DDoS attack patterns and rate limiting


I'm working on implementing rate-limiting rules to mitigate DDoS attacks. We are not expecting to be able to handle the brunt of a full-scale attack, as we do have a DDoS service; however, I'd like to have some kind of mitigation on our end to deal with the "clean" traffic that the scrubbing center sends us.

I've been analysing the common patterns for DDoS and would like everyone's input on what they usually have configured on their appliances to mitigate this issue. I've checked the best practices for DDoS, as well as using the rate-limiting features under sk112454, and I'm set to implement a few, but would like everyone's input on how they are using these features for DDoS attacks specifically.

Additionally, when dealing with fragmented TCP/UDP packets, is the only defense available either to drop all fragments or to allow fragmented packets? I've checked with tcpdump and we have a fairly large amount of fragmented traffic on the network (this will be investigated as well, but I suspect that the GRE tunnels to the scrubbing center are the culprit here).

Hope I'm not misunderstood with this post; my hope is to actually launch a discussion of the most common DDoS attack vectors and how we can mitigate/optimize our devices to deal with them.


My setup is currently R80.10 (to be upgraded to R80.30 before these rules are implemented) on a VSX gateway (Check Point 15400).



2 Replies
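As an added example (editor's code, not from the thread and not Check Point code), here is an offline model of the per-source quota that a rate-limiting rule of the kind sk112454 describes enforces: a sliding window per source IP for new connections and for packets, a drop timeout once either quota is exceeded, and a bypass list for networks that must never be rate-limited, such as the scrubbing centre's tunnel endpoints. The threshold names (new_conn_rate, pkt_rate, timeout_s), the bypass prefix and every address below are this example's own assumptions, and the traffic is constructed rather than captured; the point is to replay your own connection records through it and pick thresholds that block the flood sources without touching normal clients before configuring anything on the gateway.

```python
# Added example (not from the thread or from Check Point): a per-source
# quota enforcer of the kind a rate-limiting rule applies, run offline over
# constructed connection records so thresholds can be tuned in advance.
# The names new_conn_rate / pkt_rate / timeout_s are this example's own.
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Quota:
    new_conn_rate: int       # new connections allowed per source per window
    pkt_rate: int            # packets allowed per source per window
    window_s: float = 1.0    # sliding measurement window, in seconds
    timeout_s: float = 60.0  # how long an offending source stays dropped


class SourceRateLimiter:
    """Sliding-window counters per source IP; a source that exceeds either
    quota is dropped for timeout_s, then starts over with empty counters."""

    def __init__(self, quota, bypass=()):
        self.quota = quota
        # Networks never rate-limited, e.g. the scrubbing centre's tunnel
        # endpoints and your own monitoring hosts (prefixes here are assumed).
        self.bypass = [ipaddress.ip_network(n) for n in bypass]
        self._conns = defaultdict(deque)   # src -> deque of (ts, 1)
        self._pkts = defaultdict(deque)    # src -> deque of (ts, packet_count)
        self._blocked_until = {}           # src -> timestamp the drop expires

    def _bypassed(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.bypass)

    def _prune(self, events, now):
        cutoff = now - self.quota.window_s
        while events and events[0][0] < cutoff:
            events.popleft()

    def observe(self, ts, src, new_conn, pkts):
        """Return 'accept' or 'drop' for one record (timestamps non-decreasing)."""
        if self._bypassed(src):
            return "accept"
        until = self._blocked_until.get(src)
        if until is not None and ts < until:
            return "drop"
        conns, packets = self._conns[src], self._pkts[src]
        if new_conn:
            conns.append((ts, 1))
        packets.append((ts, pkts))
        self._prune(conns, ts)
        self._prune(packets, ts)
        if (sum(n for _, n in conns) > self.quota.new_conn_rate
                or sum(n for _, n in packets) > self.quota.pkt_rate):
            self._blocked_until[src] = ts + self.quota.timeout_s
            conns.clear()
            packets.clear()
            return "drop"
        return "accept"


def simulate(records, quota, bypass=()):
    """Replay records (ts, src, new_conn, pkts) through the limiter and return
    {src: {"accept": n, "drop": n}} so a candidate quota can be sanity-checked."""
    limiter = SourceRateLimiter(quota, bypass)
    verdicts = defaultdict(lambda: {"accept": 0, "drop": 0})
    for ts, src, new_conn, pkts in sorted(records, key=lambda r: r[0]):
        verdicts[src][limiter.observe(ts, src, new_conn, pkts)] += 1
    return dict(verdicts)


# Constructed traffic, not a real capture: a connection-flood source, a
# packet-flood source on a single connection, a normal client, and a
# bursty but bypassed tunnel endpoint.
SAMPLE_RECORDS = (
    [(i * 0.001, "203.0.113.5", True, 1) for i in range(300)]       # 300 new conns in 0.3 s
    + [(i * 0.0001, "203.0.113.9", i == 0, 10) for i in range(200)]  # 2000 pkts in 0.02 s, one conn
    + [(i * 0.1, "198.51.100.7", True, 5) for i in range(10)]        # 10 conns, 50 pkts over 1 s
    + [(i * 0.001, "192.0.2.10", True, 1) for i in range(300)]       # bursty, but bypassed
)
DEFAULT_QUOTA = Quota(new_conn_rate=100, pkt_rate=1000)
BYPASS_NETS = ["192.0.2.0/24"]   # assumed scrubbing-centre tunnel endpoints

if __name__ == "__main__":
    for src, counts in simulate(SAMPLE_RECORDS, DEFAULT_QUOTA, BYPASS_NETS).items():
        print(f"{src:>15}  accept={counts['accept']:<4} drop={counts['drop']}")
```

Two behaviours are worth checking when you tune this against real records: a source whose bursts are spaced further apart than the window is never blocked (the window prunes its old events), and a blocked source is admitted again once the timeout lapses, with fresh counters. Both are exercised below.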
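For the fragment question, the useful first check is where the fragmentation is happening, because the answer decides which knob to turn. If the GRE packets from the scrubbing centre are themselves fragmented, the tunnel encapsulation is pushing packets over the path MTU and the fix is MTU/MSS handling on the tunnel, not a fragment policy; if the fragments are inside the tunnel, they were created by the original senders and a drop/allow decision on fragments actually applies to them. The following added example (editor's code, not from the thread or from Check Point) parses raw IPv4 packets, looks through GRE (RFC 2784/2890 header bits) at the inner IPv4 header, and counts each packet into one of those buckets. The sample packets and tunnel endpoints are constructed, not captured, and the function names (parse_ipv4, strip_gre, classify, summarize) are this example's own.

```python
# Added example (not from the thread or from Check Point): classify IPv4
# packets by where fragmentation occurs, so "lots of fragments" can be traced
# to the GRE tunnel itself (outer), to client traffic carried inside it
# (inner), or to plain non-tunnelled traffic. Input is raw IPv4 packets
# without a link-layer header; the sample packets below are constructed.
import ipaddress
import struct
from collections import Counter

IP_PROTO_GRE = 47
FLAG_MF = 0x2000        # "more fragments" bit of the flags/offset field
OFFSET_MASK = 0x1FFF    # fragment offset, in units of 8 bytes
ETHERTYPE_IPV4 = 0x0800


def parse_ipv4(buf):
    """Parse the IPv4 header; return a dict, or None if not IPv4 or truncated."""
    if len(buf) < 20:
        return None
    vihl, _tos, _total, _ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return {
        "proto": proto,
        "fragment": bool(flags_off & FLAG_MF) or (flags_off & OFFSET_MASK) != 0,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "payload": buf[ihl:],
    }


def strip_gre(buf):
    """Return (protocol_type, payload) past a GRE header, honouring the C/K/S option bits."""
    if len(buf) < 4:
        return None
    flags, proto_type = struct.unpack("!HH", buf[:4])
    hlen = 4
    if flags & 0x8000:      # C: checksum + reserved1
        hlen += 4
    if flags & 0x2000:      # K: key
        hlen += 4
    if flags & 0x1000:      # S: sequence number
        hlen += 4
    if len(buf) < hlen:
        return None
    return proto_type, buf[hlen:]


def classify(pkt):
    """Label one raw IPv4 packet by the layer at which it is fragmented."""
    outer = parse_ipv4(pkt)
    if outer is None:
        return "unparsable"
    if outer["proto"] != IP_PROTO_GRE:
        return "fragment (plain)" if outer["fragment"] else "clean (plain)"
    if outer["fragment"]:
        # The tunnel packet itself was fragmented: encapsulation overhead pushed
        # it past the path MTU. That is an MTU/MSS problem on the tunnel, not
        # something a fragment drop/allow policy should be deciding.
        return "outer fragment (gre)"
    stripped = strip_gre(outer["payload"])
    if stripped is None or stripped[0] != ETHERTYPE_IPV4:
        return "gre (non-IPv4 payload)"
    inner = parse_ipv4(stripped[1])
    if inner is None:
        return "gre (truncated inner)"
    # Fragments created by the original sender and passed through scrubbing:
    # these are what a fragment policy on the gateway would actually act on.
    return "inner fragment (gre)" if inner["fragment"] else "clean (gre)"


def summarize(packets):
    return dict(Counter(classify(p) for p in packets))


# --- constructed packets (no real capture); checksums left at 0, not validated ---
def ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0):
    flags_off = (FLAG_MF if mf else 0) | (offset & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def gre(inner, key=None):
    flags = 0x2000 if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


TUNNEL = ("192.0.2.10", "192.0.2.1")   # assumed scrubbing-centre GRE endpoints
inner_tcp = ipv4("198.51.100.7", "203.0.113.20", 6, b"\x00" * 40)
inner_udp_frag = ipv4("198.51.100.8", "203.0.113.20", 17, b"\x00" * 64, mf=True)
big = gre(ipv4("198.51.100.9", "203.0.113.20", 6, b"\x00" * 1400))   # 1424 bytes: too big for a 1400-byte path
SAMPLE_PACKETS = [
    ipv4(*TUNNEL, IP_PROTO_GRE, gre(inner_tcp)),                      # clean, tunnelled
    ipv4(*TUNNEL, IP_PROTO_GRE, big[:1400], mf=True),                 # tunnel packet, first fragment
    ipv4(*TUNNEL, IP_PROTO_GRE, big[1400:], offset=1400 // 8),        # tunnel packet, last fragment
    ipv4(*TUNNEL, IP_PROTO_GRE, gre(inner_udp_frag, key=42)),         # client fragment inside the tunnel
    ipv4("198.51.100.8", "203.0.113.20", 17, b"\x00" * 64, mf=True),  # fragment, not tunnelled
    ipv4("198.51.100.7", "203.0.113.20", 6, b"\x00" * 40),            # clean, not tunnelled
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_PACKETS).items()):
        print(f"{n:3d}  {label}")
```

To feed it real traffic, capture only the candidates on the gateway with `tcpdump -ni <interface> -w frags.pcap 'ip[6:2] & 0x3fff != 0 or ip proto 47'` (the first term matches every fragment, including the first one with MF set; the second is GRE), then strip the link-layer header from each frame (14 bytes for plain Ethernet, more with VLAN tags) before passing the bytes to `classify`. A large "outer fragment (gre)" count points at the tunnel MTU; a large "inner fragment (gre)" count is the traffic a fragment policy would be applied to.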

Let's start with the official "Best Practices" guide on the topic:
I would actually consider moving to R80.40 and enabling Dynamic Workflows.
This will allow multiqueue to be enabled on all supported interfaces and allow the system to dynamically adjust the CoreXL split on the fly.
It will definitely help during a volume-based DDoS attack.


I blocked certain top-hacking countries and DigitalOcean networks in SecureXL and I am very happy with the results. 😀
