• SonicOS 7.1 Action Objects
• About SonicOS
  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
  • Common Actions with Objects Table
  • Advanced Filter
• Match Objects
• Zones
  • How Zones Work
  • Default Zones
  • Security Types
  • Allow Interface Trust
  • Effect of Wireless Controller Modes
    • Effects of Enabling Non-Wireless Controller Mode
    • Effects of Enabling Wireless Controller Mode
  • Zones Overview
    • The Zones Page
      • Interpreting the Zones Table
    • Adding a New Zone
      • Adding a New Zone in Policy Mode
      • Adding a New Zone in Classic Mode
      • Configuring a Zone for Guest Access
      • Configuring a Zone for Open Authentication and Social Login
        • Configuring a Zone for Captive Portal Authentication with RADIUS
        • Configuring a Zone for Customized Policy Message
        • Configuring a Zone for Customized Login Page
      • Configuring the WLAN Zone
      • Configuring the RADIUS Server
      • Configuring DPI-SSL Granular Control per Zone
      • Enabling Automatic Redirection to the User-Policy Page
    • Cloning a Zone
    • Editing a Zone
    • Deleting Custom Zones
• Addresses
  • Addresses Page
    • Default Address Objects and Groups
      • Default Pref64 Address Object
      • Default Rogue Address Groups
    • Address Objects
      • Types of Address Objects
      • Adding Address Objects
      • Editing Address Objects
      • Deleting Custom Address Objects
      • Purging MAC or FQDN Address Objects
      • Resolving Address Objects
    • Address Groups
      • Adding Address Groups
      • Editing Address Groups
      • Deleting Custom Address Groups
      • Purging or Resolving All Address Groups
    • Cloning Address Objects or Groups
  • About UUIDs for Address Objects and Groups
  • Working with Dynamic Address Objects
    • Key Features of Dynamic Address Objects
    • Enforcing the Use of Sanctioned Servers on the Network
    • Using MAC and FQDN Dynamic Address Objects
      • Blocking All Protocol Access to a Domain using FQDN DAOs
      • Using an Internal DNS Server for FQDN-based Access Rules or Security Policies
      • Controlling a Dynamic Host’s Network Access by MAC Address
      • Bandwidth Managing Access to Entire Domain
• Services
  • Default Service Objects and Groups
  • Default IP Protocols for Custom Service Objects
  • Service Objects
    • Adding Service Objects using Default Protocols
    • Adding Service Objects using Custom Protocols
    • Editing Service Objects
    • Deleting Custom Service Objects
  • Service Groups
    • Adding Custom Service Groups
    • Editing Service Groups
    • Deleting Custom Service Groups
  • Adding Custom IP Protocol Services
    • Configuration Example
• URI Lists
  • About URIs and the URI List
  • About Keywords and the Keyword List
  • Matching URI List Objects
    • Normal Matching
    • Wildcard Matching
    • IPv6 Address Matching
    • IPv6 Wildcard Matching
  • Using URI List Objects
  • About URI List Groups
  • Managing URI List Objects
    • About the URI List Objects Table
    • Adding URI List Objects
      • Adding URIs
      • Importing URIs
      • Adding Keywords
      • Importing Keywords
    • Exporting URI List Objects
    • Editing URI List Objects
    • Deleting URI List Objects
  • Managing URI List Groups
    • About the URI List Groups Table
    • Adding URI List Groups
    • Editing a URI List Group
    • Deleting URI List Groups
  • Applying URI List Object or Group
• Schedules
  • Default Schedules
  • Adding Custom Schedules
  • Editing Schedules
  • Deleting Custom Schedules
  • Applying Schedules
• Dynamic Group
  • About Dynamic External Address Group File
  • DEAG and DEAO Maximums
  • High Availability Requirements
