<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Will DoS Protection Block IP or Block Service of IP when Max Rate Threshold is Exceeded? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/will-dos-protection-block-ip-or-block-service-of-ip-when-max/m-p/394569#M91156</link>
    <description>&lt;P&gt;To add a little background, I got around 800Kpps of UDP port 80 DDoS, which overran the on-chip buffer descriptor and packet buffer, resulting in good traffic drops.&amp;nbsp; The target server is a web server, and the security policy is permitting TCP port 80 and 443.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to see how I can use DoS to protect ports without a service running. Ultimately, I am thinking about how I can utilize DoS to drop&amp;nbsp;&lt;STRONG&gt;flow_policy_deny&amp;nbsp;&lt;/STRONG&gt;traffic in the fastpath or offload path, as described in the KB below:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBjNCAW&amp;amp;lang=en_US%E2%80%A9" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBjNCAW&amp;amp;lang=en_US%E2%80%A9&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif" size="3"&gt;HIGH ON-CHIP DESCRIPTOR AND PACKET BUFFER USAGE DUE TO POLICY DENY RESULTING IN TRAFFIC LATENCY AND DROPS&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sat, 27 Mar 2021 11:51:36 GMT</pubDate>
    <dc:creator>Shiling</dc:creator>
    <dc:date>2021-03-27T11:51:36Z</dc:date>
    <item>
      <title>Will DoS Protection Block IP or Block Service of IP when Max Rate Threshold is Exceeded?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/will-dos-protection-block-ip-or-block-service-of-ip-when-max/m-p/394530#M91155</link>
      <description>&lt;P&gt;For the following scenario, will DoS block the destination IP or block the service of the destination IP?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If a DoS protection policy includes a destination IP and Services to protect an internet-facing server, for example source any, destination 1.1.1.1, service UDP port 80, then action protection, address destination-ip-only and a DoS security profile which will only check UDP Flood CPS. When there is a DoS attack on UDP port 80, DoS protection kicks in and the max rate is exceeded, will only UDP port 80 traffic to 1.1.1.1 be dropped, or will all traffic to destination 1.1.1.1 be dropped by DoS protection? I am hoping the former will be true, since the latter one basically completes the goal of bringing the target IP 1.1.1.1 offline.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Does DoS protection use the block-table only to check for future drops, or a combination of the session table and block-table?&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-policy-rules" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-policy-rules&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;In addition to protecting service ports in use on critical servers, you can also protect against DoS attacks on the unused service ports of critical servers. For critical systems, you can do this by creating one DoS Protection policy rule and profile to protect ports with services running, and a different DoS Protection policy rule and profile to protect ports with no services running.
For example, you can protect a web server’s normal service ports, such as 80 and 443, with one policy/profile, and protect all of the other service ports with the other policy/profile. Be aware of the firewall’s capacity so that servicing the DoS counters doesn’t impact performance.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thanks,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Shiling&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 27 Mar 2021 00:45:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/will-dos-protection-block-ip-or-block-service-of-ip-when-max/m-p/394530#M91155</guid>
      <dc:creator>Shiling</dc:creator>
      <dc:date>2021-03-27T00:45:59Z</dc:date>
    </item>
    <item>
      <title>Re: Will DoS Protection Block IP or Block Service of IP when Max Rate Threshold is Exceeded?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/will-dos-protection-block-ip-or-block-service-of-ip-when-max/m-p/394569#M91156</link>
      <description>&lt;P&gt;To add a little background, I got around 800Kpps of UDP port 80 DDoS, which overran the on-chip buffer descriptor and packet buffer, resulting in good traffic drops.&amp;nbsp; The target server is a web server, and the security policy is permitting TCP port 80 and 443.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to see how I can use DoS to protect ports without a service running. Ultimately, I am thinking about how I can utilize DoS to drop&amp;nbsp;&lt;STRONG&gt;flow_policy_deny&amp;nbsp;&lt;/STRONG&gt;traffic in the fastpath or offload path, as described in the KB below:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBjNCAW&amp;amp;lang=en_US%E2%80%A9" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBjNCAW&amp;amp;lang=en_US%E2%80%A9&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif" size="3"&gt;HIGH ON-CHIP DESCRIPTOR AND PACKET BUFFER USAGE DUE TO POLICY DENY RESULTING IN TRAFFIC LATENCY AND DROPS&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 27 Mar 2021 11:51:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/will-dos-protection-block-ip-or-block-service-of-ip-when-max/m-p/394569#M91156</guid>
      <dc:creator>Shiling</dc:creator>
      <dc:date>2021-03-27T11:51:36Z</dc:date>
    </item>
  </channel>
</rss>

