Configure DoS protection settings
You can configure three forms of protection that can help prevent Denial of Service (DoS) attacks: SYN flood protection and slow HTTP request protection against rate-based DoS attacks, and TCP reset protection against TCP reset attacks.
The following settings can be configured when the Rate-Based DoS Protection Mode is enabled:
- SYN flood protection — In a SYN flood attack, an attacker sends many TCP SYN packets to a server without any intention of completing the TCP handshake. The SYN packets are often sent with forged source IP addresses. If the rate of unanswered SYN-ACK packets exceeds the threshold set in the DoS protection options, the SYN flood protection is activated, and log data is generated.

  SYN flood protection can also be activated by the detection of too many half-open TCP connections. An attacker can create a large number of half-open TCP connections to use up resources on the NGFW Engine. To guard against this, you can set a limit for the number of half-open TCP connections per destination IP address. When the limit is exceeded, the SYN flood protection is activated, and log data is generated.

  When the SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The NGFW Engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.
- Slow HTTP request protection — When the NGFW Engine receives an HTTP request, it analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, consuming excessive resources, the NGFW Engine blacklists the sender’s IP address for a specified length of time.
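The following simulation, added for this page and not code from the NGFW Engine or its vendor, shows the two rate-based mechanisms above in working form: a per-destination count of half-open TCP connections that activates SYN flood protection and writes a log line once the limit is exceeded, and a slow-HTTP check that blacklists a sender whose header fields take too long to arrive and lets the entry expire after the blacklist timeout. The half-open limit of 125 and the default timeout of 300 seconds come from the settings table; the 30-second header-read deadline, the address ranges and the event sequence are constructed for the example.

```python
"""Simulation of the two rate-based protections described above, written for this
page as an illustration. The header-read deadline and the event data are
constructed values, not taken from the product."""
from dataclasses import dataclass, field

HALF_OPEN_LIMIT = 125        # the smallest value the settings table allows; used here as the limit
HEADER_READ_DEADLINE = 30.0  # assumed seconds allowed to finish sending HTTP header fields
BLACKLIST_TIMEOUT = 300.0    # seconds; the default named in the settings table


@dataclass
class HalfOpenTracker:
    """Counts half-open TCP connections (SYN seen, handshake not completed) per destination IP
    and activates SYN flood protection for a destination once the limit is exceeded."""
    limit: int = HALF_OPEN_LIMIT
    half_open: set = field(default_factory=set)    # (src, dst) pairs currently half-open
    per_dst: dict = field(default_factory=dict)    # dst -> number of half-open connections
    protected: set = field(default_factory=set)    # destinations now served through the SYN proxy
    log: list = field(default_factory=list)        # log lines generated on activation

    def syn(self, src: str, dst: str) -> bool:
        """Record an incoming SYN; return True if protection is active for this destination."""
        key = (src, dst)
        if key not in self.half_open:
            self.half_open.add(key)
            self.per_dst[dst] = self.per_dst.get(dst, 0) + 1
        if self.per_dst[dst] > self.limit and dst not in self.protected:
            self.protected.add(dst)
            self.log.append(f"SYN flood protection activated for {dst}: "
                            f"{self.per_dst[dst]} half-open connections (limit {self.limit})")
        return dst in self.protected

    def handshake_completed(self, src: str, dst: str) -> None:
        """The client's final ACK arrived: the connection is no longer half-open."""
        if (src, dst) in self.half_open:
            self.half_open.discard((src, dst))
            self.per_dst[dst] -= 1


@dataclass
class SlowHttpGuard:
    """Blacklists senders that hold a connection open too long while sending HTTP headers.
    Entries expire after the blacklist timeout."""
    deadline: float = HEADER_READ_DEADLINE
    timeout: float = BLACKLIST_TIMEOUT
    blacklist: dict = field(default_factory=dict)  # src -> time at which the entry expires

    def is_blacklisted(self, src: str, now: float) -> bool:
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:               # timeout elapsed: the sender is allowed again
            del self.blacklist[src]
            return False
        return True

    def headers_finished(self, src: str, started: float, finished: float) -> bool:
        """Called when the header block is complete or the read is abandoned. Returns False
        (and blacklists src) if reading the headers took longer than the deadline."""
        if finished - started > self.deadline:
            self.blacklist[src] = finished + self.timeout
            return False
        return True


def simulate_syn_flood(limit: int = HALF_OPEN_LIMIT) -> HalfOpenTracker:
    """Constructed scenario: limit + 1 spoofed sources each leave one connection half-open
    toward 198.51.100.10, while one real client completes its handshake with 198.51.100.20."""
    tracker = HalfOpenTracker(limit=limit)
    for i in range(limit + 1):
        tracker.syn(f"10.0.{i // 256}.{i % 256}", "198.51.100.10")
    tracker.syn("192.0.2.40", "198.51.100.20")
    tracker.handshake_completed("192.0.2.40", "198.51.100.20")
    return tracker


def simulate_slow_http() -> dict:
    """Constructed scenario: 192.0.2.7 takes 45 s to send its headers and is blacklisted;
    192.0.2.8 finishes in 2 s and is not. Returns the checks made at a few later times."""
    guard = SlowHttpGuard()
    accepted_slow = guard.headers_finished("192.0.2.7", started=0.0, finished=45.0)
    accepted_fast = guard.headers_finished("192.0.2.8", started=0.0, finished=2.0)
    return {
        "slow_accepted": accepted_slow,                                     # False
        "fast_accepted": accepted_fast,                                     # True
        "slow_blocked_at_100s": guard.is_blacklisted("192.0.2.7", 100.0),   # True
        "slow_blocked_at_345s": guard.is_blacklisted("192.0.2.7", 345.0),   # False: 45 + 300 elapsed
        "fast_blocked_at_100s": guard.is_blacklisted("192.0.2.8", 100.0),   # False
    }


if __name__ == "__main__":
    print("\n".join(simulate_syn_flood().log))
    print(simulate_slow_http())
```

The half-open count is keyed by destination, as the page states, so a flood against one server activates the SYN proxy only for that server; the legitimate client's handshake with a different server is unaffected and its counter returns to zero once the final ACK arrives.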
In addition, you can configure protection against DoS attacks that are based on TCP resets:
- TCP reset protection — In a TCP reset attack, an attacker sends forged TCP segments with an RST flag in an attempt to make the NGFW Engine drop TCP connections. The NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. If the segment’s sequence number is in the current receive window but does not exactly match the expected sequence number, the NGFW Engine might send back a challenge ACK message. The connection is dropped only if the original sender responds to the challenge ACK with a new TCP reset that contains the correct sequence number.
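The three cases the paragraph describes (sequence number outside the receive window, inside the window but not the expected number, and an exact match) are easier to follow as a decision function. The example below is added for this page and is not the NGFW Engine's own code; the sequence numbers, window size and event order are constructed, and the names RstAction, classify_rst and TcpConnection are this example's own. It includes the sequence-number wraparound case, which a naive range comparison gets wrong.

```python
"""Illustration of the challenge-ACK handling described above, written for this page.
Sequence numbers, window size and the event sequence are constructed; the three
outcomes mirror the three cases the text describes."""
from enum import Enum

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


class RstAction(Enum):
    DISCARD = "discard"                  # sequence number outside the receive window
    CHALLENGE_ACK = "challenge_ack"      # in window but not the expected number
    DROP_CONNECTION = "drop_connection"  # exact match: the reset is honoured


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with modulo-2^32 wraparound."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> RstAction:
    """Decide what to do with a TCP RST segment carrying sequence number seq."""
    if seq == rcv_nxt:
        return RstAction.DROP_CONNECTION
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return RstAction.CHALLENGE_ACK
    return RstAction.DISCARD


class TcpConnection:
    """Minimal receive-side state of one established connection."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int) -> None:
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.state = "ESTABLISHED"
        self.challenges_sent = 0  # number of challenge ACKs sent; a useful log and detection signal

    def on_rst(self, seq: int) -> RstAction:
        if self.state != "ESTABLISHED":
            return RstAction.DISCARD
        action = classify_rst(seq, self.rcv_nxt, self.rcv_wnd)
        if action is RstAction.CHALLENGE_ACK:
            # The challenge ACK goes to the connection's real peer and carries rcv_nxt.
            # A sender that forged the source address never receives it, so it cannot
            # answer with the correct sequence number; the genuine peer can.
            self.challenges_sent += 1
        elif action is RstAction.DROP_CONNECTION:
            self.state = "CLOSED"
        return action


def simulate_reset_attack() -> list:
    """Constructed event sequence: two forged RSTs (one outside the window, one inside),
    then the genuine peer's RST with the exact expected sequence number."""
    conn = TcpConnection(rcv_nxt=1_000_000, rcv_wnd=65_535)
    return [
        conn.on_rst(5_000_000),   # far outside the window: silently discarded
        conn.on_rst(1_000_500),   # inside the window, not exact: challenge ACK, connection stays up
        conn.on_rst(1_000_000),   # exact match in reply to the challenge: connection dropped
        conn.state,
        conn.challenges_sent,
    ]


if __name__ == "__main__":
    for item in simulate_reset_attack():
        print(item)
```

A rising count of challenge ACKs on a connection, or across many connections to one host, is the observable that distinguishes a reset attack from ordinary connection teardown, and is the kind of signal the log data from TCP Reset Sensitivity is meant to surface.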
You can enable all forms of DoS protection on all NGFW Engine and Virtual NGFW Engine types.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Right-click an NGFW Engine, then select Edit <element type>.
- Browse to .
- Configure the settings.
- Click Save and Refresh to transfer the configuration changes.
Engine Editor > Advanced Settings > DoS Protection
Use this branch to configure protection that can help prevent Denial of Service (DoS) attacks.
Option | Definition |
---|---|
Rate-Based DoS Protection Mode | Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks. |
SYN Flood Sensitivity | When SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake. |
Limit for Half-Open TCP Connections (Optional) | Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated. |
Slow HTTP Request Sensitivity | The NGFW Engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the NGFW Engine blacklists the sender’s IP address for a specified length of time. |
Slow HTTP Request Blacklist Timeout | The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300). |
TCP Reset Sensitivity | When enabled, the NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules. |