DoS & Zone with no downtime



L4 Transporter

I watched a webinar on DoS protection the other day and they brought up a good point that I want to know if it is possible on the PA. They mentioned that setting up DoS can mitigate the DoS attack but also interrupt system availability, "throwing the baby out with the bath water".   How can I have a proactive response?   Stop it before it interferes? (I tried to quote Barney Fife but it wouldn't let me)


Cyber Elite


What we do is set the action to block-ip for an hour. That way it's less impactful. However, the only way to block it from hitting the PAN in the first place would be to contact your ISP and ask them to perform the blocks of those IPs that are attacking you.


Hope that makes sense.




Interesting approach, so your ISP is willing to protect you against DoS attacks? I don't usually deal with the ISP, of which we have 3, but it would be worth asking. But it sounds like you are asked to provide specific IP addresses; how do you deal with a sudden DoS attack?

When you do your 1 hour block are you just blocking a specific IP? I am hoping to not block any operations on my side but only block the DoS attack.


Yes, the block-ip option only blocks the IP address the attack was coming from. So unless there are normal business operations that look like attacks, you should be OK. Also, when/if we ask the ISP to block a certain IP address for us, it is only that IP address going to our IP space. This is something I have only done once in my career.


Hope that helps.


So what kind of fee does the ISP charge you for this kind of service?

Obviously every ISP is different. However in our case it was at no cost.




WOW 😮 lucky you

Many ISPs offer a Remote Trigger Black Hole to BGP peered clients as part of the service.  You can advertise any /32 of your own IP space to the peer and the ISP will then upstream black hole traffic being sent to that IP address.


Obviously, when you choose to do this the DDoS has won as you are voluntarily taking the IP address from your own space offline.  But this can be the best option available to prevent collateral damage in an active attack.


You can also change DNS for the applications under attack to use a different IP in your space at the same time to transition the service.  In anticipation of this type of move you should set a TTL of 5 minutes on your production DNS records that may make use of this method to assist in transitioning them in a reasonable amount of time should the need arise.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
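To illustrate the RTBH mechanism described in the post above, here is an added example (not from the thread or from any vendor) that builds the /32 announcement and refuses anything that is not a single host inside your own address space, since a typo here would blackhole your whole block or someone else's address. The prefixes, next-hop and ExaBGP-style announce syntax are assumptions; the BLACKHOLE community 65535:666 is the well-known value from RFC 7999, but confirm the exact community your ISP expects.

```python
import ipaddress

# Constructed example values (documentation ranges), not from the thread.
OWN_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community
NEXT_HOP = "192.0.2.1"             # hypothetical discard next-hop agreed with the ISP


def rtbh_announcement(victim_ip: str, own_prefixes=OWN_PREFIXES) -> str:
    """Return an ExaBGP-style 'announce route' line asking the upstream to
    drop traffic for exactly one address in our own space.

    Raises ValueError if the target is wider than a single host or lies
    outside our own allocations, so an operator cannot accidentally
    withdraw the whole block or announce someone else's IP.
    """
    # strict=True rejects "203.0.113.10/24" style inputs with host bits set.
    target = ipaddress.ip_network(victim_ip, strict=True)
    if target.prefixlen != target.max_prefixlen:
        raise ValueError(f"RTBH must target a single host, got {target}")
    # Compare only against prefixes of the same address family.
    if not any(p.version == target.version and target.subnet_of(p)
               for p in own_prefixes):
        raise ValueError(f"{target} is not inside our own IP space; refusing")
    return (f"announce route {target} next-hop {NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def rtbh_withdrawal(victim_ip: str, own_prefixes=OWN_PREFIXES) -> str:
    """Matching withdraw line for when the attack subsides; same checks apply."""
    return rtbh_announcement(victim_ip, own_prefixes).replace("announce", "withdraw", 1)


if __name__ == "__main__":
    print(rtbh_announcement("203.0.113.10"))
    print(rtbh_withdrawal("203.0.113.10"))
```

Pair the announcement with the DNS move the post describes: the blackholed address stays dark until you withdraw it, so the service must already be reachable on its new IP before clients' short-TTL records expire.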

L2 Linker

Most ISPs offer DDOS protection at additional cost. This is ideal as just relying on blocking only at the firewall level can still overwhelm an internet circuit, better to block upstream where possible.
