Prevent DoS and DDoS Attacks using Cyberoam

Applicable Version: 10.00 onwards
Denial of Service (DoS)

A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable.

DoS attacks are commonly carried out in the following ways:

ICMP Flood: The attacker sends a high volume of ICMP packets (typically echo requests) at the target, usually from spoofed source addresses. In the reflected (smurf) variant the source address is forged to be the victim's, so every host that receives the request replies to the victim. Either way, the link bandwidth and the target's processing capacity are consumed, preventing legitimate packets from getting through to their destination.

SYN/TCP Flood: A SYN flood occurs when a host sends a stream of TCP SYN packets, often with forged source addresses. The server treats each one as a connection request: it allocates a half-open connection, replies with a SYN-ACK, and waits for the final ACK of the three-way handshake from the source address. Because the source address is forged, that ACK never arrives. The half-open connections fill the server's connection backlog, so it cannot accept legitimate connections until the attack ends.

UDP Flood: The attacker sends a large number of UDP packets to random ports on the target host. For each packet that reaches a closed port, the host checks for a listening application and, finding none, replies with an ICMP Destination Unreachable (Port Unreachable) message. At high packet rates, receiving the packets and generating these replies exhausts the host's resources, leaving it unreachable by other clients.

Distributed Denial of Service (DDoS)

A Distributed Denial of Service (DDoS) attack is a DoS attack launched simultaneously from many systems, whether legitimate or compromised (a botnet), against a single target. Because the traffic comes from many sources, its aggregate rate is far higher than a single attacker could produce, and it can overwhelm the victim or force it offline, which in turn bars service to its legitimate users.

This article describes how you can protect your network against DoS and DDoS attacks using Cyberoam. It is divided into two sections:

- Protecting from DoS Attack
- Protecting from DDoS Attack
Protecting from DoS Attack

You can protect your network against DoS attacks, for both IPv4 and IPv6 traffic, by configuring appropriate DoS Settings on Cyberoam. Follow the steps below.

- Log in to the Cyberoam Web Admin Console using a profile that has read-write administrative rights over the relevant features.
- Go to Firewall > DoS > Settings, set the parameters as appropriate for your network traffic, and check Apply Flag against each configured parameter to enable scanning for that type of traffic. For example, here we have set Packet Rate per Source (Packet/min) to 1200 for ICMP/ICMPv6 Flood and checked Apply Flag against it to enable scanning for ICMP and ICMPv6 traffic.
- Click Apply to apply the configured DoS Settings.

Once the DoS settings are applied, Cyberoam monitors the network traffic to ensure that it does not exceed the configured limit. With the settings above, Cyberoam counts ICMP and ICMPv6 packets per source address; if a source exceeds 1200 packets per minute, Cyberoam drops the excess packets and continues dropping them until the rate falls back under the limit. Set the threshold above the peak rate you see from legitimate sources (for example, monitoring hosts that ping many devices), since any source that crosses it will be rate-limited. Note that the limit is per source: a flood spread across many sources, each staying under the threshold, is not caught by this setting, which is why DDoS protection is handled separately below.
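To make the per-source threshold concrete, here is an added example (not Cyberoam code; the appliance's internal algorithm is not documented in this article) that models Packet Rate per Source (Packet/min) as a trailing one-minute sliding window kept per source address and runs it over a constructed packet stream. It reproduces the 1200 packets/min setting above, shows the window sliding so that packets are accepted again once the earlier ones age out, and also shows why a per-source limit alone does not stop a distributed flood, the case the next section addresses with IPS signatures. The addresses, packet rates and the sliding-window algorithm are assumptions made for the demonstration.

```python
"""Per-source packet-rate limiting, modelled on the Cyberoam DoS setting
"Packet Rate per Source (Packet/min)".

Added example for this article; this is NOT Cyberoam code, and the exact
algorithm inside the appliance is not documented here. The model assumed is
a trailing one-minute sliding window per source address. All packet streams
below are constructed for the demonstration (timestamps in milliseconds,
source addresses taken from the RFC 5737 documentation ranges).
"""
from collections import defaultdict, deque

WINDOW_MS = 60_000  # the setting is expressed per minute


class PerSourceRateLimiter:
    """Allow at most `limit` packets per source inside any trailing window."""

    def __init__(self, limit, window_ms=WINDOW_MS):
        self.limit = limit
        self.window_ms = window_ms
        self._seen = defaultdict(deque)  # src -> timestamps of allowed packets
        self.allowed = defaultdict(int)
        self.dropped = defaultdict(int)

    def accept(self, src, ts_ms):
        """Return True if the packet passes, False if it is dropped.

        Packets must be fed in non-decreasing timestamp order.
        """
        q = self._seen[src]
        # Forget allowed packets that have aged out of the trailing window.
        while q and ts_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            self.dropped[src] += 1  # over the limit: drop, but keep counting
            return False
        q.append(ts_ms)
        self.allowed[src] += 1
        return True

    def summary(self):
        per_source = {s: (self.allowed[s], self.dropped[s]) for s in self._seen}
        return {
            "per_source": per_source,
            "allowed": sum(self.allowed.values()),
            "dropped": sum(self.dropped.values()),
        }


def run(packets, limit=1200):
    """Feed (ts_ms, src) packets through the limiter; return the summary."""
    rl = PerSourceRateLimiter(limit)
    for ts_ms, src in sorted(packets):
        rl.accept(src, ts_ms)
    return rl.summary()


def single_source_flood(src="203.0.113.7", pps=50, seconds=60):
    """Constructed ICMP flood: one source at `pps` packets/s (pps must divide 1000)."""
    interval = 1000 // pps
    return [(i * interval, src) for i in range(pps * seconds)]


def distributed_flood(n_sources=100, pps=10, seconds=60):
    """Constructed DDoS: many sources, each well under the per-source limit."""
    packets = []
    interval = 1000 // pps
    for k in range(n_sources):
        src = f"198.51.100.{k + 1}"
        # Offset each source by k ms so the streams interleave in time.
        packets += [(i * interval + k, src) for i in range(pps * seconds)]
    return packets


if __name__ == "__main__":
    flood = run(single_source_flood())
    print("single source, 50 pps for 60 s:", flood["per_source"])
    ddos = run(distributed_flood())
    print(f"100 sources x 10 pps for 60 s: {ddos['allowed']} allowed, "
          f"{ddos['dropped']} dropped")
```

Run it directly to print the two scenarios: the single source at 50 packets/s gets 1200 packets through and 1800 dropped within the minute, while 100 sources at 10 packets/s each put all 60000 packets through untouched because every source stays at 600 per minute. Feeding a 120-second stream (for example `single_source_flood(pps=25, seconds=120)`) shows the window sliding: after the first minute the allowed packets age out one by one and new packets are accepted again, which is the behaviour the article describes as dropping until the attack subsides.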

Protecting from DDoS Attack

You can protect your network against DDoS attacks using IPS policies in Cyberoam. To configure an IPS policy, follow the steps below.

- Log in to the Cyberoam Web Admin Console using a profile that has read-write administrative rights over the relevant features.
- Go to IPS > Policy > Policy and click Add to create a new IPS Policy named ‘DDoS_Protection’.
- Select the newly created policy and click Add to add a Rule to the IPS Policy.
- Click Select Individual Signature and search for DDoS signatures.
- Select the DDoS signatures and set Action to Drop Packet. Click OK to save the Rule.
- Click OK to save the policy.
- Go to Firewall > Rule > Rule and apply the policy to the required Firewall Rule. Here, we have applied it to LAN_WAN_LiveUserTraffic. Click OK to save the firewall rule.

Once the IPS policy is applied, Cyberoam inspects the traffic handled by that firewall rule for packets matching the configured IPS signature(s) and drops any that match. The policy only inspects traffic that passes through the firewall rule it is attached to, so attach it to every rule that carries traffic you want protected.

Document Version: 1.1 – 2 May, 2014
Article ID: 2605