hklb
Visitor III
July 7, 2015
Question

DoS policy - how to optimize rules ?

  • 1 reply
  • 5899 views

Hello,

I set up the DoS policy on our lab firewall. The configuration was very simple:

# DoS policy as posted, wrapped in the "config firewall DoS-policy" table it belongs to
# so it pastes into the CLI as-is. "action" is left at its default (pass) everywhere
# except the two ICMP sensors, which block and quarantine the attacker.
config firewall DoS-policy
    edit 2
        set interface "port20"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set threshold 2000
            next
            edit "tcp_port_scan"
                set log enable
                set threshold 1000
            next
            edit "tcp_src_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set threshold 2000
            next
            edit "udp_scan"
                set status enable
                set log enable
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "udp_dst_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-log enable
                set threshold 250
            next
            edit "icmp_sweep"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-log enable
                set threshold 100
            next
            edit "icmp_src_session"
                set status enable
                set log enable
                set threshold 300
            next
            edit "icmp_dst_session"
                set status enable
                set log enable
                set threshold 1000
            next
            edit "ip_src_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "ip_dst_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "sctp_flood"
                set log enable
                set threshold 2000
            next
            edit "sctp_scan"
                set log enable
                set threshold 1000
            next
            edit "sctp_src_session"
                set log enable
                set threshold 5000
            next
            edit "sctp_dst_session"
                set log enable
                set threshold 5000
            next
        end
    next
end

 

How can I see the average sessions/sec? How can I optimize these settings according to my environment?

I only found one diagnose debug command for this feature: diag ips anomaly list. But it shows only the current state.

Thanks

Lucas

    1 reply

    ede_pfau
    SuperUser
    July 7, 2015

    Hi hklb,

    Well, you have the 'current sessions' widget, and in the CLI "get sys perf stat", which shows the session setup rate over the last seconds and minutes. Not for long-term monitoring though.

    Setting these thresholds is tricky. Imagine a browsing session: one page could easily lead to 100 sessions over a period of several seconds. With 2000 sessions per second we are talking about very high usage, and I dare say that with this value you are safe on the 'abuse' side. It mostly depends on your users' usage patterns.

    Besides, I would not activate so many threshold sensors - at all, and - during regular usage. It all costs performance (as counters have to be watched). Of course, enabling a DoS policy after the fact will not gain you any laurels... you'll need to find a balance for this.
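The reply points at "get sys perf stat" but notes it is no good for long-term monitoring. The script below is an added example, not code from either poster or from Fortinet: it takes periodic captures of `get system performance status` (the long form of that command), reports the average and peak new-session rate, and compares the flood thresholds from the posted policy against that peak. The three captures embedded in it are constructed and laid out the way FortiOS 5.x prints that command; the exact wording varies between releases, so the regex is an assumption to adjust for your firmware. The headroom factor of 3 and the rule of thumb behind it (the firewall-wide setup rate is an upper bound on what any single destination can see, so a flood threshold above peak times headroom will not trip on legitimate load) are this example's assumptions, not a Fortinet recommendation.

```python
"""Estimate FortiOS DoS flood thresholds from sampled session setup rates.

Added example, not code from the forum thread. It parses captures of
"get system performance status", reports the average and peak
new-session rate, and checks the flood thresholds from the posted DoS
policy against that peak with a headroom factor.
"""
import math
import re
from typing import Dict, List, Tuple

# Constructed sample captures, laid out like FortiOS 5.x output. Only the
# "Average session setup rate" line is parsed; the wording can vary between
# releases, so adjust SETUP_RATE_RE if your firmware prints it differently.
SAMPLES: List[str] = [
    "CPU states: 3% user 2% system 0% nice 95% idle\n"
    "Memory states: 41% used\n"
    "Average sessions: 1800 sessions in 1 minute, 1750 sessions in 10 minutes, 1700 sessions in 30 minutes\n"
    "Average session setup rate: 35 sessions per second in last 1 minute, 30 sessions per second in last 10 minutes, 28 sessions per second in last 30 minutes\n"
    "Uptime: 12 days,  3 hours,  7 minutes\n",
    "CPU states: 9% user 4% system 0% nice 87% idle\n"
    "Memory states: 43% used\n"
    "Average sessions: 4100 sessions in 1 minute, 2600 sessions in 10 minutes, 2000 sessions in 30 minutes\n"
    "Average session setup rate: 120 sessions per second in last 1 minute, 55 sessions per second in last 10 minutes, 38 sessions per second in last 30 minutes\n"
    "Uptime: 12 days,  3 hours, 12 minutes\n",
    "CPU states: 6% user 3% system 0% nice 91% idle\n"
    "Memory states: 42% used\n"
    "Average sessions: 3300 sessions in 1 minute, 2900 sessions in 10 minutes, 2300 sessions in 30 minutes\n"
    "Average session setup rate: 80 sessions per second in last 1 minute, 70 sessions per second in last 10 minutes, 45 sessions per second in last 30 minutes\n"
    "Uptime: 12 days,  3 hours, 17 minutes\n",
]

# Flood thresholds exactly as they appear in the posted policy (per second).
POSTED_FLOOD_THRESHOLDS: Dict[str, int] = {
    "tcp_syn_flood": 2000,
    "udp_flood": 2000,
    "icmp_flood": 250,
    "sctp_flood": 2000,
}

SETUP_RATE_RE = re.compile(
    r"Average session setup rate:\s*(\d+) sessions per second in (?:the )?last 1 minute,"
    r"\s*(\d+) sessions per second in (?:the )?last 10 minutes,"
    r"\s*(\d+) sessions per second in (?:the )?last 30 minutes"
)


def parse_setup_rate(output: str) -> Dict[str, int]:
    """Return the 1/10/30-minute session setup rates from one capture."""
    m = SETUP_RATE_RE.search(output)
    if m is None:
        raise ValueError("no 'Average session setup rate' line in capture")
    return {"1m": int(m.group(1)), "10m": int(m.group(2)), "30m": int(m.group(3))}


def summarize(samples: List[str], window: str = "1m") -> Dict[str, float]:
    """Average and peak setup rate across captures for one averaging window."""
    rates = [parse_setup_rate(s)[window] for s in samples]
    return {"samples": len(rates), "avg": sum(rates) / len(rates), "peak": max(rates)}


def suggest_threshold(peak_rate: float, headroom: float = 3.0, step: int = 100) -> int:
    """Peak times headroom, rounded up to a multiple of step (never below step)."""
    return max(step, math.ceil(peak_rate * headroom / step) * step)


def check_flood_thresholds(configured: Dict[str, int], peak_rate: float,
                           headroom: float = 3.0) -> Dict[str, Tuple[int, int, bool]]:
    """Compare each configured flood threshold with a conservative bound.

    Assumption: the perf-stat rate is firewall-wide across all protocols and
    hosts, so no single destination can legitimately see materially more
    SYN/UDP/ICMP per second than that; a threshold above peak*headroom will
    not fire on normal load. A threshold below it is not necessarily wrong,
    only unverified: run it with action=pass and watch the anomaly logs
    before switching to block or quarantine.
    """
    bound = suggest_threshold(peak_rate, headroom)
    return {name: (value, bound, value >= bound) for name, value in configured.items()}


def report(samples: List[str], configured: Dict[str, int]) -> str:
    """Operator-readable summary of the captures and the threshold check."""
    s = summarize(samples)
    lines = [f"{s['samples']} captures: avg {s['avg']:.1f} sessions/s, peak {s['peak']} sessions/s"]
    for name, (value, bound, ok) in check_flood_thresholds(configured, s["peak"]).items():
        verdict = "ok" if ok else "below bound; keep action=pass and review logs"
        lines.append(f"  {name:<14} threshold {value:>5}  bound {bound:>5}  {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLES, POSTED_FLOOD_THRESHOLDS))
```

To get real input, capture the command on a schedule from a monitoring host (for example a cron job running `ssh admin@firewall 'get system performance status'` into a timestamped file) over at least a full business week, then pass the file contents as the `samples` list; the peak of the 1-minute window is what matters for flood thresholds, while the 30-minute window is a better guide for the concurrent-session (`*_src_session` / `*_dst_session`) sensors, which this example does not evaluate. With the constructed captures the icmp_flood threshold of 250 is flagged, which matches the point of the check: that sensor is the one the posted policy sets to block and quarantine, so it deserves a pass-and-log trial first.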