Will DoS Protection Block IP or Block Service of IP when Max Rate Threshold is Exceeded?


L0 Member

For the following scenario, will DoS protection block the destination IP, or block only the service on the destination IP?

If a DoS protection policy includes a destination IP and services to protect an internet-facing server, for example source any, destination 1.1.1.1, service UDP port 80, then action protect, address destination-ip-only, and a DoS protection profile that only checks UDP flood CPS. When there is a DoS attack on UDP port 80, DoS protection kicks in and the max rate is exceeded, will only UDP port 80 traffic to 1.1.1.1 be dropped, or will all traffic to destination 1.1.1.1 be dropped by DoS protection? I am hoping the former is true, since the latter basically completes the goal of bringing the target IP 1.1.1.1 offline.

Does DoS protection use the block table only to decide future drops, or a combination of the session table and the block table?

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-de...

 

In addition to protecting service ports in use on critical servers, you can also protect against DoS attacks on the unused service ports of critical servers. For critical systems, you can do this by creating one DoS Protection policy rule and profile to protect ports with services running, and a different DoS Protection policy rule and profile to protect ports with no services running. For example, you can protect a web server’s normal service ports, such as 80 and 443, with one policy/profile, and protect all of the other service ports with the other policy/profile. Be aware of the firewall’s capacity so that servicing the DoS counters doesn’t impact performance.

Thanks,

Shiling

1 REPLY

L0 Member

To add a little background, I got around 800 Kpps of UDP port 80 DDoS, which overran the on-chip buffer descriptors and packet buffer and resulted in good traffic being dropped. The target server is a web server, and the security policy permits TCP ports 80 and 443.

I am trying to see how I can use DoS protection to protect ports with no service running. Ultimately, I am thinking about how I can use DoS protection to drop flow_policy_deny traffic in the fastpath or offload path, as described in the KB below:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBjNCAW&lang=en_US%E2%80%A...

HIGH ON-CHIP DESCRIPTOR AND PACKET BUFFER USAGE DUE TO POLICY DENY RESULTING IN TRAFFIC LATENCY AND DROPS
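The two-rule layout the quoted documentation describes, as an added example that is not from this thread or from Palo Alto Networks: PAN-OS set-style configuration for the server in the question, using the 1.1.1.1 host and the tcp/80 and tcp/443 services from the thread. The CLI keywords, profile and rule names, and threshold values are assumptions for illustration; verify them against the CLI reference for your PAN-OS version before committing.

```text
# Added example (not from the thread or from Palo Alto Networks docs).
# Keywords, names, thresholds and 1.1.1.1 are assumptions for illustration.

# Profile for the ports that actually serve traffic (tcp/80, tcp/443):
# thresholds sized to the server's legitimate connection rate.
set profiles dos-protection web-ports type classified
set profiles dos-protection web-ports flood tcp-syn enable yes
set profiles dos-protection web-ports flood tcp-syn red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
set profiles dos-protection web-ports flood tcp-syn block duration 300

# Profile for every other port on the same host: no legitimate service
# listens there, so the thresholds can be far lower.
set profiles dos-protection unused-ports type classified
set profiles dos-protection unused-ports flood udp enable yes
set profiles dos-protection unused-ports flood udp red alarm-rate 100 activate-rate 100 maximal-rate 1000
set profiles dos-protection unused-ports flood udp block duration 300

# Rule 1 (placed first): the in-use services, tracked per destination IP.
set rulebase dos rules protect-web-ports from any to any source any destination 1.1.1.1 service [ service-http service-https ] action protect
set rulebase dos rules protect-web-ports protection classified profile web-ports classification-criteria address destination-ip-only

# Rule 2 (placed after rule 1): everything else to the same host,
# which is where udp/80 from the scenario in this thread lands.
set rulebase dos rules protect-unused-ports from any to any source any destination 1.1.1.1 service any action protect
set rulebase dos rules protect-unused-ports protection classified profile unused-ports classification-criteria address destination-ip-only
```

Rule order matters because DoS protection rules are matched top-down on first match: the service-specific rule must sit above the catch-all rule, otherwise the tight "unused-ports" thresholds would also apply to the real web traffic.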