  • Adding Dynamic External Objects
  • Editing Dynamic External Objects
  • Deleting Dynamic External Objects
  • Applying Dynamic External Objects
• Email Addresses
  • Adding Email Address Objects
  • Editing Email Address Objects
  • Deleting Email Address Objects
  • Applying Email Addresses Objects
• Match Objects
  • Match Objects
    • Input representation
    • Supported Match Object Types
    • Regular Expressions
      • Regular Expression Syntax
    • Negative Matching
    • Adding Match Objects
    • Editing Match Objects
  • Application Objects
    • Adding Application Objects
    • Editing Application Objects
    • Adding Category Objects
    • Editing Category Objects
  • Deleting Match Objects or Application Objects
  • Applying Match Objects and Application Objects
• Countries
  • Country Objects
  • Country Groups
    • Adding Country Groups
    • Editing Country Groups
    • Deleting Custom Country Groups
  • Applying Country Groups
• Applications
  • Application Objects
  • Application Groups
    • Adding Application Groups
    • Editing Application Groups
    • Deleting Application Groups
  • Applying Application Groups
• Web Categories
  • Web Category Objects
  • Web Category Groups
    • Adding Web Category Groups
    • Editing Web Category Groups
    • Deleting Web Category Groups
  • Applying Web Category Groups
• Websites
  • Website Objects
    • Adding Website Objects
    • Editing Website Objects
  • Website Groups
    • Adding Website Groups
    • Editing Website Groups
  • Deleting Website Objects or Groups
  • Applying Website Groups
• Match Patterns
  • About Match Patterns
    • Regular Expressions
    • Negative Matching
  • Adding Match Patterns
  • Editing Match Patterns
  • Deleting Match Patterns
  • Applying Match Patterns
• Custom Match
  • Custom Match Objects
  • Custom Match Groups
  • Editing Custom Objects or Groups
  • Deleting Custom Objects or Groups
  • Applying Custom Match Groups
• Profile Objects
• Endpoint Security
  • Prerequisites
  • Adding Endpoint Security Profiles
  • Editing Endpoint Security Profiles
  • Deleting Endpoint Security Profiles
  • Applying Endpoint Security Profiles
• Bandwidth
  • Configuring Bandwidth Profile Objects
    • Defining Bandwidth Profile Object Settings
      • General Settings of Bandwidth Profile Object
      • Elemental Settings of Bandwidth Profile Object
    • Enabling BWM on an Interface
  • Editing Bandwidth Profile Objects
  • Deleting Bandwidth Profile Objects
  • Applying Bandwidth Profile Objects
• QoS Marking
  • Classification
  • Marking
  • Conditioning
    • Site to Site VPN over QoS Capable Networks
    • Site to Site VPN over Public Networks
  • 802.1p and DSCP QoS
    • 802.1p Marking
    • DSCP Marking
      • DSCP Marking and Mixed VPN Traffic
      • Configure for 802.1p CoS 4 – Controlled Load
  • Mapping of QoS Tags
  • Configuring QoS Marking
  • Applying QoS Marking
    • QoS Marking Actions
    • Bi-directional DSCP Tag Action
      • Remote Site 1: Sample Access Rule or Security Rule Configuration
      • Main Site: Sample Access Rule or Security Rule Configurations
• Content Filter
  • About CFS Profile Objects
    • About UUIDs for CFS Profile Objects
  • Adding CFS Profile Objects
    • Advanced Screen
    • Consent
    • Custom Header Screen
  • Editing CFS Profile Objects
  • Deleting CFS Profile Objects
  • Applying Content Filter Profile Objects
• DHCP Option
  • Prerequisites
  • Adding DHCP Option Objects
    • RFC-Defined DHCPV4 Option Numbers
    • RFC-Defined DHCPV6 Option Numbers
  • Editing DHCP Option Objects
  • Deleting DHCP Option Objects
  • Applying DHCP Option Objects
• DNS Filtering
  • Prerequisites
  • Adding DNS Filtering Profile Objects
