Configuring Advanced Properties for ScreenOS Device Details

When a denial-of-service (DoS) attack occurs, the CPU recognizes the attack and drops the traffic. A DoS attack can drive CPU utilization high enough that the security device drops all packets. To prevent high CPU utilization during a DoS attack, the packet-dropping feature was moved to the application-specific integrated circuit (ASIC) in ScreenOS 6.0.

Network traffic is categorized as either critical or noncritical. Critical traffic includes management traffic such as Telnet and SSH. When a DoS attack occurs, CPU usage increases; once it reaches the throttling threshold, the device begins dropping noncritical traffic, including traffic that is not blacklisted. To prevent this, you can configure the security device to drop malicious packets within the component that processed them, before they consume CPU time. In this mechanism, you create a blacklist of the source and destination network addresses from which malicious traffic reaches the security device.

When a packet reaches the security device, it is checked against the list of configured blacklist entries. If a match occurs, the device drops the packet. If the packet matches no blacklist entry, the device passes it to the next stage, which prioritizes the packet. For each entry in the blacklist, the security device maintains a drop counter that records the number of packets dropped against that entry.
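The following Python model illustrates the two-stage behavior described above: a blacklist check with a per-entry drop counter that runs first, followed by a prioritization stage in which noncritical traffic is dropped once a CPU throttling threshold is reached. It is an added example, not ScreenOS code or Juniper documentation; the blacklist entry format (a source network paired with a destination network), the set of ports treated as critical (SSH and Telnet), the packet-count throttling model, and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the illustration.

```python
"""Added model of the blacklist drop stage and the throttling stage behind it.

Not ScreenOS code. The entry format, the critical-port set, the throttling
model and the sample traffic are assumptions made for this illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Assumption: management protocols counted as critical traffic (SSH, Telnet).
CRITICAL_TCP_PORTS = {22, 23}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class BlacklistEntry:
    src_net: IPv4Network
    dst_net: IPv4Network
    drops: int = 0  # per-entry drop counter, as the text describes

    def matches(self, pkt: Packet) -> bool:
        return ip_address(pkt.src) in self.src_net and ip_address(pkt.dst) in self.dst_net


def is_critical(pkt: Packet) -> bool:
    return pkt.proto == "tcp" and pkt.dport in CRITICAL_TCP_PORTS


class Device:
    """Stage 1: blacklist check. Stage 2: prioritization with a CPU throttling
    threshold (a simplified stand-in; the real scheduler is not on the page)."""

    def __init__(self, throttle_threshold: int):
        self.blacklist: list[BlacklistEntry] = []
        self.throttle_threshold = throttle_threshold
        self.cpu_load = 0                      # packets the CPU had to examine
        self.forwarded: list[Packet] = []
        self.throttled = 0                     # noncritical packets dropped by throttling

    def add_blacklist(self, src_cidr: str, dst_cidr: str) -> None:
        self.blacklist.append(BlacklistEntry(ip_network(src_cidr), ip_network(dst_cidr)))

    def process(self, pkt: Packet) -> str:
        # Stage 1: a blacklist match drops the packet before it costs CPU time.
        for entry in self.blacklist:
            if entry.matches(pkt):
                entry.drops += 1
                return "blacklisted"
        # Stage 2: every packet reaching the prioritizer consumes CPU.
        self.cpu_load += 1
        if not is_critical(pkt) and self.cpu_load > self.throttle_threshold:
            self.throttled += 1
            return "throttled"
        self.forwarded.append(pkt)
        return "forwarded"

    def drop_counters(self) -> dict:
        return {(str(e.src_net), str(e.dst_net)): e.drops for e in self.blacklist}


def run_demo(use_blacklist: bool = True) -> dict:
    """Replay a constructed flood plus two legitimate sessions, with or without the blacklist."""
    dev = Device(throttle_threshold=5)
    if use_blacklist:
        dev.add_blacklist("203.0.113.0/24", "198.51.100.10/32")
    # Constructed traffic: 20 UDP packets from one /24, then SSH (critical) and HTTP (noncritical).
    flood = [Packet(f"203.0.113.{i}", "198.51.100.10", "udp", 53) for i in range(1, 21)]
    legit = [Packet("192.0.2.7", "198.51.100.10", "tcp", 22),
             Packet("192.0.2.8", "198.51.100.10", "tcp", 80)]
    results = [dev.process(p) for p in flood + legit]
    return {
        "blacklisted": results.count("blacklisted"),
        "throttled": dev.throttled,
        "forwarded": [(p.src, p.dport) for p in dev.forwarded],
        "counters": dev.drop_counters(),
    }


if __name__ == "__main__":
    print("with blacklist:   ", run_demo(True))
    print("without blacklist:", run_demo(False))
```

Running it with the blacklist in place, all 20 flood packets hit the entry's drop counter and never reach the prioritizer, so both the SSH and the HTTP session are forwarded. Without the blacklist, the flood pushes the simulated CPU past the threshold: the SSH packet still passes because it is critical, but the HTTP packet is throttled along with the remaining flood, which is exactly the collateral loss of unblacklisted noncritical traffic the text warns about.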
