Can the PAN device block HTTP Dos Attacks?


Not applicable

Hello Guys,

I'm going to do some service availability tests in the near future. We can't get any information about the attack patterns. The only information we know is that the tester will conduct these attacks:

  • HTTP CC (Cache-Control) attack
  • Slowloris attack
  • HTTP POST attack
  • HTTP hash DoS attack

I'm afraid that those attack patterns seem normal to the PAN device (it's like a brute-force attack, working based on a threshold value).

I've heard that the best way to block these kinds of attacks is setting the server's timeout value or threshold value.

But I have to find some way to do this job with PAN.

Can we block those attacks with an IPS DoS signature or a custom signature? If we can, does anyone know how to set up the custom signature for those attacks?

Regards,


Accepted Solutions
L3 Networker

Hi hjlee.

You can make a custom signature easily using the info below.

(image: 스크린샷 2013-06-27 11.24.41 AM.png)

But it's not an important thing in the real world, because the 7.7 DDoS attack in Korea was certainly not related to the above; HTTP GET flooding and UDP flooding made it.

Thanks.

Regards,

Roh


All Replies
L4 Transporter

Hi

You can find an explanation of DoS protection by Palo Alto in this doc: https://live.paloaltonetworks.com/docs/DOC-5078

But there is no information in this doc about HTTP DDoS.

I'm interested in HTTP DDoS too.

L4 Transporter

HTTP DDoS could be limited by rate limiting.

L5 Sessionator

Ref: Resources Protection, page 38, and

Appendix D: Slow HTTP Test Output

Not applicable

I think these attacks can exhaust server resources with normal HTTP transactions, and before the server reaches its max concurrent connection limit, its resources are worn out.

And PA's DoS Protection uses Layer 3-4 information, while those attacks are based on Layer 7 information (HTTP GET, POST values etc.). In my opinion I should be able to set up an HTTP GET method threshold.

L4 Transporter

You're right about the GET flood, but when a GET request is sent you send a TCP request, and that's why if you implement rate limiting you minimize the impact of this kind of attack.

See how to implement QoS.

Not applicable

I've found one IPS signature which can block the HTTP Slowloris attack.. :smileygrin:

Attack Name: HTTP: Apache Denial Of Service Attempt
Description: This event indicates that someone wants to exhaust the Apache resources, as described by slowloris.
Threat ID: 40018
References: https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40018
Severity: high
Category: brute-force

L4 Transporter

good to know!!

L3 Networker

I think it's not exact for your case. The HTTP: Apache DoS signature is triggered only at 40 times in 60 seconds, and only for Apache-related cases. In my case I created a custom signature for HTTP POST and CC that was blocked in a security rule while having the BMT.
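As an added illustration (not code from the thread or from Palo Alto Networks) of what a threshold like "40 hits in 60 seconds" looks like when checked on the server side, the following Python script counts requests per source IP and HTTP method in a sliding 60-second window over a constructed access log and also reports how many of the flagged requests carried Cache-Control: no-cache, the header pattern behind the "CC attack" in the question. The log layout, the IP addresses and the timestamps are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
# Threshold modelled on the "40 hits in 60 seconds" figure quoted in the thread.
WINDOW_SECONDS = 60
THRESHOLD = 40
# Assumed (constructed) log layout: ip [timestamp] "METHOD path HTTP/x" status "Cache-Control header".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<cc>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def flag_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window request count per (source IP, method). Returns, for every key that
    exceeded the threshold, (peak count in window, how many of those sent Cache-Control: no-cache)."""
    windows = defaultdict(deque)  # (ip, method) -> (timestamp, no_cache_flag) within the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["method"])
        q = windows[key]
        q.append((rec["ts"], rec["cc"].lower() == "no-cache"))
        while (rec["ts"] - q[0][0]).total_seconds() > window:  # evict entries older than the window
            q.popleft()
        if len(q) > threshold and len(q) > flagged.get(key, (0, 0))[0]:
            flagged[key] = (len(q), sum(1 for _, nc in q if nc))
    return flagged

def sample_lines():
    """Constructed sample: 198.51.100.7 sends 45 no-cache GETs in 45 s; 203.0.113.5 browses normally."""
    t0 = datetime(2013, 6, 27, 11, 24, 41, tzinfo=timezone.utc)
    def line(ip, offset, method, cc):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} [{ts}] "{method} /index.html HTTP/1.1" 200 "{cc}"'
    events = [(i, line("198.51.100.7", i, "GET", "no-cache")) for i in range(45)]
    events += [(i * 10, line("203.0.113.5", i * 10, "GET", "-")) for i in range(5)]
    return [text for _, text in sorted(events)]
```

Running `flag_floods(sample_lines())` flags only the flooding source with a peak of 45 requests, all of them no-cache, while the normal browser stays below the threshold.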

Not applicable

Dear My Lovely Roh..

Can you send me the custom signature information that you used for the BMT? :smileygrin:

Thanks ahead..
