topic Re: High amount of traffic to exchange server in General Topics

High amount of traffic to exchange server

Mohammed_Yasin — Tue, 30 Mar 2021 06:22:40 GMT

We are seeing a high amount of traffic coming from outside public IPs to our exchange server. It's more than 2GB and sometimes more than 4GB of traffic. Initially, we blocked these IPs in firewall policy but every time after blocking the IPs, some more new public IPs keep coming with high traffic.

We are suspecting maybe it's some kind of attack because we don't see this high amount of traffic before. Need to investigate this to block the traffic if it's a kind of attack.

Is there any option to configure alerts to receive if anyone IPs utilizing more than 100MB of traffic?

Re: High amount of traffic to exchange server

nikoolayy1 — Tue, 30 Mar 2021 12:00:07 GMT

Have you tried to use DDOS policy that only alerts ?

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/end-a-single-session-dos-attack.html

Also if needed enable addtional treat logs:

https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858

If it is layer 7 ddos you may need to do SSL inbound Decription and make custom signature about how to block the traffic based on common things in the HTTP requests of the attackers. This may help:

https://live.paloaltonetworks.com/t5/automation-api-discussions/version-10-no-7-byte-limit-for-sinatures-examples-for-layer-7-l7/td-p/394734

Re: High amount of traffic to exchange server

kiwi — Tue, 30 Mar 2021 11:59:37 GMT

Hi @Mohammed_Yasin ,

You might want to look into Zone protection / Dos protection :

Cheers !

-Kiwi.