Configure DoS protection settings

You can configure three forms of protection that can help prevent Denial of Service (DoS) attacks: SYN flood protection and slow HTTP request protection against rate-based DoS attacks, and TCP reset protection against TCP reset attacks.

The following settings can be configured when the Rate-Based DoS Protection Mode is enabled:

  • SYN flood protection — In a SYN flood attack, an attacker sends many TCP SYN packets to a server without any intention of completing the TCP handshake. The SYN packets are often sent with forged source IP addresses. If the rate of unanswered SYN-ACK packets exceeds the threshold set in the DoS protection options, the SYN flood protection is activated, and log data is generated.

    SYN flood protection can also be activated by the detection of too many half-open TCP connections. An attacker can create a large number of half-open TCP connections to use up resources on the NGFW Engine. To guard against this, you can set a limit for the number of half-open TCP connections per destination IP address. When the limit is exceeded, the SYN flood protection is activated, and log data is generated.

    When the SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The NGFW Engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.

  • Slow HTTP request protection — When the NGFW Engine receives an HTTP request, it analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, consuming excessive resources, the NGFW Engine blacklists the sender’s IP address for a specified length of time.

In addition, you can configure protection against DoS attacks that are based on TCP resets:

  • TCP reset protection — In a TCP reset attack, an attacker sends forged TCP segments with an RST flag in an attempt to make the NGFW Engine drop TCP connections. The NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. If the segment’s sequence number is in the current receive window but does not exactly match the expected sequence number, the NGFW Engine might send back a challenge ACK message. The connection is dropped only if the original sender responds to the challenge ACK with a new TCP reset that contains the correct sequence number.

You can enable all forms of DoS protection on all NGFW Engine and Virtual NGFW Engine types.

Note: If Rate-Based DoS Protection Mode is set to On or Off in the Engine Editor, you can override the setting in Access rules. If Rate-Based DoS Protection Mode is set to Disabled, you cannot enable rate-based DoS protection in an Access rule. You cannot override the TCP reset protection setting in Access rules.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an NGFW Engine, then select Edit <element type>.
  2. Browse to Advanced Settings > DoS Protection.
  3. Configure the settings.
  4. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > DoS Protection

Use this branch to configure protection that can help prevent Denial of Service (DoS) attacks.

Option Definition
Rate-Based DoS Protection Mode Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks.
  • Disabled — DoS protection is not enabled.
  • Off (Can Be Overridden in Policy) — DoS protection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — DoS protection is enabled. You can override this setting in individual Access rules.
SYN Flood Sensitivity When SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.
  • Off — SYN flood protection is not enabled.
  • Low — Allows the most SYN-ACK timeouts before the NGFW Engine requires a full TCP handshake with the client before it communicates with a server.
  • Medium — Allows a medium number of SYN-ACK timeouts before the NGFW Engine requires a full TCP handshake with the client before it communicates with a server. This option is the default setting.
  • High — Allows the fewest SYN-ACK timeouts before the NGFW Engine requires a full TCP handshake with the client before it communicates with a server.
Limit for Half-Open TCP Connections

(Optional)

 Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated.
Slow HTTP Request Sensitivity The NGFW Engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the NGFW Engine blacklists the sender’s IP address for a specified length of time.
  • Off — Slow HTTP Request Protection is not enabled.
  • Low — Allows the slowest data transfer rate before the blacklist timeout is applied. This option is the default setting.
  • Medium — Allows a moderately slow data transfer rate before the blacklist timeout is applied.
  • High — Allows the least slow data transfer rate before the blacklist timeout is applied.
Slow HTTP Request Blacklist Timeout The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300).
TCP Reset Sensitivity When enabled, the NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules
  • Off — TCP reset protection is not enabled. This option is the default setting.
  • Low — Allows the most TCP reset requests before the NGFW Engine considers itself to be under attack.
  • Medium — Allows a medium number of TCP reset requests before the NGFW Engine considers itself to be under attack.
  • High — Allows the fewest TCP reset requests before the NGFW Engine considers itself to be under attack.