This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dilian_Chernev
Collaborator
‎2023-08-22 12:11 PM

CP 16200 overloaded by "small" DDoS

Hi mates,

I have a problem with a CP 16200 running in cluster that have overloaded by small DDoS.Annotation 2023-08-22 153137.png

As you can see, connections are around 113k (limit is 200k, so aggressive aging is not activated), incoming bandwidth should be around 200Mbit/s and all 43 workers are at 100%. There are no interface drops, 4x SNDs are at about 30%.

Attack is TCP- HTTPS and all connections are out of state, so firewall is dropping them with First packet isn't SYN.

Devices are running R81.10 with JHF109 and following blades enabled:  Firewall, VPN, Mobile Access, Application Control, IPS, Identity Awareness, AntiBot, Monitoring.

Usually device is handling about 1Gbit traffic with 70k connections in normal days.
Recommendations in sk112241 are reviewed and applied but still device is almost not responding during such attack.

What could be the reason that it is so easy overloaded?

Thanks,

Dilian

0 Kudos
4 Replies
Daniel_3
Participant
‎2023-08-23 12:25 AM

Which steps from sk112241 did you apply?

I had the best results with aggressive aging, lower tcp start timeout (5 seconds) and malicious IP block. We also implemented penalty box recently. SYN Defender was also in use but it consumed way too much performance which lead to more impact.

Also make that drop optimization is enabled.

0 Kudos
Dilian_Chernev
Collaborator
‎2023-08-23 01:46 AM
In response to Daniel_3

I believe all of them without Network Quota and Geo Location. 

Connections are about 60% of maximum, so aggressive aging is not activated.
SYN defender is on, but maybe we should consider turning it off, as attack was not SYN flood.
Penalty box is enabled, was modified to 350 packets/s, now is lowered to 50.
Drop optimization is enabled.

0 Kudos
Daniel_3
Participant
‎2023-08-23 02:07 AM
In response to Dilian_Chernev

Ok, sounds like a good configuration already.

Overall the settings still might need ajdustments depending on the legitimate application traffic. It took us a few big hits to find the sweet spots for all the values for timeouts, packet rate etc.

Worst case scenario you need some anti-ddos solution (like cloud scrubbing or an on-premise anti-ddos appliance).

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-08-23 06:49 AM

If I had to take a wild guess, I'd say you have a very high percentage of traffic in F2F/slowpath due to how your blades are configured, which is saturating your workers.  Please post outputs of the Super Seven commands taken on the active cluster member (if applicable), ideally while the system is heavily loaded:

https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/td-p/4...

Could also be multiple elephant flows getting handled in F2F/slowpath, so try fw ctl multik print_heavy_conn to see all current elephant flows and also those detected in the last 24 hours to get some insight there,

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events