DDoS Profiles

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DDoS Profiles

L3 Networker

How does one go about getting the realistic values for your environment to plug into the DDoS profile or even the zone protection profile? How do you see how many SYNs you are getting per second/min etc?

2 REPLIES 2

Cyber Elite
Cyber Elite

Hello,

 

Are you referring to the DoS protection profiles or the Zone Protection settings? For the zone protection piece you could use AI-OPs and it will provide recommendations based on traffic. If you dont have AI-OPs, for both options would recommend setting the alarm value to a somewhat low value and see what triggers the alert and move it up from there. 

 

Here is a snippet from the Palo doc: 

 

 

If you know the baseline CPS rates for the zone, use these guidelines to set the initial thresholds, and then monitor and adjust the thresholds as necessary.

 

  • Alarm Rate
    —The new CPS threshold to trigger an alarm. Target setting the Alarm Rate to 15-20% above the average CPS rate for the zone so that normal fluctuations don’t cause alerts.
  • Activate
    —The new CPS threshold to activate the flood protection mechanism and begin dropping new connections. For ICMP, ICMPv6, UDP, and other IP floods, the protection mechanism is Random Early Drop (RED, also known as Random Early Detection). For SYN floods only, you can set the drop Action to SYN Cookies or RED. Target setting the 
    Activate rate to just above the peak CPS rate for the zone to begin mitigating potential floods.
  • Maximum
    —The number of connections-per-second to drop incoming packets when RED is the protection mechanism. Target setting the Maximum rate to approximately 80-90% of firewall capacity, taking into account other features that consume firewall resources.

If you don’t know the baseline CPS rates for the zone, start by setting the Maximum CPS rate to approximately 80-90% of firewall capacity and use it to derive reasonable flood mitigation alarm and activation rates. Set the Alarm Rate and Activate rate based on the Maximum rate. For example, you could set the Alarm Rate to half the Maximum rate and adjust it depending on how many alarms you receive and the firewall resources being consumed. Be careful setting the Activate Rate since it begins to drop connections. Because normal traffic loads experience some fluctuation, it’s best not to drop connections too aggressively. Err on the high side and adjust the rate if firewall resources are impacted.
 

Do you need the full version of AI-OPs to achieve this?

  • 702 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!