 'General' you'll see the actual rule that was triggered. If you setup a forwarding for these logs to say your email, it will also include this information.

Re: DOS protection alert test

raji_toor — Fri, 05 Oct 2018 17:06:02 GMT

@BPry Yes i get that the rule name will help in identifying what server is being targeted. But that also means i have to create a separate DOS rule for each of our servers.

Re: DOS protection alert test

BPry — Fri, 05 Oct 2018 17:11:05 GMT

@raji_toor,

Well...ya...but wouldn't you want to as no one service will baseline the same as another. For instance I break ours out to the service level and then set classified profiles to utilize source and destination IP. I don't necissarly care what individual server is being hit, I care that the service itself has bypassed norms.

So for example I might have a DoS profile for any publically available service, so 'Mail' 'Docs' 'MapServices', 'WiseDecade' and the like would all get their own individual DoS policy. If you break it up on the service level you don't necissarly need to do one for each server, just each public service.