Prevent DoS and DDoS Attacks using Cyberoam

Applicable Version: 10.00 onwards
 
Overview
 
Denial of Service (DoS)

A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable.

Common forms of DoS attack include:

ICMP Flood: The attacker sends the target a stream of ICMP packets (typically echo requests) faster than it can process them, consuming bandwidth and processing capacity so that legitimate packets are delayed or lost. In the reflected variant (a smurf attack), the source address is forged to be the victim's address and the packets are sent to other hosts or broadcast addresses, so that all of their replies converge on the victim.

SYN/TCP Flood: A SYN flood occurs when a host sends a flood of TCP SYN packets, often with forged source addresses. The server treats each one as a connection request, allocates a half-open connection, replies with a SYN-ACK and waits for the final ACK of the handshake. Because the source address is forged, that ACK never arrives. The half-open connections fill the server's connection backlog, so it cannot accept legitimate connections until the entries time out or the attack ends.

UDP Flood: The attacker sends a large number of UDP packets to random ports on the target. For each port with no listening application, the target replies with an ICMP Destination Unreachable message; at high volume, processing the incoming packets and generating these replies exhausts the target's resources and it becomes unreachable for other clients. When the source addresses are forged, the ICMP replies also land on the spoofed hosts.
 

Distributed Denial of Service (DDoS)

A Distributed Denial of Service (DDoS) attack is a DoS attack carried out simultaneously from many systems, usually compromised hosts under the attacker's control but sometimes also legitimate systems enlisted into the attack, against a single target. The combined traffic can overwhelm or crash the victim, which in turn denies service to its legitimate users. Because the load is spread across many source addresses, limits applied per source are far less effective than they are against a single-source DoS attack.
 

This article describes how you can protect your network against DoS and DDoS attacks using Cyberoam. It is divided into two sections:

- Protecting from DoS Attack
- Protecting from DDoS Attack
 
 
Protecting from DoS Attack

You can protect your network against DoS attacks by configuring DoS Settings on Cyberoam. To configure DoS Settings, follow the steps given below.

- Log in to the Cyberoam Web Admin Console using an Administrator profile.

- Go to Firewall → DoS → Settings, set the parameters as appropriate to your network traffic and check the Apply Flag against each configured parameter to enable scanning for the respective type of traffic.

  For example, here we have set Packet Rate per Source (Packet/min) for ICMP traffic to 1200 and checked the Apply Flag against it to enable scanning for that traffic.

- Click Apply to apply the configured DoS Settings.

Once DoS settings are applied, Cyberoam monitors network traffic to ensure that it does not exceed the configured limits. With the settings above, Cyberoam counts ICMP packets per source address; if a source exceeds 1200 packets per minute, Cyberoam drops the excess packets and continues dropping them until the attack subsides, that is, until the source's rate falls back below the limit.

Set the thresholds from measured traffic rather than by guesswork: a limit below the normal peak rate of a busy host (a monitoring server, a backup target, or a NAT gateway whose single address fronts many users) will drop legitimate traffic. Note also that a per-source limit constrains only one address at a time; traffic spread across many sources, or arriving with forged source addresses, stays under it, which is why the DDoS section below relies on IPS signatures instead.
 

Protecting from DDoS Attack

You can protect your network against DDoS attacks using IPS policies in Cyberoam. To configure an IPS policy, follow the steps given below.

- Log in to the Cyberoam Web Admin Console using an Administrator profile.

- Go to IPS → Policy → Policy and click Add to create a new IPS Policy named 'DDoS_Protection'.

- Select the newly created policy and search for signatures related to DDoS. A list of all DDoS-related signatures is displayed.

- In the list of signatures, select Drop Packet under Actions against the required signatures. For multiple signatures, you may use Set common action to apply the same action to all of them.

- Click OK to save the policy.

- Go to Firewall → Rule → Rule and apply the policy to the required Firewall Rule. Here, we have applied it to LAN_WAN_LiveUserTraffic.

- Click OK to save the firewall rule.

Once the IPS policy is applied, Cyberoam inspects the traffic matched by that firewall rule for packets that match the configured IPS signature(s) and drops any that do. The policy covers only the traffic handled by the rules it is attached to: LAN_WAN_LiveUserTraffic carries LAN-to-WAN traffic, so to protect servers reachable from the Internet, attach the policy to the WAN-to-LAN (or WAN-to-DMZ) rules that carry that traffic as well.

Document Version: 1.0 – 05/04/2013
Article ID: 2605