topic Re: DDOS defense in General Topics

DDOS defense

JiaMIn — Sat, 29 Feb 2020 23:27:45 GMT

I want to know how to defend the gateway of R80.30 from DDOS and whether the threshold of DDOS protocol can be defined.

Thanks & Regards

Re: DDOS defense

PhoneBoy — Sun, 01 Mar 2020 00:11:33 GMT

We have a Best Practice SK on this topic: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk112241
We also sell appliances/services that specifically help with DDoS: https://www.checkpoint.com/products/ddos-protector/

Re: DDOS defense

Chris_Atkinson — Sun, 01 Mar 2020 00:32:57 GMT

Further to @PhoneBoy excellent suggestions it's also helpful to do the basics at the network edge like routing unused public networks to null and applying infrastructure ACLs assuming you have an upstream border router(s).

Re: DDOS defense

Jeff_Gao — Sun, 01 Mar 2020 10:49:41 GMT

sk112241 Best Practices - DDoS attacks on Check Point Security Gateway

This will auto close secureXL

Re: DDOS defense

HeikoAnkenbrand — Mon, 02 Mar 2020 17:26:58 GMT

Re: DDOS defense

HeikoAnkenbrand — Mon, 02 Mar 2020 17:31:15 GMT

Hi @JiaMIn,

This applies to configuration of DOS/Rate Limiting for R80.20 and newer. Rate limiting is a defense against DoS (Denial of Service) attacks. This links describes the DoS/Rate Limiting system as implemented in R80.20 and newer, including the following features:

- Policy Rules
- IP Blacklist
- Block IP Fragments
- Block IP Options
- Penalty Box
- DoS Whitelist
- Penalty Box Whitelist

In general, these features solve separate problems, and are managed/configured separately. However be aware that there are some global settings that will affect the behavior of multiple features simultaneously.

To maximize performance, the DoS/Rate Limiting policy is enforced as early as possible in the packet flow. For most features this means it is enforced in SecureXL. Connection-based policy is the single exception (R80.20 and newer). This policy is enforced by the Firewall blade since this is where the related connection state is stored and managed.

How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer). More read here:

sk112454 - How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer)

How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older). More read here:

sk164472 - How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older)

Re: DDOS defense

k_b — Thu, 15 Feb 2024 05:54:59 GMT

Hi,

Thank you very much for these links, they are looking promissing. One additional question, maybe it is documented somewhere, but I could not find it.

Let´s assume the following rate limiting rule for the documentation is going to be implemented.

fwaccel dos rate add source cidr:192.168.2.0/24 pkt-rate 1000

There is one client in this network which is a privileged user and should be able to use the resources more frequently. In case the following rule is added.

fwaccel dos rate add source cidr:192.168.2.100/32 pkt-rate 1000

Will there be a conflict with the rules, will one rule overwrite the other, is there a longest-prefix matching? How could such an use case be realized?

Thanking you in advance