WAN DDOS Protection (Non-TCP Floods)

This tab is available only in Policy mode under Network > Firewall > Flood Protection > TCP > WAN DDOS Protection (Non-TCP Floods).

WAN DDOS Protection provides protection against non-TCP DDOS attacks and so should be used in combination with SYN-Flood Protection if TCP SYN-flood attacks are a concern. This feature is not intended to protect a well-known server of non-TCP services on the internet (such as a central DNS server), but is intended to protect LAN and DMZ networks for which the majority of non-TCP traffic is initiated from the LAN/DMZ side, possibly in combination with limited WAN-initiated traffic.

You can configure the WAN DDOS Protection (Non-TCP Floods) settings on the Network > Firewall > Flood Protection > TCP > WAN DDOS Protection (Non-TCP Floods) tab.

• Enable WAN DDOS Protection on WAN interfaces - provides protection against non-TCP DDOS attacks, and so should be used in combination with SYN-Flood Protection if TCP SYN-flood attacks are a concern. This feature is not intended to protect a well-known server of non-TCP services on the Internet (such as a central DNS server), but is intended to protect LAN and DMZ networks for which the majority of non-TCP traffic is initiated from the LAN/DMZ side, possibly in combination with limited WAN-initiated traffic.

  Enabling WAN DDOS Protection on WAN interfacesoption enables the rest of the options in this section.

  When WAN DDOS Protection is enabled, it tracks the rate of non-TCP packets arriving on WAN interfaces. When the rate of non-TCP packets exceeds the specified threshold, non-TCP packets arriving on WAN interfaces will be filtered. A non-TCP packet will only be forwarded when at least one of the following conditions is met:

  • Source IP address is on the Allow list
  • Packet is SonicWall management traffic, and Always allow SonicWall management traffic is selected
  • Packet is VPN Negotiation traffic (IKE) and Always allow VPN negotiation traffic is selected
  • the packet is an ESP packet and matches the SPI of a tunnel terminating on the network security appliance

  • the packet is the nth packet matching the value specified for WAN DDOS Filter Bypass Rate (every n packets)

  If none of these conditions are met, the packet is dropped early in packet processing.

• Always allow SonicWall management traffic - This field is available when Enable DDOS protection on WAN interfaces is selected. Select this field so that traffic needed to manage your SonicWall appliances is allowed to pass through your WAN gateways, even when the appliance is under a non-TCP DDOS attack. This option is disabled by default.
• Always allow VPN negotiation traffic - This field is available when Enable DDOS protection on WAN interfaces is selected. Select this field so that all VPN negotiation packets are allowed to pass through, even though other traffic is blocked.
• Threshold for WAN DDOS protection - The option to set this threshold is available when Enable DDOS protection on WAN interfaces is selected. It specifies the maximum number of non-TCP packets allowed per second to be sent to a host, range, or subnet. Exceeding this threshold triggers WAN DDOS flood protection. The default number of non-TCP packets is 1000. The minimum number is 0, and the maximum number is 10,000,000.

• WAN DOOS Filter Bypass Rate - This option can be set when Enable DDOS protection on WAN interfaces is selected. The default value of the WAN DDOS Filter Bypass Rate is 0. This default rate prevents all packets passing through unless the device from which they originate is on the Allow List. This can be an appropriate choice for some deployments.

  When the user configures this rate to a non-0 number, some non-TCP packet that would normally be dropped by WAN DDOS Protection are instead passed to the LAN/DMZ network. A non-0 bypass rate allows the risk of a potential attack to be reduced, but not completely blocked. Allowing some packets to pass through (such as every 3rd packet), even though their sources are not on the Allow List, can provide a mechanism by which legitimate WAN-side hosts can get a packet through to the LAN/DMZ side, in spite of the high alert status of the appliance.

  The user must determine the appropriate value to set, depending on the capabilities of the potential LAN-side target machines and the nature of the legitimate non-TCP traffic patterns in the network.

• WAN DDOS Allow List Timeout - This field is available when Enable DDOS protection on WAN interfaces is selected. If a non-zero Allow List Timeout is defined by the user, entries in the Allow List expire in the configured time. If the Allow List Timeout is zero, they never expire. In either case, the least-recently-used entry in a particular group can be replaced by a new entry, if no unused entry is available in the list.
• Click Accept

Using Geo-IP filtering you can block connections coming to or from a geographic location. Refer to the Using geo-ip filtering article for configuring Geo-IP filtering option using SonicOS 7.x.