Distributed Denial of Service (DDoS), what can I do to protect myself?
by reaper, 02-15-2017 01:22 AM - edited 03-06-2017 10:43 AM
Distributed Denial of Service (or DDoS for short) attacks are all too common in today's Internet of Things. It's very cheap to rent (yes, people are renting infected machines!) an army of infected hosts (including infected refrigerators and home thermostats!) to lay siege to a network of your choosing.
Because it has gotten so easy to organize a DDoS attack, the reasons behind such attacks have gotten more diverse as well. In the past one needed skill and determination, so attacks were ideological or for massive profit. Today, disgruntled employees or upset neighbours with a little internet savvy could set up a DDoS on their target of choice.
Luckily, defending against these sorts of attacks is not that difficult. I'm going to highlight some of the available options below (and have provided links to more complete HowTo materials at the bottom if you want to dig deeper).
One important thing to note before we get started is that Zone Protection provides protection at the ingress zone, the zone where traffic enters the firewall. So if you want to protect your DMZ from traffic originating from the internet (untrust), you will need to add a protection profile on the untrust interface.
The first tab of the zone protection profile (under Network > Network Profiles > Zone Protection) lands you on the settings you need:
There are 2 types of protection available: Random Early Drop and SYN cookies. Each requires a slightly different approach to the Activate and Alert thresholds:
Random Early Drop will randomly discard SYN packets once the Activate threshold is surpassed, and will discard increasingly more packets the closer the total connections per second get to the Maximum limit. Once the Maximum limit is reached, all new SYN packets exceeding the maximum connections per second will be discarded. Since this method indiscriminately discards SYN packets, it is recommended to set the Activate rate as high as possible (some research is required to determine your network's baseline).
A more intelligent method, which I'd recommend, is the SYN cookie, where the firewall acts as a handshake proxy: incoming SYN packets are not immediately put into the session table; instead, a cookie is generated and sent back to the source. If the sender fails to respond with an appropriate ACK containing the cookie, or does not respond at all, the SYN packet is dropped and no session gets created. If the source does reply, the SYN is passed along to the internal server and a session is created. SYN cookies are safe to activate at 1 connection per second.
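A simplified model of the SYN cookie handshake proxy described above, as an added example that is not from the original article and is not PAN-OS code. The cookie derivation (an HMAC over the 4-tuple and a 64-second time slot), the key, the addresses and all names are assumptions for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"  # constructed; a real device would use a random key
SLOT_SECONDS = 64                 # assumption: how long a cookie stays valid
MASK32 = 0xFFFFFFFF


def cookie(flow, slot, secret=SECRET):
    """32-bit value derived from the flow 4-tuple and a coarse time slot."""
    msg = (socket.inet_aton(flow[0]) + socket.inet_aton(flow[2])
           + struct.pack("!HHQ", flow[1], flow[3], slot))
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


class SynProxy:
    def __init__(self):
        self.sessions = set()  # filled only after a completed handshake

    def on_syn(self, flow, now):  # answer a SYN with a cookie; nothing is stored
        return cookie(flow, int(now) // SLOT_SECONDS)

    def on_ack(self, flow, ack_number, now):
        """Create a session only if the ACK acknowledges cookie + 1."""
        slot = int(now) // SLOT_SECONDS
        for s in (slot, slot - 1):  # current and previous slot are accepted
            if ack_number == (cookie(flow, s) + 1) & MASK32:
                self.sessions.add(flow)
                return True
        return False


def demo():
    proxy, t0, server = SynProxy(), 1_000_000, ("203.0.113.10", 443)
    # Constructed traffic: 1000 spoofed SYNs whose senders never answer.
    for i in range(1000):
        proxy.on_syn((f"198.51.100.{i % 254 + 1}", 1024 + i) + server, t0)
    after_flood = len(proxy.sessions)
    client = ("192.0.2.7", 50000) + server
    isn = proxy.on_syn(client, t0)
    accepted = proxy.on_ack(client, (isn + 1) & MASK32, t0 + 2)
    guessed = proxy.on_ack(("198.51.100.9", 4444) + server, 12345, t0 + 2)
    return after_flood, accepted, guessed, len(proxy.sessions)


if __name__ == "__main__":
    print(demo())
```

The flood leaves the session table empty because the proxy recomputes the cookie from the returning ACK instead of remembering each SYN, which is why this mode can be activated at a very low rate without penalising legitimate clients.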
Furthermore, you can activate a few other protections:
Reconnaissance Protection prevents culprits from scanning your valuables
Packet Based Attacks blocks malformed (malicious or otherwise) packets from entering your network
and Protocol Protection allows you to integrally block (include or exclude) any protocols you might not like (like PPP or GRE)
Keep in mind that zone protection will cover a whole 'zone', which may include several different client-server permutations, and the total throughput for the zone may not correspond to what one single server is able to endure: a more subtle version of DDoS may target a single server to just bring it to the brink of failure, but not trigger the whole Zone Protection.
To protect a single resource, DoS protection policies can be created to apply finely tuned micro-profiles:
The principles are the same as zone protection, except the values are tuned to the server's limits. A block duration was added to put any offending source IP addresses on a block list for a duration of time, and the maximum concurrently active sessions can also be regulated, so as not to oversubscribe a server.
For a complete guide (including a HowTo video), check out these articles: