
Flood of Traffic from Internal Server

We had a condition where an internal server flooded so many Syslog connections, causing the firewall to lose its connection table and further causing no service. Please advise if TCP segment protection will help in IPS (do not see any place to set up the limitation). Any other advice?

Vladimir
Pearl

Re: Flood of Traffic from Internal Server

Typically, Syslog is configured to output UDP. If that is the case, I do not think that the TCP Segmentation Protection will not do anything for you.

You can take a look at this: Rate Limiting for DoS Mitigation, and see if you can apply a similar technique to prevent your gateways from being overloaded.

Re: Flood of Traffic from Internal Server

Yeah. As it is your internal server, you know the IP address and can rate limit things by configuring the below.

Re: Flood of Traffic from Internal Server

The rate-limiting commands mentioned above should help. If your firewall is using Gaia, though, make sure the connections table is set to Automatically as shown; you should not run out of connection table slots unless Gaia itself runs out of physical memory. If you upgraded from an IPSO or SecurePlatform-based firewall, this may still be set to the manual limit of 25000.

In my book I cover this exact scenario in the context of a nemesis-worthy internal auditor named Jim Profit doing port scans through the firewall.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
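
The replies above suggest rate limiting the known internal source and checking for the 25000-entry manual connections table limit. The following is an added example, not part of the original thread and not Check Point code: a simplified Python model of a fixed-size connection table that shows how a per-source new-connection quota keeps a flooding host from starving other traffic. The 40-second entry lifetime, the traffic rates and the function name `simulate` are assumptions chosen for illustration.

```python
from collections import deque

TABLE_LIMIT = 25000  # manual connections table limit mentioned in the thread
IDLE_TIMEOUT = 40    # seconds an entry stays in the table (assumed value)


def simulate(seconds, flood_rate, legit_rate, per_source_quota=None):
    """Model one flooding source and aggregate legitimate traffic.

    Rates are new connections per second. per_source_quota caps the new
    connections per second accepted from the flooding source (None = no cap).
    Returns (peak_table_size, legit_dropped, flood_dropped).
    """
    expiries = deque()  # expiry time of each live entry, oldest first
    peak = legit_dropped = flood_dropped = 0
    for now in range(seconds):
        # Age out entries whose lifetime has elapsed.
        while expiries and expiries[0] <= now:
            expiries.popleft()
        # The quota is enforced before the table is consulted, so excess
        # flood connections never consume a slot.
        allowed = flood_rate
        if per_source_quota is not None:
            allowed = min(flood_rate, per_source_quota)
        flood_dropped += flood_rate - allowed
        # Worst case for legitimate traffic: the flooder is served first.
        for is_flood, count in ((True, allowed), (False, legit_rate)):
            free = TABLE_LIMIT - len(expiries)
            accepted = min(count, free)
            expiries.extend([now + IDLE_TIMEOUT] * accepted)
            if is_flood:
                flood_dropped += count - accepted
            else:
                legit_dropped += count - accepted
        peak = max(peak, len(expiries))
    return peak, legit_dropped, flood_dropped


if __name__ == "__main__":
    # Constructed scenario: 2000 conn/s flood, 100 conn/s legitimate traffic.
    print("no quota  :", simulate(40, 2000, 100))
    print("quota 200 :", simulate(120, 2000, 100, per_source_quota=200))
```

Without the quota the table fills in about 11 seconds and legitimate connections are refused; with it the table settles well below the limit and only the flooder's excess is dropped.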