DOS protection alert test

Reply
L4 Transporter

DOS protection alert test

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClL3CAK

 

I am using the above linked KB to create DOS profile and policy for a particular server, but i have not changed the defaults as i donot want it start actioning on it right away. I have set the alarm rate to 1 and 2 connections per second for classified and aggregate profiles. Although this is a busy server i donot see any alerts.


Accepted Solutions
Cyber Elite

@raji_toor,

Well...ya...but wouldn't you want to as no one service will baseline the same as another. For instance I break ours out to the service level and then set classified profiles to utilize source and destination IP. I don't necissarly care what individual server is being hit, I care that the service itself has bypassed norms. 

So for example I might have a DoS profile for any publically available service, so 'Mail' 'Docs' 'MapServices', 'WiseDecade' and the like would all get their own individual DoS policy. If you break it up on the service level you don't necissarly need to do one for each server, just each public service. 

View solution in original post


All Replies
Cyber Elite

@raji_toor,

That article is only going into how to build out the profile. You need to build this into a DoS Protection Policy so that it actually works. Look under the 'Policies' > 'DoS Protection' on the GUI and build out the policy there. 

FYI, make sure you've set your 'activate' and 'maximum' values way past what you would ever expect them to be if you don't want this to do anything for the traffic, esspecially if you've created aggregate profiles instead of Classified. 

L4 Transporter

@BPry I used the document step by step, creating profiles and then using those profile in DOS policy. Also as the document shows server is behind NAT with DOS policy selected as untrust to untrust. And thanks for reminding me again, yes the activate and maximum values are way past.

 

show dos-protection rule TEST-DOS settings

Rule: TEST-DOS, idx: 0, id: 4
Aggregate profile: TEST-DOS-AGG
Classified profile: TEST-DOS-CLA
Classification Criteria: source-only
Action: protect
Log Forwarding profile: Panorama


Aggregate profile: TEST-DOS-AGG
------------------------------------------------------------------------------------------
tcp-syn SYN cookie enabled: yes
DP alarm rate: 2 cps, activate rate: 40000 cps, maximal rate: 40000 cps
block duration: 300 sec
------------------------------------------------------------------------------------------
udp RED enabled: yes
DP alarm rate: 2 cps, activate rate: 40000 cps, maximal rate: 40000 cps
block duration: 300 sec
------------------------------------------------------------------------------------------
icmp RED enabled: yes
DP alarm rate: 2 cps, activate rate: 40000 cps, maximal rate: 40000 cps
block duration: 300 sec
------------------------------------------------------------------------------------------
other-ip RED enabled: yes
DP alarm rate: 2 cps, activate rate: 40000 cps, maximal rate: 40000 cps
block duration: 300 sec
------------------------------------------------------------------------------------------
icmpv6 RED enabled: no
------------------------------------------------------------------------------------------
session: enabled: yes
DP limit: 40000
------------------------------------------------------------------------------------------

 

show dos-protection rule TEST-DOS statistics

Rule: TEST-DOS, idx: 0, id: 4
Aggregate profile: TEST-DOS-AGG
Classified profile: TEST-DOS-CLA
Classification Criteria: source-only
Action: protect
Log Forwarding profile: Panorama


Aggregate profile: TEST-DOS-AGG
------------------------------------------------------------------------------------------
tcp-syn
current: 3, dropped: 0
------------------------------------------------------------------------------------------
udp
current: 0, dropped: 0
------------------------------------------------------------------------------------------
icmp
current: 0, dropped: 0
------------------------------------------------------------------------------------------
other-ip
current: 0, dropped: 0
------------------------------------------------------------------------------------------
icmpv6
current: 0, dropped: 0
------------------------------------------------------------------------------------------
sessions
current: 331, dropped: 0
------------------------------------------------------------------------------------------


Classified profile: TEST-DOS-CLA
------------------------------------------------------------------------------------------
tcp-syn
current: 0, dropped: 0
------------------------------------------------------------------------------------------
udp
current: 0, dropped: 0
------------------------------------------------------------------------------------------
icmp
current: 0, dropped: 0
------------------------------------------------------------------------------------------
other-ip
current: 0, dropped: 0
------------------------------------------------------------------------------------------
icmpv6
current: 0, dropped: 0
------------------------------------------------------------------------------------------
sessions
current: 331, dropped: 0
ip tracked: 470, ip blocked: 0
------------------------------------------------------------------------------------------

L4 Transporter

I was looking at wrong place. I was searching for server IP as destination in threat logs, but instead it shows up as TCP Flood with source and destination both as 0.0.0.0.

 

How would i tell from these logs, which one of our servers are being targeted.

Cyber Elite

@raji_toor,

By the name of the policy. The logs that get generated don't offer much additional information you could use to identify which servers are actively being targeted. 

L4 Transporter

@BPry Any thoughts on how would that be achieved.

Cyber Elite

@raji_toor,

If you go into the log details under 'General' you'll see the actual rule that was triggered. If you setup a forwarding for these logs to say your email, it will also include this information. 

L4 Transporter

@BPry Yes i get that the rule name will help in identifying what server is being targeted. But that also means i have to create a separate DOS rule for each of our servers.

Cyber Elite

@raji_toor,

Well...ya...but wouldn't you want to as no one service will baseline the same as another. For instance I break ours out to the service level and then set classified profiles to utilize source and destination IP. I don't necissarly care what individual server is being hit, I care that the service itself has bypassed norms. 

So for example I might have a DoS profile for any publically available service, so 'Mail' 'Docs' 'MapServices', 'WiseDecade' and the like would all get their own individual DoS policy. If you break it up on the service level you don't necissarly need to do one for each server, just each public service. 

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!