Applicable Version: 10.00 onwards
Denial of Service (DoS)
A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable.
DoS Attacks can be carried out in the following ways:
ICMP Flood: In such an attack, the perpetrators send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination.
SYN/TCP Flood: A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet (Acknowledge), and waiting for a packet in response from the sender address (response to the ACK Packet). However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.
UDP Flood: A UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. For a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients.
Distributed Denial of Service (DDoS)
A Distributed Denial of Service (DDoS) attack is the attack where multiple legitimate or compromised systems perform a DoS Attack to a single target or system. This distributed attack can compromise the victim machine or force it to shutdown, which in turn bars service to its legitimate users.
This article describes how you can protect your network against DoS and DDoS attacks using Cyberoam. It is divided into Two (2) sections, namely:
Protecting from DoS Attack
You can protect your network against DoS attacks both for IPv4 and IPv6 traffic by configuring appropriate DoS Settings on Cyberoam. You can configure DoS Settings by following the steps given below.
· Login to Cyberoam Web Admin Console using profile having read-write administrative rights over relevant features.
· Go to Firewall > DoS > Settings, set the given parameters as appropriate to your network traffic and check Apply Flag against the configured parameter to enable scanning for the respective type of traffic.
For example, here we have set Packet Rate per Source (Packet/min) as 1200 for ICMP/ICMPv6 Flood and checked Apply Flag against it to enable scanning for ICMP and ICMPv6 traffic.
· Click Apply to apply the configured DoS Settings.
Once DoS settings are applied, Cyberoam keeps a check on the network traffic to ensure that it does not exceed the configured limit. For example, once above settings are applied, Cyberoam scans the network traffic for ICMP and ICMPv6 packets. If the number of ICMP/ICMPv6 packets from a particular source exceeds 1200 per minute, Cyberoam drops the excessive packets and continues dropping till the attack subsides.
Protecting from DDoS Attack
You can protect your network against DDoS attacks using IPS policies in Cyberoam. To configure IPS policy, follow the steps given below.
· Login to Cyberoam Web Admin Console using profile having read-write Administrative rights over relevant features.
· Go to IPS > Policy > Policy and click Add to create a new IPS Policy named ‘DDoS_Protection’.
· Select the newly-made policy and click Add to add Rule for the IPS Policy.
· Click Select Individual Signature and search for DDoS signatures.
· Select the DDoS signatures and select Action as Drop Packet. Click OK to save the Rule.
· Click OK to save policy.
· Go to Firewall > Rule > Rule and apply the policy on the required Firewall Rule. Here, we have applied it on LAN_WAN_LiveUserTraffic.
Click OK to save the firewall settings.
Once the IPS policy is applied, Cyberoam keeps a lookout for any packets that match the configured IPS signature(s). If any such packets are found, Cyberoam drops them.
Document Version: 1.1 – 2 May, 2014