Tiago_Cerqueira
Contributor

DDoS attack patterns and rate limiting

Hi,

I'm working on implementing rate limiting rules to mitigate DDoS attacks. We are not expecting to be able to handle the brunt of a full-scale attack, as we do have a DDoS service; however, I'd like to have some kind of mitigation on our end to deal with the "clean" traffic that the scrubbing center sends us.

I've been analysing the common patterns for DDoS and would like everyone's input on what they usually have configured on their appliances to mitigate this issue. I've checked the best practices for DDoS, as well as using the rate limiting features under sk112454, and I'm set to implement a few, but would like to know everyone's input on how they are using these features for DDoS attacks specifically.

Additionally, when dealing with fragmented TCP/UDP packets, is the only defense available to either drop all fragments or allow fragmented packets? I've checked with tcpdump and we have a fairly large amount of fragmented traffic on the network (this will be investigated as well, but I suspect that the GRE tunnels to the scrubbing center are the culprit here).

Hope I'm not misunderstood with this post; my hope with this is to actually launch a discussion of the most common DDoS attack vectors and how we can mitigate/optimize our devices to deal with them.

My setup is, currently, R80.10 (to be upgraded to R80.30 before these rules are implemented) on a VSX gateway (CheckPoint 15400).

Thanks!

0 Kudos
2 Replies