Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
JiaMIn
Explorer
Jump to solution

DDOS defense

Hi  

I want to know how to defend the gateway of R80.30 from DDOS and whether the threshold of DDOS protocol can be defined.

Thanks & Regards

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion

Hi @JiaMIn,

This applies to configuration of DOS/Rate Limiting for R80.20 and newer. Rate limiting is a defense against DoS (Denial of Service) attacks. This links describes the DoS/Rate Limiting system as implemented in R80.20 and newer, including the following features:

- Policy Rules
- IP Blacklist
- Block IP Fragments
- Block IP Options
- Penalty Box
- DoS Whitelist
- Penalty Box Whitelist

In general, these features solve separate problems, and are managed/configured separately. However be aware that there are some global settings that will affect the behavior of multiple features simultaneously.

To maximize performance, the DoS/Rate Limiting policy is enforced as early as possible in the packet flow. For most features this means it is enforced in SecureXL. Connection-based policy is the single exception (R80.20 and newer). This policy is enforced by the Firewall blade since this is where the related connection state is stored and managed.


How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer). More read here:

sk112454 - How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer)  

How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older). More read here:

sk164472 - How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older) 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
We have a Best Practice SK on this topic: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
We also sell appliances/services that specifically help with DDoS: https://www.checkpoint.com/products/ddos-protector/
0 Kudos
Jeff_Gao
Advisor

sk112241   Best Practices - DDoS attacks on Check Point Security Gateway

This will auto close secureXL

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Further to @PhoneBoy excellent suggestions it's also helpful to do the basics at the network edge like routing unused public networks to null and applying infrastructure ACLs assuming you have an upstream border router(s).

CCSM R77/R80/ELITE
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
 
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Hi @JiaMIn,

This applies to configuration of DOS/Rate Limiting for R80.20 and newer. Rate limiting is a defense against DoS (Denial of Service) attacks. This links describes the DoS/Rate Limiting system as implemented in R80.20 and newer, including the following features:

- Policy Rules
- IP Blacklist
- Block IP Fragments
- Block IP Options
- Penalty Box
- DoS Whitelist
- Penalty Box Whitelist

In general, these features solve separate problems, and are managed/configured separately. However be aware that there are some global settings that will affect the behavior of multiple features simultaneously.

To maximize performance, the DoS/Rate Limiting policy is enforced as early as possible in the packet flow. For most features this means it is enforced in SecureXL. Connection-based policy is the single exception (R80.20 and newer). This policy is enforced by the Firewall blade since this is where the related connection state is stored and managed.


How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer). More read here:

sk112454 - How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer)  

How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older). More read here:

sk164472 - How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older) 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
k_b
Contributor

Hi,

 

Thank you very much for these links, they are looking promissing. One additional question, maybe it is documented somewhere, but I could not find it.

 

Let´s assume the following rate limiting rule for the documentation is going to be implemented.

fwaccel dos rate add source cidr:192.168.2.0/24 pkt-rate 1000

There is one client in this network which is a privileged user and should be able to use the resources more frequently. In case the following rule is added.

fwaccel dos rate add source cidr:192.168.2.100/32 pkt-rate 1000

Will there be a conflict with the rules, will one rule overwrite the other, is there a longest-prefix matching? How could such an use case be realized?

 

Thanking you in advance

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events