Flood of Traffic from Internal Server

We had a condition where an internal server flooded so many syslog connections that the firewall lost its connection table, resulting in no service. Please advise whether TCP segment protection in IPS will help (I do not see any place to set up the limitation). Any other advice?

3 Replies
Champion

Typically, syslog is configured to output UDP. If that is the case, I do not think that TCP Segmentation Protection will do anything for you.

You can take a look at this: Rate Limiting for DoS Mitigation, and see if you can apply a similar technique to prevent your gateways from being overloaded.
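As an added worked example (not part of this thread, and not Check Point's own implementation of its rate-limiting feature): the mechanism behind a per-source "new connection rate" quota is a token bucket keyed on source IP. The Python below runs such a limiter over constructed connection-open events, a misbehaving syslog client opening 500 UDP/514 flows in one second next to a workstation opening 5 HTTPS connections, so you can see the flooder get clipped to the quota while the normal host is untouched. The IP addresses, the 100/s rate, the burst of 100 and the event tuple format are assumptions chosen for the example.

```python
"""Per-source new-connection rate limiting (token bucket), worked example.

Each source IP gets its own bucket; a new connection is admitted only if a
token is available. Timestamps are integer milliseconds and token balances
are kept in 1/1000 units so the arithmetic is exact and reproducible.
"""
from collections import defaultdict
from dataclasses import dataclass

TOKEN = 1000  # one new connection costs 1000 milli-tokens


@dataclass
class TokenBucket:
    rate_per_sec: int  # sustained new connections per second
    burst: int         # bucket capacity, in connections
    last_ms: int       # time of the last refill
    tokens: int        # current balance in milli-tokens

    @classmethod
    def full(cls, rate_per_sec, burst, now_ms):
        # A fresh source starts with a full bucket (burst allowance).
        return cls(rate_per_sec, burst, now_ms, burst * TOKEN)

    def allow(self, now_ms):
        # rate_per_sec connections/second == rate_per_sec milli-tokens per ms.
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tokens = min(self.burst * TOKEN,
                          self.tokens + elapsed * self.rate_per_sec)
        if self.tokens >= TOKEN:
            self.tokens -= TOKEN
            return True
        return False


class PerSourceLimiter:
    """One bucket per source IP; connections over the quota are dropped."""

    def __init__(self, rate_per_sec, burst):
        self.rate_per_sec = rate_per_sec
        self.burst = burst
        self.buckets = {}
        self.stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})

    def admit(self, src_ip, now_ms):
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = TokenBucket.full(self.rate_per_sec, self.burst, now_ms)
            self.buckets[src_ip] = bucket
        ok = bucket.allow(now_ms)
        self.stats[src_ip]["accepted" if ok else "dropped"] += 1
        return ok


def build_sample_events():
    """Constructed connection-open events (ts_ms, src, dst, dport, proto).

    These are made up for the example; they are not captured traffic.
    """
    events = []
    # Hypothetical misbehaving syslog client: 500 new UDP/514 flows in 1 s.
    for i in range(500):
        events.append((2 * i, "10.1.1.50", "10.1.9.9", 514, "udp"))
    # Hypothetical normal workstation: 5 new HTTPS connections in the same second.
    for i in range(5):
        events.append((200 * i, "10.1.2.20", "203.0.113.10", 443, "tcp"))
    events.sort(key=lambda e: e[0])
    return events


def run_limiter(events, rate_per_sec=100, burst=100):
    """Feed events through the limiter; return per-source accepted/dropped counts."""
    limiter = PerSourceLimiter(rate_per_sec, burst)
    for ts_ms, src, _dst, _dport, _proto in events:
        limiter.admit(src, ts_ms)
    return {ip: dict(counts) for ip, counts in limiter.stats.items()}


if __name__ == "__main__":
    for ip, counts in run_limiter(build_sample_events()).items():
        print(f"{ip}: accepted={counts['accepted']} dropped={counts['dropped']}")
```

With a 100/s quota and a burst of 100, the flooding source gets 199 of its 500 connections through in that second (the burst plus roughly one second of refill) and 301 are dropped, while the workstation's 5 connections all pass. The point for the thread: a quota scoped to the offending source bounds how many connection-table entries that host can create, without touching anything else behind the gateway.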


Yeah. As it is your internal server, you know the IP address and can rate limit it by configuring the below.

Champion

The rate-limiting commands mentioned above should help. If your firewall is using Gaia, though, make sure the connections table is set to Automatically as shown; you should not run out of connection table slots unless Gaia itself runs out of physical memory. If you upgraded from an IPSO- or SecurePlatform-based firewall, this may still be set to the manual limit of 25,000.

In my book I cover this exact scenario in the context of a nemesis-worthy internal auditor named Jim Profit doing port scans through the firewall.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com