  • Editing DNS Filtering Profile Objects
  • Deleting DNS Filtering Profile Objects
  • Applying DNS Filtering Profile Objects
• Block Page
  • Adding Custom Block Pages
  • Cloning Block Page
  • Editing Block Pages
  • Deleting Block Pages
  • Applying Block Pages
• Anti-Spyware
  • Viewing Anti-Spyware Objects
  • Enabling or Disabling Anti-Spyware Objects
  • Adding Anti-Spyware Profiles
  • Editing Anti-Spyware Profiles
  • Cloning Anti-Spyware Profiles
  • Deleting Anti-Spyware Profiles
  • Applying Anti-Spyware Profiles
• Gateway Anti-Virus
  • Viewing Gateway Anti-Virus Objects
  • Enabling or Disabling Gateway Anti-Virus Objects
  • Adding Gateway Anti-Virus Profiles
  • Cloning Gateway Anti-Virus Profiles
  • Editing Gateway Anti-Virus Profiles
  • Deleting Gateway Anti-Virus Profiles
  • Applying Gateway Anti-Virus Profiles
• Log and Alerts
  • Adding Log and Alerts Profiles
  • Editing Log and Alert Profiles
  • Deleting Log and Alert Profiles
  • Applying Log Alerts Profiles
• Intrusion Prevention
  • Viewing Intrusion Prevention Objects
  • Enabling or Disabling Intrusion Prevention Objects
  • Adding Intrusion Prevention Profiles
  • Editing Intrusion Prevention Profiles
  • Cloning Intrusion Prevention Profiles
  • Deleting Intrusion Prevention Profiles
  • Applying Intrusion Prevention Profiles
• AWS
  • AWS Objects
    • About Address Object Mapping with AWS
      • Tagging an EC2 Instance on AWS
    • Viewing Instance Properties in SonicOS
    • Creating a New Address Object Mapping
    • Enable Mapping
    • Configuring Synchronization
    • Configuring Regions to Monitor
    • Verifying AWS Address Objects and Groups
• Action Profiles
• Security Action Profile
  • Security Actions
  • Adding Security Action Profiles
    • Bandwidth/QoS
      • Bandwidth
      • Configuring a Bandwidth/QoS Security Action Profile
    • Anti-Virus
    • Intrusion Prevention
    • Anti-Spyware
    • Botnet Filter
    • Content Filter
      • General
      • Passphrase
      • Confirm
      • Consent
      • Custom Header
    • Block Page and Logging
    • Miscellaneous
  • Editing Security Action Profiles
  • Cloning Security Action Profiles
  • Deleting Security Action Profiles
  • Applying Security Action Profiles
• DoS Action Profile
  • DoS Actions
  • Adding DoS Action Profiles
    • Flood Protection
      • Layer 3 SYN Flood Protection - SYN Proxy
      • Layer 2 SYN/RST/FIN Flood Protection
      • UDP Flood Protection
      • ICMP Flood Protection
    • DDoS Protection
    • Attack Protection
    • Connection Limiting
  • Editing DoS Action Profiles
  • Cloning DoS Action Profiles
  • Deleting DoS Action Profiles
  • Applying DoS Action Profiles
• Action Objects
• App Rule Actions
  • Action Objects
    • Default Action Objects
    • Action Types for Custom Action Objects
  • Actions Using Bandwidth Management
    • Bandwidth Management Methods
    • Viewing Bandwidth Management Information on App Rule Actions
  • Adding Action Objects
    • Configuring Bandwidth App Rule Action Objects
  • Editing Action Objects
  • Deleting Action Objects
  • Applying App Rule Actions
    • Related Tasks for Actions Using Packet Monitoring
      • Capturing Packets Related to a Policy
      • Configuring Mirroring
• Content Filter Actions
  • Content Filter Objects
    • CFS Action Objects
    • About Passphrase Feature
    • About Confirm Feature
    • UUIDs for CFS Objects
  • Managing CFS Action Objects
    • About the CFS Action Objects Table
    • Adding CFS Action Objects
      • Block
      • Passphrase
      • Confirm
      • BWM
    • Editing CFS Action Objects
    • Deleting CFS Action Objects
  • Applying Content Filter Objects
• Object viewer
• SonicWall Support
  • About This Document

