Configuring Flood Defense Settings for Preventing Attacks
Configure flood defense settings to prevent denial-of-service (DoS) attacks from overwhelming the security device with large numbers or floods of certain packet types. You can protect targets in the security zone from ICMP, SYN, and UDP floods.
Configuring ICMP Flooding Protection
An ICMP flood occurs when incoming ICMP echo requests overload a target system with so many requests that the system expends all its resources responding until it can no longer process valid network traffic. You can protect targets in the security zone from ICMP floods by setting a packet-per-second threshold for ICMP requests (default setting: 1000 packets per second). When the ICMP packet flow exceeds the defined threshold, the security device ignores further ICMP echo requests for the remainder of that second and the next second.
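The blackout rule above (exceed the threshold, then ignore echo requests for the rest of that second and all of the next) is easy to misread, so here is an added Python model of it; this is illustrative code written for this page, not ScreenOS or vendor code, and the per-second packet counts it is fed are constructed, not a real capture.

```python
from collections import defaultdict

ICMP_FLOOD_THRESHOLD = 1000  # packets per second, the page's default setting


def icmp_flood_filter(packets, threshold=ICMP_FLOOD_THRESHOLD):
    """Model of the zone-level ICMP flood screen.

    packets: iterable of (timestamp_seconds, is_echo_request) in arrival order.
    Returns a list of (timestamp, "pass" | "drop") decisions.
    Assumption: echo requests dropped during a blackout are not counted
    toward the threshold of the second they arrive in.
    """
    per_second = defaultdict(int)
    blocked_until = -1  # last whole second in which echo requests are ignored
    decisions = []
    for ts, is_echo in packets:
        sec = int(ts)
        if not is_echo:
            decisions.append((ts, "pass"))  # only echo requests are screened
            continue
        if sec <= blocked_until:
            decisions.append((ts, "drop"))  # still inside the blackout window
            continue
        per_second[sec] += 1
        if per_second[sec] > threshold:
            # Threshold exceeded: ignore further echo requests for the rest
            # of this second and for the whole of the next second.
            blocked_until = sec + 1
            decisions.append((ts, "drop"))
        else:
            decisions.append((ts, "pass"))
    return decisions


def simulate_burst(echo_counts_per_second, threshold=ICMP_FLOOD_THRESHOLD):
    """Feed a constructed burst ({second: echo request count}) through the
    filter and return {second: (passed, dropped)} for each second."""
    packets = [(sec + i / (n or 1), True)
               for sec, n in sorted(echo_counts_per_second.items())
               for i in range(n)]
    summary = defaultdict(lambda: [0, 0])
    for ts, action in icmp_flood_filter(packets, threshold):
        summary[int(ts)][0 if action == "pass" else 1] += 1
    return {sec: tuple(v) for sec, v in summary.items()}


if __name__ == "__main__":
    # 1200 echo requests in second 10, then a trickle: second 11 is blacked
    # out entirely, second 12 is processed normally again.
    print(simulate_burst({10: 1200, 11: 5, 12: 5}))
```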
Configuring SYN Flooding Protection
A SYN flood occurs when a target becomes so overwhelmed by SYN segments initiating invalid connection requests that it can no longer process legitimate connection requests. You can configure thresholds for the zone that, when exceeded, prompt the security device to begin acknowledging incoming SYN segments on the target's behalf (SYN proxy) and queuing the incomplete connection requests. Incomplete connection requests remain in the queue until the connection completes or the request times out.
To protect targets in the security zone from SYN floods, enable SYN Flood Protection and configure the thresholds for SYN segments passing through the zone as described in Table 1.
Table 1: Thresholds for SYN segments

Attack threshold: Configure the number of SYN packets (TCP segments with the SYN flag set) per second required for the security device to begin SYN proxy. This threshold is the total number of packets passing through the zone, from all sources to all destinations.

Alarm threshold: Configure the number of proxied TCP connection requests required to generate an alarm in an alarm log entry for the event.

Source threshold: Configure the number of SYN packets per second from a single IP address required for the security device to begin rejecting new connection requests from that source.

Destination threshold: Configure the number of SYN packets per second to a single IP address required for the security device to begin rejecting new connection requests to that destination.

Timeout: Configure the number of seconds the security device holds an incomplete TCP connection attempt in the proxied connection queue.

Queue size: Configure the number of proxied TCP connection requests held in the proxied connection queue before the security device begins rejecting new connection requests.
Configuring UDP Flooding Protection
Security devices currently support UDP for incoming SIP calls. To protect targets in the security zone against UDP flooding by incoming SIP traffic, enable UDP Flooding Protection. The security device can limit the number of UDP packets that can be received by an IP address, preventing incoming SIP calls from overwhelming a target.
UDP Flood Protection appears only for devices running ScreenOS 5.1 and later.
SIP signaling traffic consists of request and response messages between client and server and uses transport protocols such as UDP or TCP. The media stream carries the data (for example, audio data) and uses application-layer protocols such as RTP (Real-Time Transport Protocol) over UDP.