How to configure the SonicWALL to mitigate DDoS attacks.


  • Title

How to configure the firewall to mitigate DDoS attacks.

  • Description

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. DDoS attacks are commonly grouped by the layer they target: Layer 3 / Layer 4 (network and transport) attacks and Layer 7 (application) attacks.

Layer 3 / 4 DDoS attacks

The majority of DDoS attacks target the network and transport layers. These are usually volumetric attacks that aim to overwhelm the target machine, consuming resources until the server goes offline. In these attacks, floods of malicious TCP or UDP traffic are directed at the victim. They also aim to saturate the entire network with malicious traffic until it is temporarily unusable.

Layer 7 DDoS attacks

Application-layer DDoS attacks are among the most difficult to mitigate because they mimic human behavior as they interact with the application. A sophisticated Layer 7 DDoS attack may target specific areas of a website, making it even harder to separate from normal traffic.

  • Resolution

To mitigate DDoS attacks, apply the following configuration on the firewall.

1.   Enable IPS to protect against known application flaws/exploits.

Navigate to Security Services > Intrusion Prevention 

Note: To enforce SonicWALL IPS not only between each network zone and the WAN, but also between internal zones, you should also apply SonicWALL IPS to zones on the Network > Zones page.

2.  Block spoofed TCP attacks before they enter your network. (Enable the MAC-IP Anti-spoof settings.)

Navigate to the Network > MAC-IP Anti-spoof page to configure the Anti-spoof settings for a particular interface.

3.   Don't let packets from dark (unallocated or unrouted) address space pass your perimeter. This is not easy, because the set of unallocated addresses changes over time, but if you can determine which addresses are dark at any given time you can block them.

1) Navigate to the Network > MAC-IP Anti-spoof page > Anti-Spoof Cache area | Add the suspicious device to the Anti-spoof cache (mark the device as blacklisted).

Or

2) Navigate to the Firewall > Access Rules page | Add a Deny rule for the suspicious device.


4.   Block unused protocols and ports. (Know what you need? Block everything else.)

Navigate to the Firewall > Access Rules page | Add a Deny rule for the protocols and ports you do not use, so that only the services you need are allowed.


5.  Limit the number of concurrent connections per source IP. (This can be done in the Flood Settings or on a per SPI rule basis.)

1) Navigate to the Firewall Settings > Flood Protection page | Enable UDP Flood Protection and ICMP Flood Protection. Note that flood protection is rate-based (packets per second from a source); the per-rule setting below is what caps the number of open connections.

2) Navigate to the Firewall > Access Rules page | Click the Add/Edit button of the rule | Click the Advanced tab | Set the maximum number of connections allowed for each source IP address.


6.  Filter foreign TCP packets. (Drop packets that are not related to established TCP sessions.)

Navigate to the Firewall > Access Rules page | Add a Deny rule for foreign TCP packets, so that TCP packets that do not belong to an established session (for example, a bare ACK or FIN with no preceding handshake) are dropped.
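To make the reasoning behind steps 3 to 6 concrete, the following is an added example, written for this page and not SonicWALL's code or a SonicOS feature: a small stateful inbound (WAN to LAN) packet filter in Python that drops packets from dark address space, drops anything that is not an allowed protocol, caps concurrent TCP connections per source IP, applies a per-source UDP rate threshold, and drops foreign TCP packets that belong to no tracked session. The `Packet` type, the `StatefulFilter` class, the policy values (`MAX_CONNS_PER_SRC`, `UDP_FLOOD_PPS`), the bogon list (which deliberately omits the TEST-NET documentation ranges so they can stand in for public addresses) and the sample traffic are all constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Reserved / special-purpose IPv4 space that should never be a *source* on the
# WAN (RFC 1918, RFC 6598 and the IANA special-purpose registry). The TEST-NET
# documentation ranges are left out on purpose so they can stand in for public
# addresses in the constructed sample below; a real deployment would include
# them and refresh the list from an authoritative bogon feed (step 3).
DARK_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

MAX_CONNS_PER_SRC = 3   # assumed policy value for step 5 (per-rule connection cap)
UDP_FLOOD_PPS = 5       # assumed per-source UDP packets/second before dropping


@dataclass(frozen=True)
class Packet:
    ts: float           # arrival time in seconds
    src: str
    dst: str
    proto: str          # "tcp" or "udp"; anything else is an unused protocol
    sport: int
    dport: int
    flags: str = ""     # TCP flags as letters: "S", "A", "F", "R"


class StatefulFilter:
    """Hypothetical inbound filter modelling steps 3, 4, 5 and 6 of the article."""

    def __init__(self, max_conns=MAX_CONNS_PER_SRC, udp_pps=UDP_FLOOD_PPS):
        self.max_conns = max_conns
        self.udp_pps = udp_pps
        self.sessions = {}                   # (src, sport, dst, dport) -> state
        self.open_per_src = defaultdict(int)  # src IP -> open TCP sessions
        self.udp_times = defaultdict(deque)   # src IP -> recent UDP timestamps

    @staticmethod
    def is_dark(addr):
        a = ip_address(addr)
        return any(a in net for net in DARK_NETS)

    def handle(self, p):
        """Return (verdict, reason) for one packet, updating state like a firewall."""
        if self.is_dark(p.src):              # step 3: dark-space source = spoofed
            return "DROP", "dark-source"
        if p.proto == "udp":
            return self._handle_udp(p)
        if p.proto == "tcp":
            return self._handle_tcp(p)
        return "DROP", "unused-protocol"     # step 4: default deny

    def _handle_udp(self, p):
        window = self.udp_times[p.src]
        window.append(p.ts)
        while window and window[0] <= p.ts - 1.0:   # keep a 1-second window
            window.popleft()
        if len(window) > self.udp_pps:       # step 5 (rate-based flood protection)
            return "DROP", "udp-flood"
        return "ACCEPT", "udp"

    def _handle_tcp(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        state = self.sessions.get(key)
        if p.flags == "S":                   # new connection attempt
            if state is not None:
                return "ACCEPT", "syn-retransmit"
            if self.open_per_src[p.src] >= self.max_conns:   # step 5 (per-rule cap)
                return "DROP", "conn-limit"
            self.sessions[key] = "SYN_SEEN"
            self.open_per_src[p.src] += 1
            return "ACCEPT", "new-session"
        if state is None:                    # step 6: ACK/FIN/RST with no session
            return "DROP", "foreign-tcp"
        if "R" in p.flags or "F" in p.flags:
            del self.sessions[key]
            self.open_per_src[p.src] -= 1
            return "ACCEPT", "session-closed"
        self.sessions[key] = "ESTABLISHED"
        return "ACCEPT", "established"


def run(packets, **policy):
    fw = StatefulFilter(**policy)
    return [fw.handle(p) for p in packets]


# Constructed sample traffic (not a real capture); 203.0.113.x / 198.51.100.x
# play the roles of Internet clients and the protected server.
SAMPLE = [
    Packet(0.0, "203.0.113.5", "198.51.100.10", "tcp", 40000, 443, "S"),
    Packet(0.1, "10.1.2.3", "198.51.100.10", "tcp", 1234, 443, "S"),      # private source on WAN
    Packet(0.2, "203.0.113.7", "198.51.100.10", "tcp", 5555, 443, "A"),   # ACK with no handshake
    Packet(0.3, "203.0.113.5", "198.51.100.10", "tcp", 40000, 443, "A"),  # completes handshake
    Packet(0.4, "203.0.113.9", "198.51.100.10", "tcp", 50001, 443, "S"),
    Packet(0.5, "203.0.113.9", "198.51.100.10", "tcp", 50002, 443, "S"),
    Packet(0.6, "203.0.113.9", "198.51.100.10", "tcp", 50003, 443, "S"),
    Packet(0.7, "203.0.113.9", "198.51.100.10", "tcp", 50004, 443, "S"),  # 4th concurrent: over cap
    Packet(0.8, "203.0.113.5", "198.51.100.10", "tcp", 40000, 443, "F"),  # closes the session
    Packet(0.9, "203.0.113.5", "198.51.100.10", "tcp", 40000, 443, "A"),  # now foreign
] + [Packet(1.0 + i * 0.1, "203.0.113.20", "198.51.100.10", "udp", 6000 + i, 53)
     for i in range(7)]   # 7 UDP packets in 0.6 s from one source

if __name__ == "__main__":
    for p, (verdict, reason) in zip(SAMPLE, run(SAMPLE)):
        print(f"{verdict:6} {reason:14} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
```

Running the block prints one verdict per sample packet: the private-source SYN, the bare ACK, the fourth concurrent connection from one host, the ACK after FIN, and the sixth and seventh UDP packets within a second are all dropped, each with the reason that maps back to the step above. The simulation is deliberately one-directional and ignores sequence numbers; it exists to show what each rule decides and why, not to replace the firewall's own state table.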
