Sangfor DoSDDoS Solution · Defense Against DoS/DDoS Attack (SYN Flood, UDP Flood, DNS Flood, ICMP...
www.sangfor.com
Sangfor Technologies
Sangfor NGAF - Next Generation Firewall + WAF
● Full Visibility of the Network Security
● Real-Time Detection & Fast Response
● Simple Operation & Maintenance
● High-Performance Hardware/Software
Sangfor DoS/DDoS Solution
DoS (Denial-of-Service) is a type of network attack that users' networks often face. Although the Internet has a long history reaching back into the last century, the popularity of DoS attacks has not dropped at all since they started in 1999, and they remain one of the most common types of network attack today.
Definitions
A DoS (Denial of Service) attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload the system and prevent some or all legitimate requests from being fulfilled. It is analogous to a group of people crowding the entry door or gate of a shop or business and not letting legitimate parties enter, disrupting normal operations.
A DDoS (Distributed Denial of Service) attack combines multiple computers into an attack platform that launches DoS attacks against one or more targets, multiplying the power of the denial-of-service attack. A DoS attack that forges its source IP addresses can also be regarded as a DDoS attack.
Sangfor Anti-DoS/DDoS Glossary
Inbound Attack Protection:
Mainly protects internal servers from attacks originating in the external zone, providing:
▪ Scan Prevention (IP Scan, Port Scan)
▪ Defense Against DoS/DDoS Attack (SYN Flood, UDP Flood, DNS Flood, ICMP Flood, ICMPv6 Flood)
▪ Packet-based Attack Protection (Unknown protocol, TearDrop attack, Sending IP fragment, LAND attack, WinNuke attack, Smurf attack, Large ICMP packet (>1024 B) / Ping of death)
▪ Bad IP Options (Wrong IP message, IP timestamp message, IP security option message, IP stream option message, IP record route option message, IP loose source route option message, IP strict source route option message)
▪ Bad TCP Options (SYN packet fragmentation, All TCP header flag bits are 0, SYN and FIN flag bits are both 1, Only the FIN flag bit is 1)
Outbound Attack Protection:
Mainly protects internal PCs from launching DoS attacks, providing:
▪ Scan Prevention (IP Scan, Port Scan)
▪ Defense Against DoS/DDoS Attack (SYN Flood, UDP Flood, DNS Flood, ICMP Flood, ICMPv6 Flood)
▪ Packet-based Attack Protection (Unknown protocol, TearDrop attack, Sending IP fragment, LAND attack, WinNuke attack, Smurf attack, Large ICMP packet (>1024 B) / Ping of death)
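The packet-based and bad-TCP-option checks listed for both the inbound and the outbound direction are all stateless tests on individual header fields, so they can be illustrated with a small classifier. The example below is added here and is not Sangfor's code; it works on constructed, already-parsed header fields rather than a real capture, and the anomaly names are its own. It implements the conditions the lists name: unknown protocol, LAND (source equals destination), fragmented SYN, all TCP flag bits zero, SYN and FIN both set, FIN only, and ICMP payloads over 1024 bytes.

```python
from dataclasses import dataclass
from typing import Dict, List

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# IP protocol numbers the checker recognises; anything else counts as "unknown protocol"
KNOWN_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
MAX_ICMP_BYTES = 1024   # the >1024 B threshold quoted in the feature list


@dataclass
class Packet:
    """Constructed, already-parsed header fields (not a real capture)."""
    src: str
    dst: str
    proto: int
    flags: int = 0                 # TCP flags byte; only meaningful when proto == 6
    more_fragments: bool = False   # IP "more fragments" bit on the header-carrying fragment
    frag_offset: int = 0           # IP fragment offset (8-byte units)
    payload_len: int = 0           # bytes following the IP header


def check_packet(pkt: Packet) -> List[str]:
    """Return the name of every packet-based anomaly the packet matches."""
    findings: List[str] = []
    if pkt.proto not in KNOWN_PROTOCOLS:
        findings.append("unknown-protocol")
    if pkt.src == pkt.dst:
        findings.append("land-attack")            # source address equals destination
    if pkt.proto == 6 and pkt.frag_offset == 0:
        # Only the first fragment carries the TCP header, so flag checks apply there only
        if pkt.more_fragments and pkt.flags & SYN:
            findings.append("fragmented-syn")
        if pkt.flags == 0:
            findings.append("tcp-flags-all-zero")
        if pkt.flags & SYN and pkt.flags & FIN:
            findings.append("syn-and-fin")
        if pkt.flags == FIN:
            findings.append("fin-only")
    if pkt.proto in (1, 58) and pkt.payload_len > MAX_ICMP_BYTES:
        findings.append("oversized-icmp")
    return findings


def summarize(packets: List[Packet]) -> Dict[str, List[str]]:
    """Map each anomaly name to the source addresses that triggered it."""
    report: Dict[str, List[str]] = {}
    for pkt in packets:
        for name in check_packet(pkt):
            report.setdefault(name, []).append(pkt.src)
    return report


# Constructed sample traffic: one clean SYN followed by one packet per anomaly
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.2", 6, flags=SYN),
    Packet("203.0.113.8", "198.51.100.2", 6, flags=SYN | FIN),
    Packet("203.0.113.9", "198.51.100.2", 6, flags=0),
    Packet("203.0.113.10", "198.51.100.2", 6, flags=FIN),
    Packet("203.0.113.11", "198.51.100.2", 6, flags=SYN, more_fragments=True),
    Packet("198.51.100.2", "198.51.100.2", 6, flags=SYN),
    Packet("203.0.113.12", "198.51.100.2", 1, payload_len=1500),
    Packet("203.0.113.13", "198.51.100.2", 200),
]

if __name__ == "__main__":
    for name, sources in sorted(summarize(SAMPLE).items()):
        print(f"{name:20s} {', '.join(sources)}")
```

The checks deliberately look only at the fragment that carries the TCP header: a non-first fragment has no flags byte, so testing it would produce false "all zero" hits.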
NGAF Device Protection:
Self-protection of the Sangfor NGAF itself against DoS attacks, providing:
▪ Scan Prevention (IP Scan, Port Scan)
▪ Defense Against DoS/DDoS Attack (SYN Flood, UDP Flood, DNS Flood, ICMP Flood)
Anti-DoS Assisting Tools:
a. Country blocking: When a DoS attack occurs, allow only IPs from certain regions to access the internal network and refuse IPs from all other regions; or directly refuse IPs from certain regions.
b. Internal IP address white list: Allows only traffic from the specified internal IP groups through the NGAF, to prevent forged IPs.
c. Affiliated source lockout: An IP detected by the NGAF and blocked for a certain amount of time is automatically unlocked after the specified time, or can be unblocked manually.
d. Global blacklist: A specified IP is permanently blocked until it is manually removed.
e. Connection control: After a threshold for the number of connections per source IP is set, packets from source IPs that exceed it are discarded.
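The five assisting tools are evaluated per source address, and the order in which they apply matters (a permanent blacklist entry should win over a temporary lockout, and a lockout should expire on its own). The following model is an added example, not Sangfor's implementation: the class, its method names, the small prefix-to-country table and the sample addresses are all constructed for illustration. It shows a global blacklist, country blocking, an internal white list for the outbound direction, a per-source connection threshold, and a lockout that unlocks automatically after the configured time or manually via `unblock()`.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed prefix -> country table standing in for the appliance's geolocation database
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "BR",
}


def lookup_country(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


@dataclass
class AntiDosPolicy:
    """Per-source admission decisions combining the assisting tools described above."""
    conn_threshold: int = 3                          # e. max connections per source IP
    lockout_seconds: int = 60                        # c. duration of an automatic lockout
    allowed_countries: Optional[Set[str]] = None     # a. country blocking (None = off)
    global_blacklist: Set[str] = field(default_factory=set)   # d. permanent until removed
    internal_whitelist: Optional[List[str]] = None   # b. internal CIDRs allowed outbound
    locked_until: Dict[str, float] = field(default_factory=dict)
    active_conns: Dict[str, int] = field(default_factory=dict)

    def unblock(self, ip: str) -> None:
        """Manual unblock of a locked-out source."""
        self.locked_until.pop(ip, None)

    def _is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:          # automatic unlock once the lockout has expired
            del self.locked_until[ip]
            return False
        return True

    def _whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in self.internal_whitelist)

    def new_connection(self, ip: str, now: float, outbound: bool = False) -> str:
        """Decide on a new connection from ip at time now: 'allow' or 'drop:<reason>'."""
        if ip in self.global_blacklist:
            return "drop:global-blacklist"
        if outbound and self.internal_whitelist is not None and not self._whitelisted(ip):
            return "drop:not-whitelisted"
        if (not outbound and self.allowed_countries is not None
                and lookup_country(ip) not in self.allowed_countries):
            return "drop:country-block"
        if self._is_locked(ip, now):
            return "drop:locked"
        count = self.active_conns.get(ip, 0)
        if count >= self.conn_threshold:
            # Threshold exceeded: discard the packet and lock the source for the set time
            self.locked_until[ip] = now + self.lockout_seconds
            return "drop:conn-limit"
        self.active_conns[ip] = count + 1
        return "allow"

    def close_connection(self, ip: str) -> None:
        if self.active_conns.get(ip, 0) > 0:
            self.active_conns[ip] -= 1


def demo() -> List[str]:
    """Constructed scenario: one source bursts past the threshold and is locked out."""
    policy = AntiDosPolicy(conn_threshold=2, lockout_seconds=30,
                           allowed_countries={"US"}, global_blacklist={"203.0.113.99"})
    verdicts = [
        policy.new_connection("203.0.113.99", 0),   # on the global blacklist
        policy.new_connection("198.51.100.5", 0),   # country not in the allowed set
        policy.new_connection("203.0.113.7", 0),    # first connection
        policy.new_connection("203.0.113.7", 1),    # second connection (at threshold)
        policy.new_connection("203.0.113.7", 2),    # third exceeds threshold -> locked
        policy.new_connection("203.0.113.7", 10),   # still inside the 30 s lockout
    ]
    policy.close_connection("203.0.113.7")          # one of its connections ends
    verdicts.append(policy.new_connection("203.0.113.7", 32))   # lockout expired at 2 + 30
    return verdicts


if __name__ == "__main__":
    print("\n".join(demo()))
```

Note that the threshold here counts concurrent connections, so a source that closes connections stays under the limit; a rate-based threshold (new connections per second) would need a sliding window instead.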
1. Outside DoS/DDoS
If an outside network launches a DoS/DDoS attack (including one with forged source IPs) against the internal network, first set an inbound attack protection policy, then proceed as described below.
Solution
A. If the attack does not affect the maximum performance of the NGAF or the maximum bandwidth, it is recommended to take the following steps to protect your network:
1) Extend the blocking time configured in the policy
2) Export the attack source IPs from the attack source IP list and import them into the blocked list so they are permanently blocked
3) Export the attack source IPs from the attack source IP list and provide them to the ISP for traffic cleaning
B. If the attack IPs are clearly regional, or the business system itself is only open to a certain country, you can directly set a Country Blocking policy, allowing only that country's IPs to access the internal network, or denying only the IPs of certain countries.
C. If the maximum capacity of the NGAF or the bandwidth is affected, the attack source IPs need to be exported from the attack source IP list and provided to the ISP for traffic cleaning.
D. If an outside network launches a DoS/DDoS attack against the internal network with a changing source IP, add the corresponding IP segment to the list of blocked IP addresses; an application control deny policy can also be used, with an IP group that matches the changing source IPs.
E. If the changing source IPs follow no regular pattern, or there are too many DDoS attack IPs to add to the blocked list, add a Country Blocking policy allowing only IPs from a certain country, so as to minimize the impact on normal business.
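Steps A.2 and D both turn an exported attack source list into block-list entries, and D asks for the covering IP segment when the source keeps changing. The helper below is an added example and not part of Sangfor's product; the export format (one address per line), the threshold of three distinct hosts per /24 and the sample addresses are constructed. It collapses sources into a segment only when enough distinct hosts from that segment appear, so a handful of scattered hits never blocks a whole range, and keeps everything else as single-host entries.

```python
import ipaddress
from collections import defaultdict
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def aggregate_sources(ips: Iterable[str], prefix_len: int = 24,
                      min_hosts: int = 3) -> List[Network]:
    """Turn an exported attack-source list into block-list entries.

    IPv4 sources are grouped into /prefix_len segments; a segment with at least
    min_hosts distinct sources is blocked as a whole, everything else stays a
    single-host entry. IPv6 sources are always kept as single hosts here.
    """
    hosts = {ipaddress.ip_address(ip.strip()) for ip in ips if ip.strip()}   # dedupe
    buckets = defaultdict(set)
    for host in hosts:
        if host.version == 4:
            segment = ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)
        else:
            segment = ipaddress.ip_network(f"{host}/128")
        buckets[segment].add(host)
    entries: List[Network] = []
    for segment, members in buckets.items():
        if len(members) >= min_hosts:
            entries.append(segment)          # block the covering segment
        else:
            entries.extend(ipaddress.ip_network(f"{h}/{h.max_prefixlen}") for h in members)
    return sorted(entries, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def as_strings(entries: List[Network]) -> List[str]:
    """Render entries in the 'a.b.c.d/len' form a block list import expects."""
    return [str(n) for n in entries]


# Constructed export: four sources from one /24 plus two scattered addresses
EXPORTED_SOURCES = """
203.0.113.7
203.0.113.8
203.0.113.9
203.0.113.200
198.51.100.9
192.0.2.33
""".strip().splitlines()

if __name__ == "__main__":
    for entry in as_strings(aggregate_sources(EXPORTED_SOURCES)):
        print(entry)
```

Raising `min_hosts` makes the aggregation more conservative; with a value larger than the number of distinct hosts in any segment, the output is simply the deduplicated host list.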
2. Inside DoS/DDoS
If the internal network launches a DoS/DDoS attack (including one with forged source IPs) against the outside network, first set an outbound attack protection policy, as described below:
A. If there is an SNAT device in front of the NGAF, try to disable that function. It is recommended to deploy the NGAF in front of the SNAT device, or to perform SNAT on the NGAF.
B. From the DoS log in the internal report center, find the MAC address of the attacker and use it to locate the DoS/DDoS attacking host.
C. Enable the internal IP address white list, which allows only permitted IP traffic through the AF.