SonicOS 7.0 Objects

DDoS Protection

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target.

To configure the DDoS Protection of the DoS Action Profile

  1. Navigate to OBJECT | Action Profiles > DoS Action Profile.
  2. Do one of the following:

    • Add a new DoS Action Profile.

      1. Click the Add icon.
      2. Enter a friendly DoS Rule Action Name.
    • Edit an existing DoS Action Profile.

      Hover over an existing DoS Action Profile and click the Edit icon.

  3. Click the DDoS Protection tab.

  4. Click Enable DDoS protection.
  5. Make the necessary changes to the DDoS Protection default settings.

    Threshold for WAN DDoS protection (Non-TCP packets / Sec)

    To set the threshold value of non-TCP packets allowed per second to be sent to a host, range, or subnet. Exceeding this threshold triggers WAN DDoS flood protection.

    The minimum number is 0, the maximum number is 10000000, and the default number is 1000.

    This option is applicable when Enable DDOS protection is selected.

    WAN DDoS Filter Bypass Rate (every n packets)

    To set the WAN DDoS filter bypass rate.

    The default value of the WAN DDoS Filter Bypass Rate is 0. This default rate prevents all packets passing through, unless the device from which they originate is on the Allow List. This can be an appropriate choice in some deployments.

    When you configure this rate to a non-zero number, some non-TCP packets that would normally be dropped by WAN DDoS Protection are passed to the LAN/DMZ network. A non-zero bypass rate allows the risk of a potential attack to be reduced, but not completely blocked. Allowing some packets to pass through (such as every 3rd packet), even though their sources are not on the Allow List, can provide a mechanism by which legitimate WAN-side hosts can get a packet through to the LAN/DMZ side, in spite of the high alert status of the appliance.

    You must determine the appropriate value to set, depending on the capabilities of the potential LAN-side target machines and the nature of the legitimate non-TCP traffic patterns in the network.

    This option is applicable when Enable DDOS protection is selected.

    WAN DDoS Allow List Timeout - seconds

    To set expire timeout for devices added in the allow list.

    If a non-zero Allow List Timeout is defined by the user, entries in the Allow List expire in the configured time. If the Allow List Timeout is zero, they never expire. In either case, the least-recently-used entry in a particular group can be replaced by a new entry, if no unused entry is available in the list.

    Enable WAN DDoS Protection on WAN interfaces

    To provide protection against non-TCP DDoS attacks.

    Use this option in combination with SYN-Flood Protection if TCP SYN-flood attacks are a concern.

    This option is not intended to protect a well-known server of non-TCP services on the Internet (such as a central DNS server), but is intended to protect LAN and DMZ networks for which the majority of non-TCP traffic is initiated from the LAN/DMZ side, possibly in combination with limited WAN-initiated traffic.

    When WAN DDoS Protection is enabled, it tracks the rate of non-TCP packets arriving on WAN interfaces. When the rate of non-TCP packets exceeds the specified threshold, non-TCP packets arriving on WAN interfaces will be filtered.

    A non-TCP packet is only forwarded when at least one of the following conditions is met:

    • The source IP address is on the Allow list
    • The packet is SonicWall management traffic and Always allow SonicWall management traffic is selected
    • The packet is an ESP packet and matches the SPI of a tunnel terminating on the network security appliance
    • The packet is the nth packet matching the value specified for WAN DDoS Filter Bypass Rate (every n packets)

    If none of the above conditions are met, the packet is dropped early in packet processing.

    Always allow SonicWall management traffic

    To allow the traffic that is needed to manage your SonicWall appliances to pass through your WAN gateways, even when the appliance is under a non-TCP DDoS attack.

  6. Click Save.
  7. Click Cancel to go back to the DoS Action Profile page or proceed with other configurations.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

  • Hidden
  • Hidden

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
  • Hidden
  • Hidden