topic Re: TCP / UDP Flood in General Topics

TCP / UDP Flood

s_quasar — Tue, 12 Nov 2019 16:40:12 GMT

Hi all,

I have set up a dos rule from outside to my server zone.

Why sometimes I can see attacker and victim IP and sometimes not?

Re: TCP / UDP Flood

myky — Tue, 12 Nov 2019 17:12:42 GMT

Its is expected:

chrome-extension://oemmndcbldboiebfnladdacbdfmadadm/https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000D82ZAAS&field=Attachment_1__Body__s

Re: TCP / UDP Flood

BPry — Tue, 12 Nov 2019 22:13:59 GMT

@s_quasar,

Depends heavily on what type of profile you have configured and what profile they actually hit; Classified will be able to provide you a source-ip because there is a sole address to give you, while Aggregate won't give you a source-ip because it accounts for anything connecting to that protected resource.

Re: TCP / UDP Flood

s_quasar — Tue, 12 Nov 2019 22:21:37 GMT

I supposed this. Maybe I can see specific IP attacker and victim because before I activeted a classified rule (now is aggregate).

See the IPs is very useful because I can check in other websites if it is a bad or good IP.

Maybe I can use an aggregate rule as a test and than activete again a classified rule.

Re: TCP / UDP Flood

BPry — Tue, 12 Nov 2019 22:30:09 GMT

@s_quasar,

Remember that you can assign both an aggregate profile and a classified profile in the same DoS entry. If you are just working on building these out now, it might be best to follow this method:

Set Alarm connection rates about where you expect it to be
Set Activate Rate to an extremely high value (100,000)
Set Max Rate to an extremely high value (100,000)

You can play around with the alarm rate and watch the logs to see when you actually start getting alerts and start to narrow down what your Activate and Max rates should be under normal traffic loads. The only thing that you won't be able to really analyze like this is the max concurrent session limit, but that should be easily generated from your logs and your session table over a period of time.