This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vincent_Bacher
MVP Silver
MVP Silver
yesterday

SecureXL dos

Hey everyone,

I’ve been looking into SecureXL’s DoS protection features and wanted to get some input from people who’ve worked with this in production.


From what I understand, there are four possible scenarios when combining Rate Limiting and the Penalty Box:


∙ Both disabled, Monitor Mode on — no enforcement, just logging
∙ Penalty Box on, Rate Limiting off — I’m assuming the Penalty Box can still trigger from ACL or IPS drops, but I’m not fully sure how effective it is without Rate Limiting generating drops
∙ Rate Limiting on, Penalty Box off — traffic gets throttled but no IP ever gets fully blocked
∙ Both enabled, Monitor Mode on — violations are actively detected and tracked against real thresholds, but no actual blocking occurs until monitor mode is turned off


What I’m mostly curious about is real-world experience. What side effects have you run into in production? Any unexpected behavior when enabling these features on a live firewall? Lessons learned around tracking modes, threshold tuning, or internal interface enforcement?
Would love to hear from anyone who’s been through it.

Thanks 

Vince

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
2 Replies
Gennady
Contributor
yesterday

Good day!

A test for this feature was once requested by one of our customers. I did performance testing with Cisco Trex split traffic profile where some traffic was subjected to fwaccel dos feature.

Here is the "Accept" traffic load generated by Trex:

Trex-Good.png

Here is "DoS" traffic also generated by Trex:

Trex-DOS.png

Here is the Rate Limiting rules.

Rate_limit_rules.png

I guess the config doesn't need an explanation. However, you need to be sure that you enable the feature on correct interfaces because there are options.

HTOP output before enabling the rate limiting:

htop_Before.png

Poor 23800 basically died under 500K pps Accept traffic + 3M pps Drop traffic. This indicates successful DoS.

HTOP output after fwaccel dos rate limiting rules were enabled:

htop_After.png

It is very important to mention that I had to stop trex traffic to enable rate-limiting rules. It was impossible to enable the rate limiting under DoS because the command fails every time. Same goes for deny list update.

To use the feature, you need to have some kind of predefined active rate-limiting policy. The good part is that as soon as rate limiting is working, you will have very efficient drop mechanism very early in SND. You can see on the screenshot above that even SND survive good under 3M packet drop with no effect on good traffic.

The other important thing is that the feature is called "fwaccel Dos" not "fwaccel DDoS" for a reason. When all the bad traffic comes from a limited number of source addresses the rate limit triggers timely and prevent the DoS. If the bad traffic is distributed among good variety of source addresses, then rate per address may be low and still sufficient to create resource oversubscription.

There is a feature to track packet rate per source IP to prevent fails positives.  When the feature is enabled the same traffic profile doesn't trigger any drops because per-Source rate is much lower. The screenshot below shows a lot of matches for the rate limit rules and 0 drops because the traffic is coming from 61K source addresses.

track-source.png

Same argument foes for penalty box. It works with the same efficiency as rate-limiting for DoS attack. The main thing to consider is that penalty box is triggered for drop rate originated not only from FW/IPS Policy but by other FW drops either. For example, by "First packet is not SYN". We have got a problem in the Lab during the stress test. BGP traffic starts to be dropped right before penalty box kicked in for Bad traffic. This triggered BGP to go to Penalty Box for 3 minutes. It was the end of the test iteration. It worth to include critical IPs into whitelist for penalty box and rate limiting just in case. I have requested SK112454 update because of this incident:

SK_Update.png

As you see, it was slightly updated. However, it is now not as misleading as it was.

I don't have screenshots but as far as I remember, penalty box has some time to gather statistics about dropped packets, and it triggers a critical delay because DoS starts all at once and for some seconds valid traffic may be dropped because of the attack. This may lead to this traffic to be boxed either.

Vincent_Bacher
MVP Silver
MVP Silver
yesterday
In response to Gennady

Hi Grennady,

wow, thank you very much for this very detailed report.

It confirms my assumption and reflects my understanding very well. 
We already compiled several rate policies in corporation with checkpoint and I wanted to get some experience reports here for a better understanding and feeling.

Curious to see that in action on our critical virtual systems once monitor mode disabled.

Again, thank you very much, much appreciated 

Vince 

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events