DoS Protection Against Flooding of New Sessions
Learn about how to use DoS protection against flooding
of new sessions to detect and prevent high-volume single-session
and multiple-session attacks.
DoS protection against flooding of new sessions is beneficial
against high-volume single-session and multiple-session attacks.
In a single-session attack, an attacker uses a single session to
target a device behind the firewall. If a Security rule allows the
traffic, the session is established and the attacker initiates an
attack by sending packets at a very high rate with the same source
IP address and port number, destination IP address and port number,
and protocol, trying to overwhelm the target. In a multiple-session
attack, an attacker uses multiple sessions (or connections per second
[cps]) from a single host to launch a DoS attack.
This feature defends against DoS attacks of new sessions
only, that is, traffic that has not been offloaded to hardware.
An offloaded attack is not protected by this feature. However, this
topic describes how you can create a Security policy rule to reset
the client; the attacker reinitiates the attack with numerous connections
per second and is blocked by the defenses illustrated in this topic.
DoS Protection Profiles and Policy Rules work together
to provide protection against flooding of many incoming SYN, UDP,
ICMP, and ICMPv6 packets, and other types of IP packets. You determine
what thresholds constitute flooding. In general, the DoS Protection
profile sets the thresholds at which the firewall generates a DoS
alarm, takes action such as Random Early Drop, and drops additional
incoming connections. A DoS Protection policy rule configured to protect
(rather than to allow or deny packets) determines the criteria for
packets to match (such as source address) in order to be counted
toward the thresholds. This flexibility allows you to block certain
traffic, or allow certain traffic and treat other traffic as DoS
traffic. When the incoming rate exceeds your maximum threshold,
the firewall blocks incoming traffic from the source address.