This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JiaMIn
Explorer
‎2020-02-29 03:27 PM
Jump to solution

DDOS defense

Hi  

I want to know how to defend the gateway of R80.30 from DDOS and whether the threshold of DDOS protocol can be defined.

Thanks & Regards

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion
Champion
‎2020-03-02 09:31 AM
Jump to solution

Hi @JiaMIn,

This applies to configuration of DOS/Rate Limiting for R80.20 and newer. Rate limiting is a defense against DoS (Denial of Service) attacks. This links describes the DoS/Rate Limiting system as implemented in R80.20 and newer, including the following features:

- Policy Rules
- IP Blacklist
- Block IP Fragments
- Block IP Options
- Penalty Box
- DoS Whitelist
- Penalty Box Whitelist

In general, these features solve separate problems, and are managed/configured separately. However be aware that there are some global settings that will affect the behavior of multiple features simultaneously.

To maximize performance, the DoS/Rate Limiting policy is enforced as early as possible in the packet flow. For most features this means it is enforced in SecureXL. Connection-based policy is the single exception (R80.20 and newer). This policy is enforced by the Firewall blade since this is where the related connection state is stored and managed.


How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer). More read here:

sk112454 - How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer)  

How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older). More read here:

sk164472 - How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older) 


➜ CCSM Elite, CCME, CCTE

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
‎2020-02-29 04:11 PM
Jump to solution

We have a Best Practice SK on this topic: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
We also sell appliances/services that specifically help with DDoS: https://www.checkpoint.com/products/ddos-protector/
0 Kudos
Jeff_Gao
Advisor
‎2020-03-01 02:49 AM
In response to PhoneBoy
Jump to solution

sk112241   Best Practices - DDoS attacks on Check Point Security Gateway

This will auto close secureXL

0 Kudos
Chris_Atkinson
Employee
Employee
‎2020-02-29 04:32 PM
Jump to solution

Further to @PhoneBoy excellent suggestions it's also helpful to do the basics at the network edge like routing unused public networks to null and applying infrastructure ACLs assuming you have an upstream border router(s).

0 Kudos
HeikoAnkenbrand
Champion
Champion
‎2020-03-02 09:26 AM
Jump to solution

 

➜ CCSM Elite, CCME, CCTE
0 Kudos
HeikoAnkenbrand
Champion
Champion
‎2020-03-02 09:31 AM
Jump to solution

Hi @JiaMIn,

This applies to configuration of DOS/Rate Limiting for R80.20 and newer. Rate limiting is a defense against DoS (Denial of Service) attacks. This links describes the DoS/Rate Limiting system as implemented in R80.20 and newer, including the following features:

- Policy Rules
- IP Blacklist
- Block IP Fragments
- Block IP Options
- Penalty Box
- DoS Whitelist
- Penalty Box Whitelist

In general, these features solve separate problems, and are managed/configured separately. However be aware that there are some global settings that will affect the behavior of multiple features simultaneously.

To maximize performance, the DoS/Rate Limiting policy is enforced as early as possible in the packet flow. For most features this means it is enforced in SecureXL. Connection-based policy is the single exception (R80.20 and newer). This policy is enforced by the Firewall blade since this is where the related connection state is stored and managed.


How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer). More read here:

sk112454 - How to configure Rate Limiting rules for DoS Mitigation (R80.20 and newer)  

How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older). More read here:

sk164472 - How to configure Rate Limiting rules for DoS Mitigation (R80.10 and older) 


➜ CCSM Elite, CCME, CCTE