DDoS Protection

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target.

To configure the DDoS Protection of the DoS Action Profile

1. Navigate to OBJECT | Action Profiles > DoS Action Profile.

2. Do one of the following:

   • Add a new DoS Action Profile.

     1. Click the Add icon.
     2. Enter a friendly DoS Rule Action Name.

   • Edit an existing DoS Action Profile.

     Hover over an existing DoS Action Profile and click the Edit icon.

3. Click the DDoS Protection tab.

   

4. Click Enable DDoS protection.

5. Make the necessary changes to the DDoS Protection default settings.

   Make sure that Enable DDoS protection option is selected to make changes to default settings.

   Threshold for WAN DDoS protection (Non-TCP packets / Sec)	To set the threshold value of non-TCP packets allowed per second to be sent to a host, range, or subnet. Exceeding this threshold triggers WAN DDoS flood protection. The minimum number is 0, the maximum number is 10000000, and the default number is 1000. This option is applicable when Enable DDOS protection is selected.
   WAN DDoS Filter Bypass Rate (every n packets)	The default value of the WAN DDoS Filter Bypass Rate is 0. This default rate prevents all packets passing through, unless the device from which they originate is on the Allow List. This can be an appropriate choice in some deployments. When you configure this rate to a non-zero number, some non-TCP packets that would normally be dropped by WAN DDoS Protection are passed to the LAN/DMZ network. A non-zero bypass rate allows the risk of a potential attack to be reduced, but not completely blocked. Allowing some packets to pass through (such as every 3rd packet), even though their sources are not on the Allow List, can provide a mechanism by which legitimate WAN-side hosts can get a packet through to the LAN/DMZ side, in spite of the high alert status of the appliance. You must determine the appropriate value to set, depending on the capabilities of the potential LAN-side target machines and the nature of the legitimate non-TCP traffic patterns in the network. This option is applicable when Enable DDOS protection is selected.
   WAN DDoS Allow List Timeout - seconds	To set expire timeout for devices added in the allow list. If a non-zero Allow List Timeout is defined by the user, entries in the Allow List expire in the configured time. If the Allow List Timeout is zero, they never expire. In either case, the least-recently-used entry in a particular group can be replaced by a new entry, if no unused entry is available in the list.
   Enable WAN DDoS Protection on WAN interfaces	To provide protection against non-TCP DDoS attacks. Use this option in combination with SYN-Flood Protection if TCP SYN-flood attacks are a concern. This option is not intended to protect a well-known server of non-TCP services on the Internet (such as a central DNS server), but is intended to protect LAN and DMZ networks for which the majority of non-TCP traffic is initiated from the LAN/DMZ side, possibly in combination with limited WAN-initiated traffic. When WAN DDoS Protection is enabled, it tracks the rate of non-TCP packets arriving on WAN interfaces. When the rate of non-TCP packets exceeds the specified threshold, non-TCP packets arriving on WAN interfaces will be filtered. A non-TCP packet is only forwarded when at least one of the following conditions is met: The source IP address is on the Allow list The packet is SonicWall management traffic and Always allow SonicWall management traffic is selected The packet is an ESP packet and matches the SPI of a tunnel terminating on the network security appliance The packet is the nth packet matching the value specified for WAN DDoS Filter Bypass Rate (every n packets) If none of the above conditions are met, the packet is dropped early in packet processing.
   Always allow SonicWall management traffic	To allow the traffic that is needed to manage your SonicWall appliances to pass through your WAN gateways, even when the appliance is under a non-TCP DDoS attack.

6. Click Save.
7. Click Cancel to go back to the DoS Action Profile page or proceed with other configurations.