SonicOSX 7 Action Profiles

Adding DoS Action Profiles

SonicOSX defends against UDP/ICMP flood attacks by monitoring IPv6 UDP/ICMP traffic flows to defined destinations. UDP/ICMP packets to a specified destination are dropped if one or more sources exceed a configured threshold.

Flood Protection

The OBJECT | Action Profiles > DoS Action Profile | Flood Protection tab allows you to:

  • Manage:
    • TCP (Transmission Control Protocol) traffic settings such as Layer 2/Layer 3 flood protection and WAN DDOS protection
    • UDP (User Datagram Protocol) flood protection
    • ICMP (Internet Control Message Protocol) or ICMPv6 flood protection.
  • View statistics through the security appliance:
    • TCP traffic
    • UDP traffic
    • ICMP or ICMPv6 traffic

To configure the Flood Protection DoS Rule Action

  1. Navigate to OBJECT | Action Profiles > DoS Action Profile.
  2. Click +Add or click the Edit icon from the Configure column.
  3. The Add DoS Action Profile page opens on the Flood Protection tab.

  4. Enter a friendly DoS Rule Action Name.

Layer 3 SYN Flood Protection - SYN Proxy

To configure Layer 3 SYN Flood Protection features

  1. Click Enable Syn Flood Protection.

  2. In the SYN Flood Protection Mode drop‐down menu, select a protection mode.

    • Watch and Report Possible SYN Floods – The device monitors SYN traffic on all interfaces and logs suspected SYN flood activity that exceeds a packet-count threshold. This option does not actually turn on the SYN Proxy on the device, so the device forwards the TCP three‐way handshake without modification.

    This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high‐risk environment.

    When this protection mode is selected, the SYN-Proxy options are not available.

    • Proxy WAN Client Connections When Attack is Suspected – The device enables the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second exceeds a specified threshold. This method ensures that the device continues to process valid traffic during the attack, and that performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop occurring, or until the device blacklists all of them using the SYN Blacklisting feature.

    This is the intermediate level of SYN Flood protection. Select this option if your network sometimes experiences SYN Flood attacks from internal or external sources.

    • Always Proxy WAN Client Connections – This option sets the device to always use SYN Proxy. This method blocks all spoofed SYN packets from passing through the device. This is an extreme security measure, which directs the device to respond to port scans on all TCP ports. The SYN Proxy feature forces the device to respond to all TCP SYN connection attempts, which can degrade performance and generate false positive results. Select this option only if your network is in a high‐risk environment.
  3. For SYN Proxy Options, if one of the higher levels of SYN Protection is selected, SYN‐Proxy options can be selected to provide more control over what is sent to WAN clients when in SYN Proxy mode. When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply, waiting for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply. The firewall identifies them by their lack of this type of response and blocks their spoofed connection attempts. SYN Proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server responds to the TCP options normally provided on SYN/ACK packets.

    The options in this section are not available if Watch and report possible SYN floods option is selected for SYN Flood Protection Mode.

    • All LAN/DMZ servers support the TCP SACK option – Selecting this option enables SACK (Selective Acknowledgment), so that when a packet is dropped, the receiving device indicates which packets it received. This option is not enabled by default. Enable this checkbox only when you know that all servers covered by the firewall that are accessed from the WAN support the SACK option.
    • Limit MSS sent to WAN clients (when connections are proxied) – When you choose this option, you can enter the maximum MSS (Maximum Segment Size) value. This sets the threshold for the size of TCP segments, preventing a segment that is too large from being sent to the targeted server. For example, if the server is an IPsec gateway, it might need to limit the MSS it receives to provide space for IPsec headers when tunneling traffic. The firewall cannot predict the MSS value sent to the server when it responds to the manufactured SYN packet during the proxy sequence. Being able to control the size of a segment makes it possible to control the manufactured MSS value sent to WAN clients. This option is not selected by default.

    If you specify an override value for the default of 1460, only a segment that size or smaller is sent to the client in the SYN/ACK cookie. Setting this value too low can decrease performance when the SYN Proxy is always enabled. Setting this value too high can break connections if the server responds with a smaller MSS value.

    • Maximum TCP MSS sent to WAN clients – This is the value of the MSS. The default is 1460, the minimum value is 32, and the maximum is 1460.

    When using Proxy WAN client connections, remember to set these options conservatively as they only affect connections when a SYN Flood takes place. This ensures that legitimate connections can continue during an attack.

    • Always log SYN packets received – Select this option to log all SYN packets received. This option is only available with higher levels of SYN protection.

Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting

The SYN/RST/FIN Blacklisting feature lists devices that exceeded the SYN, RST, and FIN Blacklist attack threshold. The firewall device drops packets sent from blacklisted devices early in the packet evaluation process, enabling the firewall to handle greater amounts of these packets, providing a defense against attacks originating on local networks while also providing second-tier protection for WAN networks.

A device cannot be on the SYN/RST/FIN Blacklist and the watchlist at the same time. With blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the watchlist and places them on the blacklist. Conversely, when the firewall removes a device from the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed on the blacklist is removed from it approximately three seconds after the flood emanating from that device has ended.

  • Enable SYN/RST/FIN/TCP flood blacklisting on all interfaces – Enables the blacklisting feature on all interfaces on the firewall. This option is not selected by default. When it is selected, the following options become available.
  • Never blacklist WAN machines – Ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it cleared may interrupt traffic to and from the firewall's WAN ports. This option is not selected by default.
  • Always allow SonicWall management traffic – Causes IP traffic from a blacklisted device targeting the firewall's WAN IP addresses to not be filtered. This allows management traffic and routing protocols to maintain connectivity through a blacklisted device. This option is not selected by default.
  • Threshold for SYN/RST/FIN flood blacklisting – Specifies the maximum number of SYN, RST, FIN, and TCP packets allowed per second. The minimum is 10, the maximum is 800000, and the default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.

Enable UDP Flood Protection

UDP Flood Attacks are a type of denial-of-service (DoS) attack. They are initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the victimized system's resources are consumed with handling the attacking packets, which eventually causes the system to be unreachable by other clients.

SonicWall UDP Flood Protection defends against these attacks by using a "watch and block" method. The appliance monitors UDP traffic to a specified destination. If the rate of UDP packets per second exceeds the allowed threshold for a specified duration of time, the appliance drops subsequent UDP packets to protect against a flood attack.

UDP packets that are DNS queries or responses to or from a DNS server configured on the appliance are allowed to pass, regardless of the state of UDP Flood Protection.

The following settings configure UDP Flood Protection

  1. Enable UDP Flood Protection – Enables UDP Flood Protection. This option is not selected by default. Enable UDP Flood Protection must be enabled to activate the other UDP Flood Protection options.
  2. UDP Flood Attack Threshold – The maximum number of UDP packets allowed per second to be sent to a host, range, or subnet. Exceeding this threshold triggers UDP Flood Protection. The minimum value is 50, the maximum value is 1000000, and the default value is 1000.
  3. UDP Flood Attack Blocking Time – After the appliance detects the rate of UDP packets exceeding the attack threshold for this duration of time, UDP Flood Protection is activated and the appliance begins dropping subsequent UDP packets. The minimum time is 1 second, the maximum time is 120 seconds, and the default time is 2 seconds.
  4. Click Save.

Enable ICMP Flood Protection

ICMP Flood Protection functions identically to UDP Flood Protection, except it monitors for ICMPv4/ICMPv6 Flood Attacks. The only difference is that DNS queries are not allowed to bypass ICMP Flood Protection.

To configure ICMP Flood Protection

  1. Enable ICMP Flood Protection – Enables ICMP Flood Protection. Enable ICMP Flood Protection must be enabled to activate the other ICMP Flood Protection options.
  2. ICMP Flood Attack Threshold – The maximum number of ICMP packets allowed per second to be sent to a host, range, or subnet. Exceeding this threshold triggers ICMP Flood Protection. The minimum number is 10, the maximum number is 100000, and the default number is 1000.
  3. ICMP Flood Attack Blocking Time – After the appliance detects the rate of ICMP packets exceeding the attack threshold for this duration of time, ICMP Flood Protection is activated, and the appliance begins dropping subsequent ICMP packets. The minimum time is 1 second, the maximum time is 120 seconds, and the default time is 2 seconds.
  4. Click Save.
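The threshold and blocking-time semantics described for UDP Flood Protection and for ICMP Flood Protection above, modelled as an added example (not SonicWall code). It assumes integer-second timestamps and, because the page does not say when dropping stops, that a full second at or below the threshold ends the block; the DNS bypass applies only when a DNS server address is given (the UDP case). The IP addresses and packet counts in `simulate` are constructed.

```python
from collections import defaultdict


class FloodProtection:
    """Model of the 'watch and block' flood protection this page describes for UDP and ICMP.
    threshold: packets/second to one destination that count as a flood;
    blocking_time: seconds the rate must stay above threshold before drops begin;
    dns_server: UDP only, DNS to/from this server always passes (None = no bypass)."""

    def __init__(self, threshold=1000, blocking_time=2, dns_server=None):
        self.threshold = threshold
        self.blocking_time = blocking_time
        self.dns_server = dns_server
        self.rate = defaultdict(int)  # destination -> packets seen in the current second
        self.over = {}                # destination -> consecutive seconds above threshold
        self.blocked = set()          # destinations currently being protected
        self.clock = None             # the second currently being counted

    def _roll(self, second):
        # Close out every finished second before counting packets in a new one.
        while self.clock < second:
            for dst in self.over:
                if self.rate[dst] > self.threshold:
                    self.over[dst] += 1
                    if self.over[dst] >= self.blocking_time:
                        self.blocked.add(dst)
                else:
                    # Assumption (the page does not say when drops stop): a full
                    # second at or below threshold ends the block.
                    self.over[dst] = 0
                    self.blocked.discard(dst)
            self.rate.clear()
            self.clock += 1

    def packet(self, second, src, dst, sport=0, dport=0):
        """Return 'pass' or 'drop' for one packet arriving at integer time `second`."""
        if self.clock is None:
            self.clock = second
        self._roll(second)
        if self.dns_server and 53 in (sport, dport) and self.dns_server in (src, dst):
            return "pass"  # DNS to/from the configured server bypasses protection
        self.over.setdefault(dst, 0)
        self.rate[dst] += 1
        return "drop" if dst in self.blocked else "pass"


def simulate(threshold=1000, blocking_time=2, pps=1200, seconds=4):
    """Constructed scenario: `pps` UDP packets/second flood 10.0.0.5 for `seconds` seconds,
    plus one DNS reply per second from the configured DNS server 10.0.0.53.
    Returns (flood_passed, flood_dropped, dns_passed)."""
    fp = FloodProtection(threshold, blocking_time, dns_server="10.0.0.53")
    verdicts, dns = [], 0
    for t in range(seconds):
        if fp.packet(t, "10.0.0.53", "10.0.0.5", sport=53, dport=40000) == "pass":
            dns += 1
        verdicts += [fp.packet(t, "198.51.100.7", "10.0.0.5", dport=9) for _ in range(pps)]
    return verdicts.count("pass"), verdicts.count("drop"), dns
```

With the page's defaults (1000 packets/second, 2 seconds), the first two seconds of a 1200 packets/second flood still reach the host before dropping starts, which is why the blocking time should be chosen with the target's capacity in mind.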

DDoS Protection

To configure the DDoS Protection portion of the Add DoS Rule Action

  1. Navigate to OBJECT | Action Profiles > DoS Action Profile.
  2. Click +Add or click the Edit icon from the Configure column.
  3. The Add DoS Action Profile page opens. Click the DDoS Protection tab.

  4. Enter a friendly DoS Rule Action Name.
  5. Click Enable DDoS protection.
  • Threshold for WAN DDOS protection - Non-TCP packets/second - The option to set this threshold is available when Enable DDOS protection on WAN interfaces is selected. It specifies the maximum number of non-TCP packets allowed per second to be sent to a host, range, or subnet. Exceeding this threshold triggers WAN DDOS flood protection. The default number of non-TCP packets is 1000. The minimum number is 0, and the maximum number is 10,000,000.
  • WAN DDOS Filter Bypass Rate - packets/second - This rate is available when Enable DDOS protection on WAN interfaces is selected. The default value of the WAN DDOS Filter Bypass Rate is 0. This default rate prevents all packets passing through unless the device from which they originate is on the Allow List. This can be an appropriate choice in some deployments.

    When you configure this rate to a non-0 number, some non-TCP packets that would normally be dropped by WAN DDOS Protection are instead passed to the LAN/DMZ network. A non-0 bypass rate reduces the risk of a potential attack but does not block it completely. Allowing some packets to pass through (such as every 3rd packet), even though their sources are not on the Allow List, can provide a mechanism by which legitimate WAN-side hosts can get a packet through to the LAN/DMZ side, in spite of the high alert status of the appliance.

    You must determine the appropriate value to set, depending on the capabilities of the potential LAN-side target machines and the nature of the legitimate non-TCP traffic patterns in the network.

  • WAN DDOS Allow List Timeout - seconds - This field is available when Enable DDOS protection on WAN interfaces is selected. If a non-zero Allow List Timeout is defined by the user, entries in the Allow List expire in the configured time. If the Allow List Timeout is zero, they never expire. In either case, the least-recently-used entry in a particular group can be replaced by a new entry, if no unused entry is available in the list.
  • Enable WAN DDOS Protection on WAN interfaces - provides protection against non-TCP DDOS attacks, and so should be used in combination with SYN-Flood Protection if TCP SYN-flood attacks are a concern. This feature is not intended to protect a well-known server of non-TCP services on the Internet (such as a central DNS server), but is intended to protect LAN and DMZ networks for which the majority of non-TCP traffic is initiated from the LAN/DMZ side, possibly in combination with limited WAN-initiated traffic.
  • Check Enable WAN DDOS Protection on WAN interfaces to enable the rest of the options in this section. When WAN DDOS Protection is enabled, it tracks the rate of non-TCP packets arriving on WAN interfaces. When the rate of non-TCP packets exceeds the specified threshold, non-TCP packets arriving on WAN interfaces will be filtered. A non-TCP packet is only forwarded when at least one of the following conditions is met:
    • the source IP address is on the Allow list
    • the packet is SonicWall management traffic, and Always allow SonicWall management traffic is selected
    • the packet is an ESP packet and matches the SPI of a tunnel terminating on the network security appliance
    • the packet is the nth packet matching the value specified for WAN DDOS Filter Bypass Rate (every n packets)

If none of these conditions are met, the packet is dropped early in packet processing.

  • Always allow SonicWall management traffic - This field is available when Enable DDOS protection on WAN interfaces is selected. Select this field so that traffic needed to manage your SonicWall appliances is allowed to pass through your WAN gateways, even when the appliance is under a non-TCP DDOS attack. This option is disabled by default.
  • Always allow VPN negotiation traffic - This field is available when Enable DDOS protection on WAN interfaces is selected. Select this field so that all VPN negotiation packets are allowed to pass through, even though other traffic is blocked.
  6. Click Save.
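The four forwarding conditions listed above for non-TCP packets on WAN interfaces (Allow List, management traffic, ESP matching a local tunnel SPI, and the Filter Bypass Rate) together with the Allow List Timeout, modelled as an added example that is not SonicWall code. It assumes the filter is already active (the non-TCP rate has exceeded the threshold), that every non-TCP packet the filter examines counts towards the "every n packets" bypass, and that Allow List entries are supplied by the caller; the SPI, addresses and packet stream are constructed.

```python
class WanDdosFilter:
    """Model of the per-packet decision this page lists for non-TCP packets arriving on
    WAN interfaces while WAN DDOS Protection is filtering (rate already above threshold).
    bypass_rate: 0 = nothing bypasses, n = every nth non-TCP packet is forwarded;
    allow_list_timeout: seconds before an Allow List entry expires, 0 = never;
    allow_mgmt: 'Always allow SonicWall management traffic';
    tunnel_spis: SPIs of IPsec tunnels terminating on the appliance."""

    def __init__(self, bypass_rate=0, allow_list_timeout=0, allow_mgmt=False, tunnel_spis=()):
        self.bypass_rate = bypass_rate
        self.allow_list_timeout = allow_list_timeout
        self.allow_mgmt = allow_mgmt
        self.tunnel_spis = set(tunnel_spis)
        self.allow_list = {}  # source IP -> time the entry was added
        self.seen = 0         # non-TCP packets counted towards the bypass rate (assumption:
                              # every filtered packet counts, whatever its final verdict)

    def add_allowed(self, src, now):
        self.allow_list[src] = now

    def _on_allow_list(self, src, now):
        added = self.allow_list.get(src)
        if added is None:
            return False
        if self.allow_list_timeout and now - added >= self.allow_list_timeout:
            del self.allow_list[src]  # entry expired
            return False
        return True

    def decide(self, pkt, now):
        """Return ('forward', reason) or ('drop', reason) for one non-TCP packet.
        pkt: dict with src, proto ('udp'/'icmp'/'esp'), optional mgmt (bool) and spi (int)."""
        self.seen += 1
        if self._on_allow_list(pkt["src"], now):
            return "forward", "source on Allow List"
        if pkt.get("mgmt") and self.allow_mgmt:
            return "forward", "management traffic"
        if pkt.get("proto") == "esp" and pkt.get("spi") in self.tunnel_spis:
            return "forward", "ESP for a tunnel terminating here"
        if self.bypass_rate and self.seen % self.bypass_rate == 0:
            return "forward", "filter bypass rate"
        return "drop", "WAN DDOS protection"


def run_sample(bypass_rate, allow_list_timeout):
    """Constructed packet stream (not from the page); returns the verdict for each packet."""
    f = WanDdosFilter(bypass_rate, allow_list_timeout, allow_mgmt=True, tunnel_spis={0xDEADBEEF})
    f.add_allowed("203.0.113.9", now=0)
    stream = [
        (0, {"src": "203.0.113.9", "proto": "udp"}),                   # on the Allow List
        (1, {"src": "198.51.100.1", "proto": "udp"}),                  # unknown source
        (2, {"src": "198.51.100.2", "proto": "udp", "mgmt": True}),    # management traffic
        (3, {"src": "198.51.100.3", "proto": "esp", "spi": 0xDEADBEEF}),
        (4, {"src": "198.51.100.4", "proto": "icmp"}),
        (5, {"src": "198.51.100.5", "proto": "icmp"}),
        (40, {"src": "203.0.113.9", "proto": "udp"}),                  # same source, 40 s later
    ]
    return [f.decide(p, t)[0] for t, p in stream]
```

Running `run_sample(3, 30)` against `run_sample(0, 0)` shows the two settings the section discusses: a bypass rate of 3 lets the sixth unknown-source packet through, and a 30-second Allow List Timeout expires the entry before the last packet, whereas 0/0 forwards only the listed, management and ESP packets and never expires the entry.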

Attack Protection

To configure the Attack Protection portion of the Add DoS Rule Action

  1. Navigate to OBJECT | Action Profiles > DoS Action Profile.
  2. Click +Add or click the Edit icon from the Configure column.
  3. The Add DoS Action Profile page opens. Click the Attack Protection tab.

  4. Enter a friendly DoS Rule Action Name.
  5. Enable Spank Protection to guard against remote host attacks that respond to TCP packets sent from a multicast IP address. Attackers exploit this vulnerability by conducting a 'spank' denial of service attack. This results in the host being shut down or the network traffic reaching saturation. Also, this vulnerability can be used by an attacker to conduct stealth port scans against the host.
  6. Enable Smurf Protection to guard against attacks where LAN Clients are being used as part of an "Amplifier network."
  7. Enable Land Attack Protection to protect against a Layer 4 Denial of Service (DoS) attack where the attacker resets the source and destination information of a TCP segment to be the same. A vulnerable machine crashes or freezes because the packet is being repeatedly processed by the TCP stack.
  8. Click Save.

Connection Limiting

The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the firewall using Access Rules as a classifier, and declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic.

Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted > Untrusted traffic (that is, LAN > WAN). Malicious activity of this sort can consume all available connection‐cache resources in a matter of seconds, particularly on smaller appliances.

In addition to mitigating the propagation of worms and viruses, Connection Limiting can be used to alleviate other types of connection‐cache resource consumption issues, such as those posed by uncompromised internal hosts running peer‐to‐peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools.

Finally, Connection Limiting can be used to protect publicly available servers (such as Web servers) by limiting the number of legitimate inbound connections permitted to the server (that is, to protect the server against the Slashdot effect). This is different from SYN flood protection, which attempts to detect and prevent partially-open or spoofed TCP connections. This is most applicable for Untrusted traffic, but it can be applied to any zone traffic as needed.

Connection Limiting is applied by defining a percentage of the total maximum allowable connections that might be allocated to a particular type of traffic. The previous figures show the default LAN > WAN setting, where all available resources might be allocated to LAN > WAN (any source, any destination, any service) traffic.

More specific rules can be constructed; for example, to limit the percentage of connections that can be consumed by a certain type of traffic (for example, FTP traffic to any destination on the WAN), or to prioritize important traffic (for example, HTTPS traffic to a critical server) by allowing 100% to that class of traffic, and limiting general traffic to a smaller percentage (minimum allowable value is 1%).

It is not possible to use IPS signatures as a Connection Limiting classifier; only Access Rules (for example, Address Objects and Service Objects) are permissible.

To configure the Connection Limiting portion of the Add DoS Action Profile page

  1. Navigate to OBJECT | Action Profiles > DoS Action Profile.
  2. Click +Add or click the Edit icon from the Configure column.
  3. The Add DoS Action Profile page opens. Click the Connection Limiting tab.

  4. Enter a friendly DoS Rule Action Name.
  5. Enable Connection Limiting.
  6. Configure options and thresholds as necessary.
  7. Click Save.
