Is it possible to DDoS/DoS a public IP which has only outbound traffic and ipsec tunnel. No DNAT configured and ping disabled.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is it possible to DDoS/DoS a public IP which has only outbound traffic and ipsec tunnel. No DNAT configured and ping disabled.

L2 Linker
 
3 REPLIES 3

L1 Bithead

Rather not play with fire and enable DoS protection and Zone protection on all outside interfaces/zones.

L5 Sessionator

In theory this is still possible. Most DDoS attacks Palo sees now are reflection-based amplification attacks... UDP, not ICMP. (Which sounds like these are allowed in your network).  

 

Mirai botnet... reflected and amplified NTP on IoT devices with outbound rules. Is it harder with only outbound rules and hiding behind NAT? Yes. Impossible? No. Unless you know for certain all current inside devices are clean, and you know where they are 365 days a year, it's still possible. Slim, hence defense in depth, but possible.

 

Consider also DDoS lives on loads of NAS, routers, home security kits so in some cases reflection/amplification will still come down that IPSec tunnel depending on what terminates it.

 

+1 on the above for DoS/Zone protection profiles on zones. 

Help the community! Add tags and mark solutions please.

Cyber Elite
Cyber Elite

Hi @Kandarp_Desai ,

 

Traffic from the Internet to the public IP (same zone) is allowed by the default intrazone-default rule.  You could create an intrazone drop rule to block the traffic, and no DoS should be possible.  Remember to create an allow rule for your IPsec tunnel first.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 2632 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!