DDoS Protector
6.14
User Guide
Classification: [Protected]
© 2016 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on DDoS Protector
6.14 User Guide.
Revision History
Date Description
13 October 2016 Updated for 6.14.03 and improved formatting
File
In This Section:
Software Update (on page 9)
Support (on page 9)
Configuration > Send to Device (on page 10)
Configuration > Receive from Device (on page 10)
Logfile > Show (on page 10)
Logfile > Clear (on page 10)
Logfile > Download (on page 11)
Software List (on page 11)
Software Update
Check Point may release updated versions of the appliance software. Upload a new version to benefit
from enhanced functionality, performance and protection.
If the upload fails, the current appliance software does not change. If the upload succeeds, reset
the appliance to activate the new version.
To upload software:
1. Select File > Software Update.
2. In Software version, enter the software version number as specified in the new software
documentation.
3. In the File field, enter the filepath. Or, click Browse to navigate to the file.
4. Select Enable New Version.
5. Click Set.
6. Click Device > Reboot Device.
7. Click Set.
Support
DDoS Protector can generate a text file with required CLI commands and their output, such as the
Client table and the ARP table.
You can download this file and send it to the Check Point Support Center.
Software List
The appliance can hold different software versions and their configuration files at the same time.
You can set which version is currently active. You can delete the inactive version.
Device
In This Section:
Reboot Device (on page 12)
Device Shutdown (on page 12)
Global Parameters (on page 13)
Device Information (on page 13)
Utilization > SME Utilization (on page 14)
Utilization > Device Resource Utilization (on page 15)
License Upgrade (on page 15)
Forwarding Table (on page 15)
Port Mirroring (on page 16)
L2 Interface (on page 19)
Link Aggregation (on page 20)
Jumbo Frames Settings (on page 23)
Traffic Exclusion (on page 24)
Session Table (on page 24)
IP Fragmentation (on page 28)
Device Overload Mechanism (on page 28)
High Availability (on page 29)
Tunneling (on page 33)
IP Version Mode (on page 34)
Dynamic Protocols (on page 35)
Reboot Device
This feature reboots the appliance. Many changes are applied only after the appliance reboots.
Device Shutdown
To shut down an appliance:
1. Click Device > Device Shutdown.
2. Click Shutdown.
Global Parameters
To set the global appliance parameters:
1. Click Device > Global Parameters.
2. Configure the parameters, and click Set.
Description: The general description of the appliance.
Name: The user-assigned name of the appliance that shows in the windows describing the appliance.
Boot Server Address: The IP address of the BootP server. The appliance forwards BootP requests to
the BootP server and acts as a BootP relay.
BootP Threshold: How many seconds the appliance waits before relaying requests to the BootP
server. This delay allows BootP servers to answer first.
Device Information
Open the Device Information pane to see information about the appliance.
Click Device > Device Information.
Base MAC: The MAC address of the first port on the appliance.
Resource Utilization
RE Resource Utilization
resource currently used.
Last 5 sec. Average Utilization: The average use of resources in the last 5 seconds.
Last 60 sec. Average Utilization: The average use of resources in the last 60 seconds.
License Upgrade
To upgrade the software license:
1. Click Device > License Upgrade.
2. Enter your new license key. (The current license key is shown.)
3. Enter your throughput license key. (The current throughput license key is shown.)
Note: License keys are case sensitive.
4. Click Set.
5. In the Reset the Device pane, click Set. The reset may take a few minutes.
Forwarding Table
You configure the scanning ports in Static Forwarding mode. In Static Forwarding mode, DDoS
Protector behaves like a device in promiscuous mode: it acts as a completely transparent network
element and does not alter the network topology.
Scanning ports have a one-to-one forwarding ratio: traffic that arrives on the receiving port is
always sent out of its corresponding transmitting port. The ports are paired, meaning one port
receives traffic while the other transmits it. The pairs are defined in the Forwarding Table.
When you use the SYN Flood Protection filters, you must set both the inbound and the outbound
direction of the segment to Process mode.
You can assign the same Destination Port to more than one Source Port. For example, Source Port 1
can be associated with Destination Port 3, and Source Port 2 can also be associated with
Destination Port 3.
Operation: The operation mode assigned to a pair of ports: Process or Switch.
Note: When you assign the same Destination Port to more than one Source Port, you must also define
the forwarding entry for the traffic in the opposite direction; otherwise the traffic transmitted in
that direction is ignored. For example, if Source Port 1 and Source Port 2 are both associated with
Destination Port 3, then for the traffic in the opposite direction the Source Port is 3 and its
Destination Port must be defined (typically 1 or 2).
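The reverse-direction rule in the note above is easy to miss once a table has more than a few rows, so here is a small consistency check written for this guide as an added example. It is not Check Point code and does not talk to the appliance; the PortPair model, the check_forwarding_table function and the list of SYN-flood segments are this example's own names. It encodes the three rules stated in this section: a source port appears once, every destination port must itself have an entry as a source, and both directions of a segment protected by SYN Flood Protection must be in Process mode.

```python
"""Sanity check for a Static Forwarding table (added example, not appliance code).

Rules enforced, as stated in the Forwarding Table section of the guide:
  * a source port appears at most once;
  * every destination port must also appear as a source port, otherwise the
    traffic arriving on it (the opposite direction) is ignored;
  * segments protected by the SYN Flood Protection filters must be in
    Process mode in both directions.
The PortPair model and the function names are assumptions made for this example.
"""
from dataclasses import dataclass

PROCESS, SWITCH = "Process", "Switch"


@dataclass(frozen=True)
class PortPair:
    source: int       # receiving port
    destination: int  # transmitting port
    operation: str    # PROCESS or SWITCH


def check_forwarding_table(pairs, syn_flood_segments=()):
    """Return a list of human-readable problems; an empty list means the table is consistent.

    syn_flood_segments: (port_a, port_b) tuples naming the segments on which the
    SYN Flood Protection filters are enabled.
    """
    problems = []
    by_source = {}
    for p in pairs:
        if p.operation not in (PROCESS, SWITCH):
            problems.append(f"port {p.source}: unknown operation {p.operation!r}")
        if p.source in by_source:
            problems.append(f"port {p.source} is listed as a source port more than once")
        by_source[p.source] = p

    # Reverse direction: a port that only ever appears as a destination has no
    # entry for the traffic it receives, so that traffic is silently ignored.
    for dst in sorted({p.destination for p in pairs}):
        if dst not in by_source:
            problems.append(
                f"port {dst} is a destination but has no entry as a source; "
                "traffic arriving on it is ignored")

    # SYN Flood Protection requires Process mode in both directions of the segment.
    for a, b in syn_flood_segments:
        for src in (a, b):
            row = by_source.get(src)
            if row is None:
                problems.append(f"SYN flood segment {a}-{b}: port {src} has no forwarding entry")
            elif row.operation != PROCESS:
                problems.append(
                    f"SYN flood segment {a}-{b}: port {src} is in {row.operation} mode, "
                    "Process is required")
    return problems


# Constructed tables reproducing the example in the text: ports 1 and 2 both
# forward to port 3.  The first table forgets the 3 -> 1 return path.
INCOMPLETE_TABLE = [PortPair(1, 3, PROCESS), PortPair(2, 3, SWITCH)]
COMPLETE_TABLE = INCOMPLETE_TABLE + [PortPair(3, 1, PROCESS)]

if __name__ == "__main__":
    for name, table in (("incomplete", INCOMPLETE_TABLE), ("complete", COMPLETE_TABLE)):
        print(name, check_forwarding_table(table, syn_flood_segments=[(2, 3)]) or "OK")
```

Run it against an export of your Forwarding Table before enabling SYN Flood Protection on a segment: a destination port that never appears as a source, or a Switch-mode port on a protected segment, is reported as a problem.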
Interface Grouping
When you install DDoS Protector between two L2 switches with multiple links (with Link
Aggregation, for example), a link failure of one L2 switch is not detected by the remote L2 switch,
because DDoS Protector continues to keep the link up. Interface Grouping shuts both endpoints of
a link if a failure is detected on one of the endpoints. The endpoints of the links are set by the
Static Forwarding table. Interface Grouping is configured globally for each appliance.
Port Mirroring
Port mirroring is supported only on DDoS Protector x412 models.
Port Mirroring enables the appliance to duplicate traffic from one physical port on the appliance to
another physical port on the appliance. This is useful when an intrusion detection system (IDS)
appliance is connected to one of the ports on the appliance. You can choose to mirror either
received and transmitted traffic, received traffic only, or transmitted traffic only. You can also
specify whether to duplicate the received broadcast packets.
During high-bandwidth DoS and DDoS attacks, you can mirror the traffic that arrives at the DDoS
Protector appliance to a dedicated sniffer port. This allows you to collect packet data during an
attack.
DDoS Protector User Guide 6.14 | 16
DDoS Protector appliances can perform traffic-rate port mirroring only when the appliance is
under attack. Traffic-rate port mirroring is based on a specified traffic threshold. When the
threshold is reached, DDoS Protector starts copying traffic from the interface to its mirroring
output port. The process continues for the specified time, and then the copying process stops. For
example, if you have a single network segment connected between interfaces 1 and 2, whenever
traffic reaches the configured threshold, DDoS Protector copies the traffic arriving on interface 1
to interface 3.
Promiscuous Mode: If Enabled, the appliance copies all traffic to the specified output port. If
Disabled (default), the appliance copies only the traffic destined to the input port.
Global Parameters
Use the Port Mirroring Global Parameters pane to set the parameters that apply globally for the
appliance, not for each pair of ports.
Threshold Interval: How long, in seconds, mirroring continues after the traffic rate falls below the
specified threshold.
Default: 30
Physical Interface
Use the Physical Interface pane to change the physical attributes of each port individually.
Duplex: Specifies whether the port can send and receive at the same time (Full Duplex) or in only
one direction at a time (Half Duplex).
Auto Negotiation: Detects and configures the speed and duplex required for the interface.
L2 Interface
Use the L2 Interface pane to configure the administrative status and view settings for each
interface.
Interface Type: The interface type number assigned by the Internet Assigned Numbers Authority
(IANA).
Interface Last Change: The value of System Up Time at the time the interface entered its current
operational state. If the current state was entered prior to the last re-initialization of the
local network management subsystem, this value is zero (0).
ifInOctets (Incoming Bytes): The number of incoming octets (bytes) through the interface, including
framing characters.
ifInDiscards (Incoming Discards): The number of inbound packets that were discarded even though no
errors had been detected that would prevent their delivery to a higher-layer protocol. One possible
reason for discarding such a packet is to free up buffer space.
ifInErrors (Incoming Errors): For packet-oriented interfaces, the number of inbound packets that
contained errors preventing them from being deliverable to a higher-layer protocol. For
character-oriented or fixed-length interfaces, the number of inbound transmission units that
contained such errors.
ifOutOctets (Outgoing Bytes): The total number of octets (bytes) transmitted out of the interface,
including framing characters.
ifOutUcastPkts (Outgoing Unicast Packets): The total number of packets that higher-level protocols
requested be transmitted, and which were not addressed to a multicast or broadcast address at this
sub-layer, including those that were discarded or not sent.
ifOutNUcastPkts (Outgoing Non-Unicast Packets): The total number of packets that higher-level
protocols requested be transmitted, and which were addressed to a multicast or broadcast address at
this sub-layer, including those that were discarded or not sent.
Interface Speed: The current bandwidth, in megabits per second, of the interface.
Link Aggregation
Use link aggregation, also called port trunking, to combine several physical network links into a
single logical link for increased bandwidth and/or redundancy.
Note: DDoS Protector x06 platforms implement link aggregation in software and not at the switch
level (this platform does not include a Layer 2 switch hardware component). Therefore, on this
platform, you cannot define link aggregations as port mirroring participants.
With link aggregation, you can increase the capacity and availability of the communications
channel between appliances (both switches and end stations) using existing Fast Ethernet and
Gigabit Ethernet technology. A set of parallel physical links between two appliances is grouped
together to form a single logical link.
Link aggregation also provides load balancing: traffic is distributed across the links in the
aggregation so that no single link is saturated. By treating multiple LAN connections as one
aggregated link, you achieve higher link availability and increased link capacity.
Link aggregation is supported according to the IEEE 802.3ad standard, as follows:
Link aggregation is supported only on links using the IEEE 802.3 MAC.
Link aggregation is supported only on point-to-point links.
Link aggregation is supported only on links operating in Full Duplex mode.
Link aggregation is permitted only among links with the same speed and direction.
The failure or replacement of a single link within a link aggregation does not cause failure from
the perspective of a MAC client.
MAC client traffic can be distributed across multiple links. To guarantee the correct ordering of
frames at the receiving end station, all frames belonging to one session must be transmitted
through the same physical link.
For DDoS Protector, the algorithm that assigns frames to a physical port within the link
aggregation is based on hashing the Layer 3 destination IP address and the Layer 4 destination port.
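To make the hashing statement concrete, the following added example (not appliance code) assigns constructed flows to member links. Only the destination IP address and destination port enter the hash, exactly as stated above; the hash function itself (CRC-32 over the packed fields, modulo the number of member links) is an assumption made for illustration, because the page does not name the appliance's real function. Two consequences hold whatever the function is: every frame of one session lands on the same link, which is what preserves frame ordering, and a flood aimed at a single destination address and port also lands on one link, so the aggregate bandwidth of the trunk does not protect that member link from saturation.

```python
"""Frame-to-member-link assignment in a link aggregation (added example).

The guide states only that DDoS Protector hashes the Layer 3 destination IP
address and the Layer 4 destination port.  The concrete function used here
(CRC-32 over the packed address and port, modulo the number of member links)
is an assumption for illustration; the appliance's real hash is not documented.
Flows are (src_ip, src_port, dst_ip, dst_port) tuples.
"""
import ipaddress
import struct
import zlib
from collections import Counter


def select_member_link(dst_ip, dst_port, n_links):
    """Return the index (0 .. n_links-1) of the member link that carries a frame."""
    if n_links < 1:
        raise ValueError("a link aggregation needs at least one member link")
    # IPv4 or IPv6: ip_address() gives the packed form for either.
    key = ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port)
    return zlib.crc32(key) % n_links


def distribute(flows, n_links):
    """Assign each flow to a link; return the mapping and the per-link flow counts."""
    assignment = {f: select_member_link(f[2], f[3], n_links) for f in flows}
    return assignment, Counter(assignment.values())


def links_used(flows, n_links):
    """How many member links the given flows actually occupy."""
    return len(distribute(flows, n_links)[1])


# Constructed traffic: a flood from 64 sources against one HTTPS service, and
# 64 flows from one client to 64 different servers.
FLOOD_FLOWS = [(f"198.51.100.{i}", 40000 + i, "203.0.113.10", 443) for i in range(1, 65)]
SPREAD_FLOWS = [("198.51.100.1", 40000 + i, f"203.0.113.{i}", 443) for i in range(1, 65)]

if __name__ == "__main__":
    print("flood  ->", dict(distribute(FLOOD_FLOWS, 4)[1]))   # all 64 flows on one link
    print("spread ->", dict(distribute(SPREAD_FLOWS, 4)[1]))  # spread over the links
```

When sizing a trunk for a protected segment, plan for the flood case: the member link carrying the attacked destination must cope with the whole attack volume on its own.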
The link-aggregation feature lets you define up to five (5) link aggregations on an x06 platform
and up to seven (7) on an x420 platform.
In DDoS Protector, all link-aggregation configurations are static.
Notes:
Only connected ports (Link Up) operating in Full Duplex mode can be attached to a link aggregation.
A port belonging to a link aggregation cannot be copied to another port (copy port).
Before attaching a physical port to a link aggregation, make sure that the port is not used in
any other configuration (port mirroring, static forwarding). Management ports that have
preconfigured IP addresses cannot be assigned to a link aggregation. If you want to use a
management port in a link aggregation, you must first remove the IP address and only then
add the port to the link aggregation.
When a link aggregation is part of a protected segment definition, Port Operation in the Port
Pairs table must be set to Process mode for both directions of this segment.
You cannot specify a port within a link aggregation as the source or destination of SSL
inspection.
Parameter Description
Default: Unattached
Traffic Exclusion
This feature is available only on x412 platforms.
You can specify whether the appliance passes through all traffic that matches no network policy
configured on the appliance.
If Traffic Exclusion is enabled, to inspect traffic that matches a Server Protection policy, you must
configure the Server Protection policy as a subset of the Network Protection policy.
Session Table
DDoS Protector includes a Session table, which tracks sessions bridged and forwarded by the
appliance.
Session Table Status: Specifies whether the appliance uses the Session table.
Default: Enabled
Idle TCP-Session Aging Time: The time, in seconds, that the Session table keeps idle TCP sessions.
Values: 1 to 7200
Default: 100
Idle UDP-Session Aging Time: The time, in seconds, that the Session table keeps idle UDP sessions.
Values: 1 to 7200
Default: 100
Idle SCTP-Session Aging Time: The time, in seconds, that the Session table keeps idle SCTP
sessions.
Values: 1 to 7200
Default: 100
Idle ICMP-Session Aging Time: The time, in seconds, that the Session table keeps idle ICMP
sessions.
Values: 1 to 7200
Default: 100
Idle GRE-Session Aging Time: The time, in seconds, that the Session table keeps idle GRE sessions.
Values: 1 to 7200
Default: 100
Idle Other-Protocol-Session Aging Time: The time, in seconds, that the Session table keeps idle
sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE.
Values: 1 to 7200
Default: 100
Session Table No Aging Mode: Enables or disables No Aging mode. If enabled, entries in the Session
Table and the Flow Table are never aged out. This parameter can be configured only when Session
Table Lookup Mode is L4 Destination Port.
Session Table Lookup Mode: The layer of address information used to categorize packets in the
Session table.
Values:
Full L4: An entry exists in the Session table for each combination of source IP, source port,
destination IP, and destination port of packets passing through the appliance.
L4 Destination Port: Traffic is recorded based only on the TCP/UDP destination port. This mode
uses minimal Session table resources (only one entry for each protected port).
Default: Full L4
Important: Check Point recommends that you always use the Full L4 option. When Session Table
Lookup Mode is L4 Destination Port, these protections do not work:
Anti Scanning
Connection Packet Rate Limit
Connection Rate Limit
HTTP Mitigator
HTTP Replies Signatures
Out-of-State protection
Server Cracking
SYN Flood protection
Remove Session Table Entry at Session End: Specifies whether the appliance removes a session from
the Session Table after receiving a FIN or RST packet, if no additional packets are received on the
same session within the Remove Session Entry at Session End Time period.
Default: Enabled
Remove Session Entry at Session End Time: When Remove Session Table Entry at Session End is
enabled, the time, in seconds, after receiving a FIN or RST packet with no further packets on the
same session, after which the appliance removes the session from the Session Table. (This option
is supported only if Remove Session Table Entry at Session End is enabled.)
Values: 1 to 60
Default: 5
Send Reset To Server Status: Specifies whether the DDoS Protector appliance sends a RST packet to
the destination of aged TCP sessions.
Values:
Enabled: DDoS Protector sends a RST packet to the destination and removes the entry from the DDoS
Protector Session table.
Disabled: DDoS Protector ages the session normally (using the short SYN timeout), but the
destination might hold the session for quite some time.
Default: Disabled
Session-Table-Full Action: The action that the appliance takes when the Session table is at full
capacity.
Values:
Bypass New Sessions: The appliance bypasses new sessions until the Session table has room for new
entries.
Block New Sessions: The appliance blocks new sessions until the Session table has room for new
entries.
Incomplete TCP-Handshake Timeout: How long, in seconds, the appliance waits for the three-way
handshake to complete and for a data payload to arrive on a new TCP session. When the timeout
elapses, the appliance deletes the session and, if the Send Reset To Server option is enabled,
sends a reset packet to the server.
Values:
0: The appliance uses the specified Session Aging Time.
1 to 10: The TCP Handshake Timeout, in seconds.
Default: 10
Source IP mask: The mask applied to source IP addresses to define the subnet whose sessions are
shown in the Session Table.
Dest IP mask: The mask applied to destination IP addresses to define the subnet whose sessions are
shown in the Session Table.
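The parameters above interact in ways a table cannot show, so the following added example (not the appliance's implementation, whose data structures are not documented on this page) models a session table with both lookup modes, per-protocol idle aging, FIN/RST removal and the Session-Table-Full action. Replaying one constructed trace in both modes shows why L4 Destination Port mode cannot support the per-connection protections listed under Important: all clients of a port share a single entry, so a FIN from one client starts the removal timer for everybody, and the table never fills no matter how many sources connect. It also makes the failure mode of Session-Table-Full Action visible: Bypass New Sessions fails open (new sessions are forwarded without an entry), Block New Sessions fails closed.

```python
"""Session table model (added example; not the appliance's data structures).

Reproduces the behaviour described in the Session Table section: Full L4
versus L4 Destination Port lookup, per-protocol idle aging, early removal after
FIN/RST when no further packets follow within the session-end time, and the
Session-Table-Full action.  Packets are (proto, src_ip, src_port, dst_ip,
dst_port); times are in seconds.  Class and field names are this example's own.
"""
from dataclasses import dataclass, field

FULL_L4, L4_DEST_PORT = "Full L4", "L4 Destination Port"
BYPASS, BLOCK = "Bypass New Sessions", "Block New Sessions"
TCP, UDP = 6, 17


@dataclass
class SessionTable:
    lookup_mode: str = FULL_L4
    capacity: int = 4
    idle_aging: dict = field(default_factory=lambda: {TCP: 100, UDP: 100, "other": 100})
    full_action: str = BYPASS
    remove_at_session_end: bool = True
    session_end_time: int = 5                     # Remove Session Entry at Session End Time
    entries: dict = field(default_factory=dict)   # key -> {"last": t, "closing": t or None}

    def key(self, pkt):
        if self.lookup_mode == L4_DEST_PORT:
            return (pkt[0], pkt[4])               # one entry per protected port
        return pkt                                # one entry per 5-tuple

    def age(self, now):
        """Drop idle entries and entries whose FIN/RST grace period has elapsed."""
        for k, e in list(self.entries.items()):
            idle_limit = self.idle_aging.get(k[0], self.idle_aging["other"])
            closed = e["closing"] is not None and now - e["closing"] > self.session_end_time
            if now - e["last"] > idle_limit or closed:
                del self.entries[k]

    def handle(self, pkt, now, fin_or_rst=False):
        """Process one packet; return 'inspected', 'bypassed' or 'blocked'."""
        self.age(now)
        k = self.key(pkt)
        e = self.entries.get(k)
        if e is None:
            if len(self.entries) >= self.capacity:
                return "bypassed" if self.full_action == BYPASS else "blocked"
            e = self.entries[k] = {"last": now, "closing": None}
        e["last"] = now
        if fin_or_rst and pkt[0] == TCP and self.remove_at_session_end:
            e["closing"] = now                    # start the session-end grace period
        else:
            e["closing"] = None                   # more traffic: the session is still live
        return "inspected"


# Constructed trace: four clients to one web server, then a FIN from the first
# client, then an unrelated DNS packet 16 s later (past the 5 s session-end time).
TRACE = [
    ((TCP, "198.51.100.1", 40000, "203.0.113.10", 443), 0, False),
    ((TCP, "198.51.100.2", 40001, "203.0.113.10", 443), 1, False),
    ((TCP, "198.51.100.3", 40002, "203.0.113.10", 443), 2, False),
    ((TCP, "198.51.100.4", 40003, "203.0.113.10", 443), 3, False),
    ((TCP, "198.51.100.1", 40000, "203.0.113.10", 443), 4, True),
    ((UDP, "198.51.100.9", 53000, "203.0.113.53", 53), 20, False),
]


def run_trace(lookup_mode, capacity=3, full_action=BYPASS):
    """Replay TRACE; return (entries left in the table, per-packet results)."""
    table = SessionTable(lookup_mode=lookup_mode, capacity=capacity, full_action=full_action)
    results = [table.handle(pkt, now, fin) for pkt, now, fin in TRACE]
    return len(table.entries), results


if __name__ == "__main__":
    for mode in (FULL_L4, L4_DEST_PORT):
        print(mode, run_trace(mode))
```

In Full L4 mode with a table of three entries the fourth client is bypassed (or blocked), and the first client's FIN removes only that client's entry. In L4 Destination Port mode the same trace never fills the table, and the single shared entry for port 443 is removed by one client's FIN while the other three sessions are still open, which is exactly the per-connection state the listed protections need and do not have.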
IP Fragmentation
When an IP packet is too long to be transmitted over a link, the originator of the packet, or one
of the routers forwarding it, has to fragment the packet into multiple shorter packets.
IP Fragmentation allows the appliance to forward fragmented IP packets. The appliance identifies
that all the fragments belong to the same datagram and treats them accordingly in terms of
classification, load balancing, and forwarding. The appliance does not reassemble the original IP
packet; it forwards the fragments to their destination, even if they arrive at the appliance out of
order.
With asymmetric routing, when the appliance does not see all the fragments of a datagram, the
appliance drops the incomplete set of fragments.
Queueing-limit: The percentage of the appliance's IP packet capacity allocated to queuing
out-of-order fragments of IP datagrams.
Values: 0 to 100
Default: 25
Aging: The time, in seconds, that the appliance keeps queued fragments.
Values: 1 to 255
Default: 1
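As an added example (not the appliance's code), the following model forwards constructed IPv4 fragments without reassembling them. Only the first fragment carries the UDP/TCP header, so later fragments inherit their classification from it; a fragment that arrives before its first fragment is queued within the Queueing-limit and released when the first fragment shows up; a set whose first fragment never arrives, as happens with asymmetric routing, is dropped once the Aging time passes. The packet_buffer size, the FragmentForwarder class and the sample packets (built with zero checksums) are this example's own assumptions.

```python
"""Forwarding of fragmented IPv4 datagrams without reassembly (added example).

The appliance's internal implementation is not documented; this model follows
the behaviour the guide describes: fragments are grouped by datagram,
classified like the first fragment (only the first fragment carries the L4
header), forwarded even when they arrive out of order, queued within the
Queueing-limit while the first fragment is missing, and dropped once the
Aging time passes without completion.  Sample packets are constructed here
with zero checksums; they are not captured traffic.
"""
import ipaddress
import struct


def make_fragment(src, dst, ident, offset, more, payload, proto=17):
    """Build a raw IPv4 fragment (20-byte header, no options, checksum 0)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    """Extract the fields needed to group and classify a fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return {
        "datagram": (src, dst, pkt[9], ident),   # (src, dst, proto, id) names the datagram
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }


class FragmentForwarder:
    def __init__(self, packet_buffer=100, queueing_limit=25, aging=1):
        self.max_pending = packet_buffer * queueing_limit // 100   # Queueing-limit, in fragments
        self.aging = aging                                         # Aging, in seconds
        self.known = {}     # datagram -> (classification, last seen)
        self.pending = {}   # datagram -> [(arrival, fragment), ...] waiting for the first fragment
        self.dropped = 0

    def classify(self, first_fragment):
        """The 5-tuple; only the first fragment carries the L4 ports."""
        src, dst, proto, _ = first_fragment["datagram"]
        sport, dport = struct.unpack("!HH", first_fragment["payload"][:4])
        return (src, dst, proto, sport, dport)

    def expire(self, now):
        """Age out incomplete fragment sets and stale datagram state."""
        for key in [k for k, v in self.pending.items() if now - v[0][0] > self.aging]:
            self.dropped += len(self.pending.pop(key))
        for key in [k for k, v in self.known.items() if now - v[1] > self.aging]:
            del self.known[key]

    def handle(self, pkt, now):
        """Return one classification per fragment forwarded as a result of this packet."""
        self.expire(now)
        frag = parse_ipv4(pkt)
        key = frag["datagram"]
        if frag["offset"] == 0:                       # first fragment: carries the L4 header
            cls = self.classify(frag)
            self.known[key] = (cls, now)
            return [cls] * (1 + len(self.pending.pop(key, [])))   # releases queued fragments
        if key in self.known:                         # later fragment of a known datagram
            self.known[key] = (self.known[key][0], now)
            return [self.known[key][0]]
        if sum(len(v) for v in self.pending.values()) >= self.max_pending:
            self.dropped += 1                         # queue full: out-of-order fragment dropped
            return []
        self.pending.setdefault(key, []).append((now, frag))   # out of order: wait for the first
        return []


# Constructed sample traffic: one DNS datagram split in two, plus an orphan
# fragment whose first fragment never arrives.
SRC, DST = "198.51.100.7", "203.0.113.10"
UDP_HEADER = struct.pack("!HHHH", 40000, 53, 8 + 16, 0)
FIRST_FRAG = make_fragment(SRC, DST, 0x1234, 0, True, UDP_HEADER + b"A" * 8)
SECOND_FRAG = make_fragment(SRC, DST, 0x1234, 16, False, b"B" * 8)
ORPHAN_FRAG = make_fragment(SRC, DST, 0x5678, 16, False, b"C" * 8)

if __name__ == "__main__":
    fw = FragmentForwarder()
    for t, pkt in ((0.0, SECOND_FRAG), (0.1, FIRST_FRAG), (0.2, ORPHAN_FRAG), (2.0, FIRST_FRAG)):
        print(t, fw.handle(pkt, t), "dropped so far:", fw.dropped)
```

A non-first fragment carries no port numbers, so any policy keyed on the L4 destination port can only be applied to it through state learned from the first fragment; that is why the queue, its limit and its aging exist, and why an attacker sending only non-first fragments consumes queue space rather than reaching the protected service.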
High Availability
To support high availability (HA), you can configure two compatible DDoS Protector appliances to
operate in a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version,
software license, throughput license, and Check Point signature file.
One member of the cluster is the primary; the other member of the cluster is the secondary. The
primary appliance is the appliance on which you configure the Pair Definition.
When you configure a cluster and submit the configuration, the newly designated primary
appliance configures the required parameters on the designated secondary appliance.
The members of a cluster work in an active-passive architecture.
When a cluster is created:
The primary and secondary appliances negotiate the active/passive status according to the
specified triggers and thresholds. If both appliance environments are nominal, the primary
appliance becomes the active member.
The primary appliance transfers the relevant configuration objects to the secondary appliance.
A secondary appliance maintains its own configuration for the appliance users, IP interfaces,
routing, and the port-pair Failure Mode (see Forwarding Table (on page 15)).
A primary appliance immediately transfers each relevant change to its secondary appliance. For
example, after you make a change to a Network Protection policy, the primary appliance
immediately transfers the change to the secondary appliance. However, if you change the list of
appliance users on the primary appliance, the primary appliance transfers nothing (because the
secondary appliance maintains its own list of appliance users).
The passive appliance periodically synchronizes baselines for BDoS and HTTP Mitigator
protections.
If a passive appliance does not detect the active appliance according to the specified Heartbeat
Timeout, the appliance switches to the active state (even though the peer might actually be in a
nominal situation).
These situations trigger the active appliance and the passive appliance to switch states (active to
passive and passive to active):
All links are identified as down on the active appliance according to the specified Link Down
Timeout and the peer appliance has at least one link up.
Optionally, the traffic to the active appliance falls below the specified Idle Line Threshold for
the specified Idle Line Timeout.
You issue the Switch Over command.
If the Enable Failback option is enabled (default: disabled), the secondary appliance switches
from active to passive after the secondary appliance detects that the primary-appliance
situation is nominal.
Most actions cannot be run on a secondary appliance. Only these actions are available:
Switch the appliance state (active to passive and passive to active)
Break the cluster if the primary appliance is unavailable
Configure management IP addresses and routing
Configure the port-pair Failure Mode
Baseline Sync Interval: The interval, in seconds, at which the active appliance synchronizes the
BDoS and HTTP Mitigator baselines.
Values: 3600 to 86,400
Default: 3600
Heartbeat Timeout: The time, in seconds, during which the passive appliance detects no heartbeat
from the active appliance before the passive appliance becomes active.
Values: 1 to 10
Default: 5
Link Down Timeout: The time, in seconds, after all links to the active appliance are identified as
being down before the appliances switch states. If a dead link or idle line is detected on both
cluster members, there is no switchover.
Values: 1 to 65,535
Default: 1
Switchover Sustain Timeout: The time, in seconds, after a manual switchover during which the
cluster members do not change states.
Values: 30 to 3600
Default: 180
Idle Line Detection Status: Specifies whether the appliances switch states due to an idle line
detected on the active appliance. If an idle line is detected on both cluster members, there is no
switchover.
Default: disable
Idle Line Timeout: The time, in seconds, with line bandwidth below the Total BW Threshold that
triggers a switchover when Idle Line Detection Status is enable. If Idle Line Detection Status is
disable, this parameter is ignored.
Values: 3 to 65,535
Default: 10
Enable Failback: Specifies whether the secondary appliance can automatically fail back to the
primary.
Default: disable
MNG-1 Peer IP address: The IP address of the MNG-1 port on the peer appliance.
MNG-2 Peer IP address: The IP address of the MNG-2 port on the peer appliance.
Switch Over
To switch over to the peer appliance:
1. Click Device > High Availability > Switch Over.
2. Click Set.
Reset Secondary
You can reset the secondary appliance when the appliance role is primary.
Tunneling
Carriers, service providers, and large organizations use various tunneling protocols to transmit
data from one location to another over the IP network, so that intermediate network elements are
unaware of the data encapsulated in the tunnel.
With tunneling, forwarding is based on the source and destination IP addresses of the outer
(tunnel) header. IPS appliances and load balancers that expect the relevant fields at a known
offset in the IP packet cannot locate them, because the original IP packet is encapsulated inside
the tunnel.
To provide a carrier-grade IPS/DoS solution, DDoS Protector inspects traffic inside tunnels, which
allows it to be positioned at peering points and carrier network access points.
You can install DDoS Protector in different environments, which might include traffic encapsulated
with different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their
tunneling, and mobile operators deploy GRE and GTP.
DDoS Protector can inspect traffic that uses various encapsulation protocols. In some cases, the
external header (tunnel data) is what DDoS Protector needs to inspect. In other cases, DDoS
Protector needs to inspect the internal data (the inner IP header and even the payload). You can
configure DDoS Protector to meet your specific inspection requirements.
Changing the configuration of this feature takes effect only after an appliance reset.
To configure tunneling:
1. Click Device > Tunneling.
2. Configure the parameters.
3. Click Set.
Apply Black and White List Rules to the Encapsulated Headers: Specifies whether the appliance
applies Black List and White List rules to the encapsulated headers.
Default: Disabled
Inspect Encapsulated GRE Traffic: Specifies whether the appliance inspects this type of traffic.
Default: Disabled
Inspect Encapsulated GTP Traffic: Specifies whether the appliance inspects this type of traffic.
Default: Disabled
Inspect Encapsulated L2TP Traffic: Specifies whether the appliance inspects this type of traffic.
Default: Disabled
Inspect VLAN (802.1Q) and MPLS Traffic: Specifies whether the appliance inspects this type of
traffic. You can configure the appliance to inspect traffic carried inside the common Layer 2
tunneling protocols, VLAN (802.1Q) and MPLS. Inspecting these types of L2 tunnels as part of the
protection criteria is essential in environments such as Managed Security Service Providers (MSSP).
Default: Disabled
Inspect Encapsulated IP-in-IP Traffic: Specifies whether the appliance inspects this type of
traffic.
Default: Disabled
Bypass IPsec Traffic: Specifies whether the appliance bypasses IPsec traffic (that is, whether the
appliance passes IPsec traffic through without inspection).
Default: Enabled
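The "known offset" problem described above is easiest to see in code. The following added example (not Check Point's parser) builds two constructed frames, one with an 802.1Q tag around a GRE tunnel and one using IP-in-IP, and walks the encapsulation down to the inner TCP 5-tuple; fixed_offset_five_tuple shows what a device that expects a plain IPv4 packet at byte 14 reads from the same frames. L2TP, GTP and MPLS are listed in this section but are not parsed here; the function and constant names are this example's own, and the frames carry zero checksums because they are constructed, not captured.

```python
"""Locating the inner IP header and 5-tuple inside tunnelled traffic (added
example, not appliance code).  Walks 802.1Q tags, GRE and IP-in-IP, the
encapsulations this section names for inner-header inspection, and contrasts
the result with a fixed-offset reading that assumes plain IPv4 at byte 14 of
the frame.  Sample frames are constructed (zero checksums), not captured.
"""
import ipaddress
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47


def ipv4_header(src, dst, proto, payload_len, ident=1):
    """Minimal 20-byte IPv4 header with the checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def decapsulate(frame, max_depth=8):
    """Return (layers, five_tuple) for an Ethernet frame.

    layers lists every header crossed; five_tuple is (src, dst, proto, sport, dport)
    of the innermost TCP/UDP segment, or None if it cannot be reached.
    """
    layers = []
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    while ethertype == ETH_VLAN:                       # one or more 802.1Q tags
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        layers.append(f"802.1Q vlan {tci & 0x0FFF}")
        off += 4
    if ethertype != ETH_IPV4:
        return layers, None
    for _ in range(max_depth):                         # bounded: never loop on hostile input
        ihl = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        src = str(ipaddress.IPv4Address(frame[off + 12:off + 16]))
        dst = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
        layers.append(f"ipv4 {src}->{dst} proto {proto}")
        off += ihl
        if proto == IPPROTO_IPIP:                      # inner IPv4 header follows directly
            continue
        if proto == IPPROTO_GRE:
            flags, gre_proto = struct.unpack("!HH", frame[off:off + 4])
            off += 4
            off += 4 if flags & 0x8000 else 0          # C flag: checksum + reserved1 present
            off += 4 if flags & 0x2000 else 0          # K flag: key present
            off += 4 if flags & 0x1000 else 0          # S flag: sequence number present
            layers.append(f"gre 0x{gre_proto:04x}")
            if gre_proto != ETH_IPV4:
                return layers, None
            continue
        if proto in (IPPROTO_TCP, IPPROTO_UDP):
            sport, dport = struct.unpack("!HH", frame[off:off + 4])
            return layers, (src, dst, proto, sport, dport)
        return layers, None
    return layers, None


def fixed_offset_five_tuple(frame):
    """What a device assuming 'IPv4 at byte 14, L4 header at byte 34' reads."""
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[34:38])
    return (src, dst, frame[23], sport, dport)


# Constructed samples: VLAN 100 / IPv4 / GRE / IPv4 / TCP SYN, and the same
# inner packet carried in IP-in-IP without a VLAN tag.
TCP_SYN = struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
INNER = ipv4_header("10.0.0.5", "10.0.1.9", IPPROTO_TCP, len(TCP_SYN)) + TCP_SYN
GRE_HEADER = struct.pack("!HH", 0, ETH_IPV4)
ETH_ADDRS = bytes.fromhex("001122334455" "66778899aabb")
GRE_FRAME = (ETH_ADDRS + struct.pack("!HHH", ETH_VLAN, 100, ETH_IPV4)
             + ipv4_header("198.51.100.1", "203.0.113.1", IPPROTO_GRE, len(GRE_HEADER) + len(INNER))
             + GRE_HEADER + INNER)
IPIP_FRAME = (ETH_ADDRS + struct.pack("!H", ETH_IPV4)
              + ipv4_header("198.51.100.2", "203.0.113.2", IPPROTO_IPIP, len(INNER)) + INNER)

if __name__ == "__main__":
    for frame in (GRE_FRAME, IPIP_FRAME):
        print(decapsulate(frame), "fixed offset sees:", fixed_offset_five_tuple(frame))
```

On the GRE frame the fixed-offset reading returns the outer header's TTL and protocol bytes as a source address and the tunnel endpoints as port numbers; nothing in it describes the inner 10.0.0.5 to 10.0.1.9 SYN that a protection policy would need to match.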
IP Version Mode
Use the IP Version Mode pane to set the IP version to IPv4 and IPv6 or only to IPv4.
Important: The ipv4and6 option consumes more memory than the ipv4 option. If you select ipv4and6,
perform a memory check before rebooting the appliance (Services > Tuning > Memory Check > Perform
Test). When you click Perform Test, a message notifies you whether there is enough memory on the
appliance and, if not, how much memory is required. If there is not enough memory, reduce the
memory allocated to modules that you are not using.
Dynamic Protocols
A dynamic application is an application that has multiple connections belonging to the same
session. For example, FTP has a Control Session and a Data Session; SIP has Signaling sessions,
Data sessions (RTP), and Control sessions (RTCP).
In some scenarios, dynamic sessions should stay in the Session Table longer than regular sessions.
In VoIP, SIP, and H.225, for example, there may be a period with no traffic while the call is still
active, and the session should not age out.
You can configure different aging times for the various dynamic applications, and configure
different policies for different connections of the same session. In FTP, for example, you can set
one policy for the FTP data connection and another policy for the FTP control connection.
The default status for all Dynamic Protocols other than SIP is Enabled.
In Device > Dynamic Protocols > General, you can set the aging time for these Dynamic Protocols:
FTP
TFTP
Rshell
Rexec
H.225
SIP
Parameter Description
Control Session Aging Time: The Control Session Aging Time, in seconds.
Default: 0
Data Session Aging Time: The Data Session Aging Time, in seconds.
Default: 0
Parameter Description
Control Session Aging Time (sec): The Control Session Aging Time, in seconds.
Default: 0
Error Session Aging Time (sec): The Error Session Aging Time, in seconds.
Default: 0
Control Session Aging Time: The Control Session Aging Time, in seconds.
Default: 0
H.245 Session Aging Time: The H.245 Session Aging Time, in seconds.
Default: 0
Signaling Session Aging Time: The Signaling Session Aging Time, in seconds.
Default: 20
RTCP Session Aging Time: The RTCP Session Aging Time, in seconds.
Default: 0
Parameter Description
SIP TCP Segments Aging Time: When SIP runs over TCP and packets are segmented, the SIP TCP Segments Aging Time parameter specifies how long the appliance keeps the packet.
Default: 5
Services
In This Section:
Tuning (page 39)
Signaling (page 48)
Diagnostics (page 51)
Syslog Reporting (page 57)
Daylight Saving (page 61)
Management Interfaces (page 61)
Event Log (page 64)
Network Time Protocol (NTP) (page 65)
RADIUS (page 65)
SMTP (page 67)
DNS Client Parameters (page 68)
Auditing (page 68)
Tuning
Classifier Tuning
Use the Classifiers Tuning pane to view and edit the Classifier tuning parameters. The changes
take effect after the reset.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.
Parameter Description
Network Table: The maximum number of entries in the table for ranges.
Values: 32 to 10,000
Default: 256
Discrete IP Addresses Per Network: The maximum number of entries in the table for IP addresses that are allocated to a network.
Values: 16 to 1024
Default: 64
Subnets Per Network: The maximum number of entries in the table for network subnets.
Values: 16 to 256
Default: 64
MAC Groups Table: The maximum number of entries in the table for MAC groups.
Values: 16 to 2048
Default: 128
Filter Table: The maximum number of entries in the table for basic filters.
Values: 512 to 2048
Default: 512
AND Group Table: The maximum number of entries in the advanced filters table for AND groups.
Values: 256 to 2048
Default: 256
OR Group Table: The maximum number of entries in the advanced filters table for OR groups.
Values: 256 to 2048
Default: 256
Application Port Groups: The maximum number of entries in the table for application port groups.
Values: 32 to 2000
Default: 512
Maximal number of attacks to be defined by user: The maximum number of user-configurable IPS signatures. DDoS Protector can store up to 500 concurrent RSA signatures.
Values: 10 to 10,000
Default: 100
Maximal number of srcIPs in Suspend Table: The maximum number of hosts that the Suspend table can block simultaneously. This value affects the abilities of other protections, such as Anti-Scanning and SYN protection.
Values: 1000 to 100,000
Default: 10,000
Maximal number of Server Protection servers Table: The maximum number of entries in the Server Protection policy.
Values: 100 to 10,000
Default: 350
Counters Source Table: The maximum number of sessions in which a source address is tracked.
Some attack signatures use thresholds per source for activation. The Counters Source Table counts the number of times traffic from a specific source matches a signature. When the number of packets sent from a particular source exceeds the predefined limit, it is identified as an attack.
Values: 100 to 65,536
Default: 65,536
Counters Target Table: The maximum number of sessions in which a destination address is tracked.
Some attack signatures use thresholds per destination for activation. The Counters Target Table counts the number of times traffic to a specific destination matches a signature. When the number of packets sent to a particular destination exceeds the predefined limit, it is identified as an attack.
Values: 100 to 65,536
Default: 65,536
Counters Source & Target Table: The maximum number of sessions in which source and destination addresses are tracked.
Some signatures use thresholds per source and destination for activation. The Counters Source & Target Table counts the number of times traffic from a specific source to a specific destination matches a signature. When the number of packets sent from a particular source to a particular destination exceeds the predefined limit, it is identified as an attack.
Values: 100 to 65,536
Default: 65,536
Counters DHCP Table: The number of MAC addresses to check for IP requests.
The DHCP Discover table detects attacks by counting the IP requests for each MAC address. The requests are made using the Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address exceeds the predefined limit, it is identified as an attack.
Values: 100 to 64,000
Default: 100
Counters Reports for all counters: The maximum number of entries for reports on active concurrent Tracking Signatures attacks.
Values: 100 to 64,000
Default: 20,000
Counters Cracking Protection: The maximum number of entries for concurrent active Server Cracking protections.
When the Server Cracking protection feature is enabled, DDoS Protector uses one entry in this table whenever DDoS Protector receives a response from the server that can indicate a potential Server Cracking attack. The entry includes the IP address of the potential attacker, the protected server, and the protocol. The entry remains in use as long as DDoS Protector receives such server responses.
Values: 100 to 65,536
Default: 100
Maximal number of entries in NCPF table: The maximal number of entries in the New Count Per Filter table, which the DoS Shield mechanism uses.
Values: 100 to 16,000
Default: 10,000
Maximal number of Anti-Scanning IP pairs Table: The maximum number of source IP addresses that the appliance stores for anti-scanning purposes.
Values: 10,000 to 1,000,000
Default: 50,000
HTTP Authentication Table Size: The number of sources in the HTTP Authentication table.
DDoS Protector uses the HTTP Authentication table in HTTP Flood profiles and the HTTP Authentication feature in a SYN Protection profile.
Values: 500,000 to 2,000,000
Default: 2,000,000
TCP Authentication Table Size: The number of sources in the TCP Authentication table.
DDoS Protector uses the TCP Authentication table for the Safe Reset Authentication Method feature in SYN Protection profiles.
Values: 500,000 to 2,000,000
Default: 2,000,000
For x412 platforms, the value is fixed at the default 2,000,000 and cannot be tuned.
Maximal number of DNS Protection policies: The maximum number of configurable DNS Flood Protection policies.
Values: 1 to 50
Default: 10
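The Counters Source Table described above is a bounded per-source hit counter. The following Python model, added here as an illustration and not DDoS Protector code, shows the two outcomes the table size controls: a source that exceeds the threshold is flagged, and once the table is full a new source cannot be tracked at all. The capacity, the threshold and the packet sample are constructed values, not appliance defaults.

```python
from collections import OrderedDict


class SourceCounterTable:
    """Constructed model of a per-source signature-match counter with a fixed capacity.

    It is not the appliance's implementation; it only reproduces the behaviour the
    guide describes: count matches per source, flag a source once its count exceeds
    the limit, and stop tracking new sources once the table is full.
    """

    def __init__(self, capacity, threshold):
        self.capacity = capacity      # maximum number of sources tracked at once
        self.threshold = threshold    # matches above which a source is flagged
        self._counts = OrderedDict()  # source -> number of matches, insertion order kept
        self.untracked = 0            # matches from sources that could not be allocated

    def match(self, src):
        """Record one signature match from src and classify the source.

        Returns "attack" once the source's match count exceeds the threshold,
        "tracked" while it is at or below the threshold, and "untracked" when the
        table is full and the source has no entry (the case a too-small table causes).
        """
        if src not in self._counts:
            if len(self._counts) >= self.capacity:
                self.untracked += 1
                return "untracked"
            self._counts[src] = 0
        self._counts[src] += 1
        return "attack" if self._counts[src] > self.threshold else "tracked"

    def count(self, src):
        """Current match count for src (0 if the source is not tracked)."""
        return self._counts.get(src, 0)


# Constructed packet sample: one flooding source (.1), two normal sources (.2, .3)
# and a late arrival (.4) that only gets an entry if the table still has room.
SAMPLE_SOURCES = (
    ["10.0.0.1"] * 5
    + ["10.0.0.2", "10.0.0.3"] * 2
    + ["10.0.0.1"] * 3
    + ["10.0.0.4"]
)


def classify_sample(capacity, threshold):
    """Run the constructed sample through a table and return (final class per source, table)."""
    table = SourceCounterTable(capacity, threshold)
    results = {}
    for src in SAMPLE_SOURCES:
        results[src] = table.match(src)  # the last classification wins
    return results, table


if __name__ == "__main__":
    for cap in (3, 4):
        res, tbl = classify_sample(cap, 5)
        print("capacity %d:" % cap, res, "untracked matches:", tbl.untracked)
```

With capacity 3 the late source is reported as untracked, which is exactly the symptom a too-small table produces; with capacity 4 it is tracked normally.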
Device Tuning
Use the Device Tuning pane to view and edit the appliance tuning parameters. The changes take
effect after the reset.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.
Parameter Description
IP Fragmentation Table: The maximum number of IP fragments that the appliance stores.
Values: 1 to 256,000
Default: 10240
Session Table: The maximum number of sessions that the appliance can track.
Values per model:
x06: 20 to 2,000,000
x412: 20 to 4,000,000
Session Resets Table: The maximum number of sessions that the appliance tracks to send RESET when Send Reset To Server is enabled in the Session table.
Values: 1 to 10,000
Default: 1000
Pending Table: The maximum number of new simultaneous dynamic sessions the appliance can open.
Values: 16 to 16,000
Default: 1024
SIP Call Table: The maximum number of SIP calls the appliance can track.
Values: 16 to 256,000
Default: 1024
TCP Segmentation Table: The maximum number of TCP segments. This parameter is used when SIP Protocol is enabled and SIP is running over TCP.
Values: 1 to 32,768
Default: 256
Memory Check
To eliminate the chance of causing a memory allocation problem, DDoS Protector can review the
settings in configured tables. Each time you update a value for a certain table, it is possible to
check if there is enough free memory for the requested value.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.
DDoS Protector User Guide 6.14 | 45
Parameter Description
SYN Protection Table: The number of entries in the SYN Protection Table that stores data regarding the delayed binding process. An entry in the table exists from the time the client completes the handshake until the handshake is complete.
The number of entries in the SYN Protection Table after reset.
Values: 10 to 500,000
Default: 200,000
SYN Protection Requests Table: The number of entries in the SYN Protection Requests Table that stores the ACK or data packet that the client sends, until the handshake with the server is complete and the packet is sent to the server.
The number of entries in the SYN Protection Requests Table after reset.
Values: 10 to 500,000
Default: 200,000
SYN Protection Attack Detection Entries: The number of entries in the table that stores active triggers, that is, the destination IP addresses and destination ports in SYN Flood Protection profiles.
Values: 1000 to 20,000
Default: 1000
Note: There are several reasons that can cause the table to become full, including:
- Too many services in the protected networks: This can happen in extremely large networks.
- Too many protected services: If there are too many services running in the protected network, or if all TCP ports are protected by SYN Protection, this can cause problems in some networks, for example, ones that use multiple TCP ports to provide a service, such as gaming applications.
- A vertical TCP-SYN flood: If attackers are using an attack technique that repeatedly performs high-rate scans on the entire protected range.
Possible solutions for a full table:
- Apply the protection only to networks that have protected services and not to normal enterprise host computers.
- Remove some of the protected protocols: If you are unnecessarily protecting all TCP ports by SYN protection, remove SYN protection and apply the policy only on relevant services.
- Increase the table size: Be aware that increasing the table size consumes memory allocation and you must reboot the system.
SYN Statistics Entries: The number of entries in the SYN Flood Statistics table.
Values: 1000 to 20,000
Default: 1000
Diagnostics Tuning
Use the Diagnostics Tools Tuning pane to set the number of Diagnostics policy entries in the
tuning table to save memory and limit the policy size.
The changes take effect after the reset.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.
Signaling
DDoS Protector can expose situational signals through the DDoS Protector SOAP API and attack
data to specified syslog servers. A Network Operation Center (NOC) or Security Operation Center
(SOC) situated in the cloud can use the signals to monitor and control attack situations.
For example, if a DDoS Protector appliance, working as customer premises equipment (CPE), is
configured to detect low-volume attacks, when a DoS attack starts, the signals will alert the NOC
or SOC that an attack has started. Then, using the information, the NOC or SOC can divert traffic
through additional mitigation appliances in the cloud, and thus, prevent pipe saturation.
Typically, in the context of DDoS Protector signaling, NOCs are carriers, and SOCs are
managed-security-service providers (MSSPs).
When signaling is enabled:
- DDoS Protector exposes situational data through its SOAP interface. The data includes appliance-health information, traffic statistics, and management information. Under normal circumstances, that is, when there is no attack, the SOAP queries and responses get through. However, during attacks, the pipe may be saturated, and the SOAP queries and responses get lost.
- When DDoS Protector detects an attack, DDoS Protector sends signals to a specified syslog server. The signals include the attack events and, optionally, additional attack data.
For information on the SOAP API and syslog signals, see the DDoS Protector Signaling API
Integration Guide.
You configure signaling policies to send signals to a syslog server configured in the DDoS
Protector appliance. The configuration of each signaling policy specifies the Network Protection
policies, Server Protection policies, and protection types.
Signaling Global
Use the Global Parameters pane to enable or disable signaling.
Signaling Policies
Use the Signaling Policies pane to configure signaling policies.
Default: All
Default: All
Parameter Description
Customer Name: The name of the customer, which is included in the alert messages.
Maximum characters: 32
Customer Description: The description of the customer, which is included in the alert messages. This description can include, for example, details of the specific appliance or environment.
Maximum characters: 100
Pipe Size: The total size, in Mbps, of the ISP link of the customer. DDoS Protector uses this value to calculate the pipe-utilization percentage, which is included in attack alerts.
Syslog Server: The syslog server to which DDoS Protector sends the attack alert signals.
Source Groups
Source Group Configuration for Network Policies
Use the Source Group Configuration for Network Policies pane to configure Network-Policy
Source Groups for the signaling policy.
Diagnostics
Capture
Diagnostics Capture Parameters
The Traffic Capture tool captures packets that enter the appliance, leave the appliance, or both. The captured traffic is in TCPDUMP format. You can download the captured packets and analyze the traffic using Unix snoop or various tools. For remote administration and debugging, you can also send captured traffic to a terminal (CLI, Telnet, and SSH). You can specify where the appliance captures packets to get a better understanding of the traffic flow, especially if the appliance manipulates the packets due to NAT, traffic from a VIP to a real server, and so on.
Notes:
- To see the actual timestamp of the packets in the files that the diagnostic packet-capture tool produces, in the packet analyzer (for example, Wireshark), you may need to modify the format of the time display. The timestamp in the packets in the files that the diagnostic packet-capture tool produces is always UTC.
- The diagnostic packet-capture tool cannot capture packets that pass through the appliance as the result of Traffic Exclusion. Traffic Exclusion is when DDoS Protector passes through all traffic that matches no network policy configured on the appliance.
- The diagnostic packet-capture tool truncates packets longer than 1619 bytes (regardless of the configuration for jumbo frames).
The Traffic Capture tool uses the following format for packet capture files:
capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap
Trace
Debug Trace Parameters
The Trace-Log tool provides data on the traffic flow within the appliance. The feature is intended
for debugging purposes only.
Enabling this feature may cause severe performance degradation.
DDoS Protector uses the following format for Trace-Log files:
trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt
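The packet-capture and Trace-Log file names above share one layout, and a device name may itself contain underscores. The following Python parser, added here as an example and not part of the product, splits either name into tool, device, timestamp and file number and orders a constructed list of names chronologically per device; it assumes the file-name timestamp uses the same UTC clock the guide states for packet timestamps.

```python
import re
from datetime import datetime, timezone

# Pattern for the two formats quoted in the guide. The device name is matched
# greedily because it may contain underscores; the fixed-width date, time and
# file number at the end anchor the split. Constructed for this example.
_DIAG_NAME = re.compile(
    r"^(?P<tool>capture|trace_log)_(?P<device>.+)_(?P<date>\d{8})_(?P<time>\d{6})"
    r"_(?P<num>\d+)\.(?P<ext>cap|txt)$"
)
_EXPECTED_EXT = {"capture": "cap", "trace_log": "txt"}


def parse_diag_filename(name):
    """Return tool, device, UTC timestamp and file number for a diagnostic file name.

    Raises ValueError for names that do not follow the format, for a tool/extension
    mismatch, and for an impossible date or time (delegated to datetime).
    """
    m = _DIAG_NAME.match(name)
    if not m or _EXPECTED_EXT[m["tool"]] != m["ext"]:
        raise ValueError("not a DDoS Protector diagnostic file name: %r" % name)
    d, t = m["date"], m["time"]
    # ddMMyyyy and hhmmss are fixed width, so plain slicing is unambiguous.
    stamp = datetime(int(d[4:8]), int(d[2:4]), int(d[0:2]),
                     int(t[0:2]), int(t[2:4]), int(t[4:6]),
                     tzinfo=timezone.utc)  # assumption: file name clock is UTC
    return {"tool": m["tool"], "device": m["device"],
            "timestamp": stamp, "number": int(m["num"])}


def order_diag_files(names):
    """Sort file names by device, tool, timestamp and file number; skip unrelated files."""
    parsed = []
    for n in names:
        try:
            parsed.append((parse_diag_filename(n), n))
        except ValueError:
            continue
    parsed.sort(key=lambda p: (p[0]["device"], p[0]["tool"],
                               p[0]["timestamp"], p[0]["number"]))
    return [n for _, n in parsed]


# Constructed sample directory listing (device names are invented for the example).
SAMPLE_FILES = [
    "trace_log_dp_edge_1_13102016_142530_1.txt",
    "capture_dp_edge_1_13102016_142530_2.cap",
    "capture_dp_edge_1_13102016_142530_1.cap",
    "capture_dp_core_01102016_090000_1.cap",
    "capture_dp_edge_1_12102016_235959_1.cap",
    "config_backup.txt",
]

if __name__ == "__main__":
    for n in order_diag_files(SAMPLE_FILES):
        info = parse_diag_filename(n)
        print(info["device"], info["tool"], info["timestamp"].isoformat(), info["number"])
```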
Parameter Description
Output To Terminal: Specifies whether the appliance sends Trace-Log data to the terminal.
Values: Enabled, Disabled
Default: Disabled
Output To Syslog Server: Specifies whether the appliance sends Trace-Log data to a syslog server.
Values: Enabled, Disabled
Default: Disabled
Date: Specifies whether the date that the message was generated is included in the Trace-Log message.
Time: Specifies whether the time that the message was generated is included in the Trace-Log message.
Platform Name: Specifies whether the platform MIB name is included in the Trace-Log message.
File Name: Specifies whether the output file name is included in the Trace-Log message.
Line Number: Specifies whether the line number in the source code is included in the Trace-Log message.
Module Name: Specifies whether the name of the traced module is included in the Trace-Log message.
Task Name: Specifies whether the name of the specific task of the traced module is included in the Trace-Log message.
Trace Modules
To help pinpoint the source of a problem, you can specify which DDoS Protector modules the
Trace-Log feature works on and the log severity for each module. For example, you can specify
that the Trace-Log feature traces only the Health Monitoring module to understand why a specific
health check fails.
Status: Specifies whether the Trace-Log feature is enabled for the module.
Severity: The lowest severity of the events that the Trace-Log includes for this module. The default varies according to module.
Trace Files
DDoS Protector can store the output of the diagnostic tools in RAM and in the CompactFlash.
If the appliance is configured to store the output in the CompactFlash, when the data size in RAM
reaches its limit, the appliance appends the data chunk from RAM to the file on the CompactFlash
drive. For each enabled diagnostic tool, DDoS Protector uses two temporary files. When one
temporary file reaches the limit (1 MB), DDoS Protector stores the information in the second
temporary file. When the second temporary file reaches the limit (1 MB), DDoS Protector
overwrites the first file, and so on. When you download a CompactFlash file, the file contains both
temporary files.
Use the Diagnostic Tools Files Management pane to download or delete files from the RAM or
CompactFlash.
Action: The action that you can take on the stored data.
The values for Action are:
- download: Starts the download process of the selected data.
- delete: Deletes the selected file.
2. From the Action column, select the action, Download or Delete.
3. Follow the instructions.
Diagnostics Policies
In most cases, there is no need to capture all the traffic passing through the appliance. Using
diagnostic policies, the appliance can classify the traffic and store only the required information.
To reuse the policy, edit the policy and set it again.
Parameter Description
Index: The number of the policy in the order in which the diagnostics tool classifies (that is, captures) the packets.
Default: 1
VLAN Tag Group: The VLAN Tag group whose packets the policy classifies (that is, captures).
Source: The source IP address or predefined class object whose packets the policy classifies (that is, captures).
Default: any (the diagnostics tool classifies, that is, captures, packets with any source address).
Outbound Port Group: The port group whose outbound packets the policy classifies (that is, captures).
You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
Inbound Port Group: The port group whose inbound packets the policy classifies (that is, captures).
Service Type: The service type whose packets the policy classifies (that is, captures).
Values:
None
Basic Filter
AND Group
OR Group
Default value: None
Service: The service whose packets the policy classifies (that is, captures).
Destination MAC Group: The Destination MAC group whose packets the policy classifies (that is, captures).
Source MAC Group: The Source MAC group whose packets the policy classifies (that is, captures).
Maximal Number of Packets: The maximal number of packets the policy captures. Once the policy captures the specified number of packets, it stops capturing traffic. In some cases, the policy captures fewer packets than the configured value. This happens when the appliance is configured to drop packets.
Maximal Packet Length: The maximal length for a packet the policy captures.
Capture Status: Specifies whether the packet-capture feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
Trace-Log Status: Specifies whether the Trace-Log feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
Syslog Reporting
Event traps can be mirrored to up to five syslog servers. For each DDoS Protector appliance, you
can configure the appropriate information. Any traps generated by the appliance will be mirrored
to the specified syslog servers.
Parameter Description
Syslog Server Operational Status: Specifies whether the syslog server is enabled.
Default: Enabled
Syslog Server Facility: The type of appliance of the sender. This is sent with syslog messages.
You can use this parameter to:
- Distinguish between different appliances
- Define rules that split messages
Values:
Authorization Messages
Clock Daemon
Clock Daemon2
FTP Daemon
Kernel Messages
Line Printer Subsystem
Local 0
Local 1
Local 2
Local 3
Local 4
Local 5
Local 6
Local 7
Log Alert
Log Audit
Mail System
Network News Subsystem
NTP Daemon
Syslogd Messages
System Daemons
User Level Messages
UUCP
Default value: Local Use 6
Syslog Server Protocol: The protocol that the appliance uses to send syslog messages.
Values:
- UDP: The appliance sends syslog messages using UDP. That is, the appliance sends syslog messages with no verification of message delivery.
- TCP: The appliance sends syslog messages using TCP. That is, the appliance verifies the message delivery. The appliance holds undelivered messages in a backlog. As soon as the connection to the syslog server is re-established, the appliance sends them. If the backlog is full (100 messages, non-configurable), the appliance replaces lower-priority messages with higher-priority messages (FIFO).
- TLS: The appliance sends syslog messages using TCP with Transport Layer Security (TLS) and uses the CA certificate specified in the CA Certificate Name field. That is, the appliance verifies message delivery. The appliance holds undelivered messages in a backlog. As soon as the connection to the syslog server is re-established, the appliance sends them. If the backlog is full (100 messages, non-configurable), the appliance replaces lower-priority messages with higher-priority messages (FIFO).
Default: UDP
Report notification of lost syslog messages to your network administrator.
Syslog Server CA Certificate: The name of the CA certificate in the Certificate Table that the appliance uses to send syslog messages when TLS is selected in the Syslog Server Protocol field.
Syslog Security Sending: Specifies whether the appliance sends security-event reports to the syslog server. Security events include all events related to attack detection and mitigation: start, ongoing, occurred, sampled, and terminated.
Default: Enabled
Syslog User Audit Sending: Specifies whether the appliance sends audit-event reports to the syslog server. Audit events include all events related to user operations, for example, login attempts and configuration changes.
Default: Enabled
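The facility list and the TCP/TLS backlog behaviour above can be modelled in a few lines. The following Python example, added here and not DDoS Protector code, computes the syslog <PRI> value (facility * 8 + severity, per RFC 5424) for the facility names in the table and implements a bounded backlog that displaces the oldest lowest-priority message when full; the eviction rule is one reading of the guide's wording, and the severity names and the sample messages are assumptions.

```python
# Numeric facility codes from RFC 5424, Table 1, keyed by the names the guide lists.
FACILITY_CODES = {
    "Kernel Messages": 0, "User Level Messages": 1, "Mail System": 2,
    "System Daemons": 3, "Authorization Messages": 4, "Syslogd Messages": 5,
    "Line Printer Subsystem": 6, "Network News Subsystem": 7, "UUCP": 8,
    "Clock Daemon": 9, "FTP Daemon": 11, "NTP Daemon": 12, "Log Audit": 13,
    "Log Alert": 14, "Clock Daemon2": 15,
}
FACILITY_CODES.update({"Local %d" % i: 16 + i for i in range(8)})
FACILITY_CODES["Local Use 6"] = FACILITY_CODES["Local 6"]  # spelling used for the default

# RFC 5424 severity codes; 0 is the most urgent. Names are this example's choice.
SEVERITY_CODES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_pri(facility_name, severity_name):
    """Return the <PRI> value a message with this facility and severity carries."""
    return FACILITY_CODES[facility_name] * 8 + SEVERITY_CODES[severity_name]


class SyslogBacklog:
    """Bounded FIFO backlog held while the TCP/TLS connection to the server is down.

    Assumed eviction rule (one reading of "replaces lower-priority messages with
    higher-priority messages (FIFO)"): when the backlog is full, a new message
    displaces the oldest queued message whose severity is strictly worse than its
    own; if no queued message is worse, the new message is dropped instead.
    """

    def __init__(self, capacity=100):  # 100 is the non-configurable size in the guide
        self.capacity = capacity
        self._queue = []    # (severity code, text), oldest first
        self.dropped = []   # texts lost while the server was unreachable

    def offer(self, severity_name, text):
        """Queue a message; return True if it was kept, False if it was dropped."""
        sev = SEVERITY_CODES[severity_name]
        if len(self._queue) < self.capacity:
            self._queue.append((sev, text))
            return True
        worst = max(s for s, _ in self._queue)  # highest code = lowest priority
        if worst <= sev:
            self.dropped.append(text)           # nothing queued is less important
            return False
        for i, (s, t) in enumerate(self._queue):
            if s == worst:                      # oldest of the least important
                del self._queue[i]
                self.dropped.append(t)
                break
        self._queue.append((sev, text))
        return True

    def flush(self):
        """Return queued texts in FIFO order once the connection is re-established."""
        out = [t for _, t in self._queue]
        self._queue.clear()
        return out


if __name__ == "__main__":
    print("PRI for Local Use 6 / notice:", syslog_pri("Local Use 6", "notice"))
    b = SyslogBacklog(capacity=3)
    for sev, txt in [("notice", "n1"), ("notice", "n2"), ("notice", "n3"),
                     ("info", "i1"), ("error", "e1")]:
        print(txt, "kept" if b.offer(sev, txt) else "dropped")
    print("sent on reconnect:", b.flush(), "lost:", b.dropped)
```

Because the backlog is small and non-configurable, a long outage still loses messages; the returned `dropped` list is what the "report notification of lost syslog messages" advice above refers to.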
Daylight Saving
DDoS Protector supports daylight savings time. You can configure the daylight savings time start
and end dates and times. During daylight savings time, the appliance automatically adds one hour
to the system clock. The appliance also specifies whether it is on standard time or daylight saving
time.
When the system clock is manually configured, the system time is changed only when daylight
saving time starts or ends. When daylight saving time is enabled during the daylight saving time
period, the appliance does not change the system time.
Daylight Saving Begins [dd/mm:hh]: The start date and time for daylight saving time.
Daylight Saving Ends [dd/mm:hh]: The end date and time for daylight saving time.
Management Interfaces
Telnet
You can use Telnet to access the DDoS Protector.
Use the Telnet Parameters pane to configure the connectivity settings.
Parameter Description
Telnet Session Timeout: The period of time, in minutes, that the appliance maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1 to 120
Default: 5
To avoid affecting appliance performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
Telnet Authentication Timeout: The timeout, in seconds, required to complete the authentication process.
Values: 10 to 60
Default: 30
Web Server
Web Server Parameters
Use the Web Server Parameters pane to configure Web server connectivity for Web Based
Management (WBM).
Parameter Description
Web Server Status: Specifies whether to enable access to the Web server.
Web Authentication Timeout: The idle time, in seconds, after which DDoS Protector requests a Web Based Management user to log in again. This also applies to Secure Web users.
Default: 300
Web Help Location: The location (path) of the Web help files.
Secured Web Port: The port through which HTTPS gets requests.
Default: 443
Secured Web Status: Specifies whether to enable secured access to the Web server.
Secured Web Certificate File: The SSL certificate that the HTTPS server uses for encryption.
Caution: For security reasons, Check Point recommends that you replace the out-of-the-box certificate issued by Check Point with a certificate issued by a Certificate Authority (CA) of your choice.
Web Services
Use the Web Services pane to enable or disable Web Services.
The management port link must be up to change these settings.
SSL
Weak Ciphers
Configure whether an appliance can use weak ciphers. These are management connections over secure protocols with ciphers shorter than 128 bits.
SSH
Secure Shell Parameters
SSH (Secure Shell) is a protocol for secure remote connections and network services, over an
insecure network. Using this feature enables a secure alternative to Telnet connections, and lets
you configure the appliance through the Web Based Management.
SSH Port: The source port for the SSH server connection.
Default: 22
SSH Session Timeout: The period of time, in minutes, that the appliance maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1 to 120
Default: 5
To avoid affecting appliance performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
Event Log
You can show a log of the events on the appliance.
Network Time Protocol (NTP)
NTP Polling Interval: The interval, in seconds, between time queries sent to the NTP server.
Default: 64
NTP Server Port: The access port number for the NTP server.
Default: 123
RADIUS
DDoS Protector provides additional security and authenticates the users who access an appliance for management purposes. With RADIUS authentication, you can use RADIUS servers to determine whether a user is allowed to access appliance management using CLI, Telnet, SSH, or Web Based Management. You can also select whether to use the appliance User Table when RADIUS servers are not available.
Note: The DDoS Protector managed appliances must have access to the RADIUS server, and the RADIUS server must allow appliance access.
Parameter Description
Main Radius Port No.: The access port number of the primary RADIUS server.
Values: 1645, 1812
Default: 1645
Main Radius Secret: The authentication password for the primary RADIUS server.
Maximum characters: 64
When DefensePro stores the Secret, it is encrypted. Therefore, the length of the Secret in the configuration file is longer than the number of characters that you configured.
Backup Radius Port No.: The access port number of the backup RADIUS server.
Values: 1645, 1812
Default: 1645
Backup Radius Secret: The authentication password for the backup RADIUS server.
Maximum characters: 64
When DefensePro stores the Secret, it is encrypted. Therefore, the length of the Secret in the configuration file is longer than the number of characters that you configured.
Radius Timeout: The time, in seconds, that the appliance waits for a reply from the RADIUS server before a retry, or, if the Retries value is exceeded, before the appliance acknowledges that the server is offline.
Default: 1
Radius Retries: The number of connection retries to the RADIUS server after the RADIUS server does not respond to the first connection attempt. After the specified number of Retries, if all connection attempts have failed (Timeout), the backup RADIUS server is used.
Default: 2
Radius Client Life time: The time, in seconds, for the client authentication. After the client lifetime expires, the appliance re-authenticates the user.
Default: 30
SMTP
You can configure the appliance to send information messages via e-mail to appliance users. This
feature can be used for sending trap information via e-mail. When you configure appliance users,
you can specify whether an individual user should receive notifications via e-mail and the minimal
event severity reported via SNMP traps and e-mail. The user will receive traps of the configured
severity and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP
notifications are enabled globally for the appliance.
For example, you can optimize the appliance mailing process to gather security and system
events. It sends them in a single notification message when the buffer is full, or when a timeout of
60 seconds expires.
To receive e-mails about errors, you need to set the e-mail address and severity level in the Users Table for each user.
SMTP Alternate Server Address: The IP address of an alternative SMTP server. The alternate SMTP server is used when an SMTP connection cannot be established successfully with the main SMTP server, or when the main SMTP server closed the connection. The appliance tries to establish a connection to the main SMTP server, and starts re-using it when available.
Own Email Address: The mail address that appears in the Sender field of e-mail messages generated by the appliance, for example, appliance1@domain.com
SMTP Status: Specifies whether the e-mail client is enabled, which supports features that are related to sending e-mail messages.
Default: disable
Send emails On Errors: Specifies whether the appliance sends notifications via e-mail.
Default: Disable
DNS Client Parameters
DNS Client: Specifies whether the DDoS Protector appliance operates as a DNS client to resolve IP addresses.
Values: Enabled, Disabled
Default: Disabled
Primary DNS Server: The IP address of the primary DNS server to which DDoS Protector sends queries.
Alternate DNS Server: The IP address of the alternative DNS server to which DDoS Protector sends queries.
Auditing
Configuration Auditing is the process of logging every configuration change and activity to a log server. When Configuration Auditing is enabled, the appliance tracks the changes made to the configuration by sending an SNMP trap and a syslog message (if syslog is enabled and configured).
Configuration Auditing can be enabled or disabled for all users and all management interfaces. To prevent overloading the appliance and degrading performance, the feature is disabled by default.
Router
In This Section:
IP Router .......................................................................................................................70
Routing Table ................................................................................................................72
ARP Table ......................................................................................................................73
IP Router
Operating Parameters
Use the IP Router Parameters pane to monitor, add, and edit router settings.
Inactive ARP Timeout The time, in seconds, that inactive ARP cache entries can remain
in the ARP table before the appliance deletes them. If an ARP
cache entry is not refreshed within a specified period, it is
assumed that there is a problem with that address.
Default: 60,000
ARP Proxy Specifies whether the appliance responds to ARP requests for
nodes located on a different direct sub-net. (The appliance
responds with its own MAC address.)
Values:
Enabled The appliance responds to all ARP requests.
Disabled The appliance responds only to ARP requests for
its own IP addresses.
Default: Disabled
ICMP Error Messages Specifies whether ICMP error messages are generated.
Interface Parameters
Use the IP Router Parameters pane to monitor, add, and edit router settings.
To configure an interface:
1. Select Router > IP Router > Interface Parameters.
To add an entry, click Create.
To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description
Fwd Broadcast Specifies whether the appliance forwards incoming broadcasts to this
interface.
Broadcast Addr Specifies whether to fill the host ID in the broadcast address with ones
or zeros.
Advert. Address The destination IP address for multicast Router Advertisements sent
from the interface. Possible values are the all-systems multicast
address, 224.0.0.1, or the limited-broadcast address, 255.255.255.255.
Max Advert. Interval The maximum time, in seconds, between multicast Router
Advertisements from the interface. Possible values are between the
Minimum Advert Interval defined below and 1800 seconds.
Min Advert. Interval The minimum time, in seconds, between sending unsolicited multicast
Router Advertisements from the interface. Possible values are
between 3 seconds and the maximum interval defined above. The
default value is 0.75 of the Maximum Interval.
Advert. Lifetime The maximum time, in seconds, the advertised addresses are
considered valid. Must be no less than Maximum Interval defined
above, and no greater than 9000 seconds. Default value is three times
the Maximum Advert Interval.
Preference Level The preference level of the address as a default router address,
relative to other router addresses on the same subnet.
Reset to Defaults Resets the ICMP interface parameters to the default values.
Routing Table
DDoS Protector supports IP routing compliant with RFC1812 router requirements. Dynamic
addition and deletion of IP interfaces is supported. This ensures that extremely low latency is
maintained.
IP router supports RIP I, RIP II and OSPF routing protocols. OSPF is an intra-domain IP routing
protocol, intended to replace RIP in bigger or more complex networks. OSPF and its MIB are
supported as specified in RFC 1583 and RFC 1850, with some limitations.
To configure a route:
1. Select Router > Routing Table.
To add an entry, click Create.
To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description
Next Hop The address of the next system of this route, local to the interface.
Interface Index The IF Index of the local interface through which the next hop of this
route is reached.
ARP Table
Use the ARP (Address Resolution Protocol) Table pane to update and create ARP addresses on the
local route.
IP Address
MAC Address
Type Values:
Other
Invalid
Dynamic - The entry is learned from the ARP protocol. If the entry is not
active for a predetermined time, the node is deleted from the table.
Static - The entry is configured by the network management station and
is permanent.
DDoS Protector
In This Section:
DoS Signatures .............................................................................................................74
Server Protection ..........................................................................................................94
Denial of Service .........................................................................................................110
Authentication Tables .................................................................................................170
Intrusion Protection and Anti-Scanning ....................................................................171
White List and Black List ............................................................................................175
Policies ........................................................................................................................184
Global - Suspend Table - Parameters .......................................................................191
Reporting.....................................................................................................................193
Attack Database ..........................................................................................................201
Activate Latest Changes .............................................................................................201
Packet Anomaly Attacks .............................................................................................201
Service Discovery ........................................................................................................206
Restore Default Configuration ...................................................................................208
DoS Signatures
Application Security Global Parameters
Application Security is a mechanism that delivers advanced attack detection and prevention
capabilities. This mechanism is used by several security modules to provide maximum protection
for network elements, hosts and applications.
MAX URI Length The maximum URI length permitted. If URI is longer than the
configured value, this URI is considered as illegitimate and is
dropped.
Default: 500
MIN fragmented URI packet Size The minimum permitted size, in bytes, of an incomplete URI in
an HTTP request. A shorter packet length is treated as URI
protocol anomaly and is dropped.
Default: 50
Security Tracking Tables Free-Up Frequency [ms] How often, in milliseconds, the appliance clears
unnecessary entries from the table, and stores information about newly
detected security events.
Default: 1250
Unicode Encoding The language encoding (the language and character set) to
use for detecting security events.
Session-Drop Mechanism Status When enabled, terminates the whole session when a single
malicious packet is recognized.
Default: enable
Sampling Rate The rate at which packets are sampled and compared to the Dormant
Attacks. You configure a number that specifies once per how many
packets the sampling is performed.
Default: 100, that is, 1 out of every 100 packets is checked.
Sampling Frequency How often, in seconds, DoS Shield compares the predefined thresholds
for each Dormant Attack to the current value of counters of packets
matching the attack. Default: 5
OMPC Offset The location in the packet from which the checking of data is
started in order to find specific bits in the IP/TCP header.
Values: 0 to 65535
Default: 0
OMPC Offset Relative to Specifies the header or data region from which the OMPC Offset is counted.
Values:
None
IP Header
IP Data
L4 Data
Ethernet
L4 Header
IPV6 Header
Default: None
OMPC Pattern The fixed size pattern within the packet that OMPC rule attempts to
find.
Possible values: a combination of hexadecimal digits (0-9,
a-f). The value must be defined according to the OMPC Length
parameter.
The OMPC Pattern parameter definition must contain 8 symbols. If
the OMPC Length value is lower than fourBytes, pad the pattern
with trailing zeros.
For example, if OMPC Length is twoBytes, OMPC Pattern can
be: abcd0000.
Default: 00000000
OMPC Condition The OMPC condition can be either N/A, equal, notEqual,
greaterThan or lessThan.
Default: N/A
OMPC Length The length of the OMPC (Offset Mask Pattern Condition) data.
Values: None, oneByte, twoBytes, threeBytes, fourBytes
Default: None
Content Offset The location in the packet from which the checking of content is
started.
Values: 0 to 1513
Default: 0
Distance A range that defines the allowed distance between two content
characters. If the distance is beyond the specified range, it is
recognized as an attack.
Content Type Enables you to search for a specific content type, which you select
from a long list.
For the list of valid values, see the Content Types table below.
Default: None (the appliance does not filter the content based on
type).
Content Max Length The maximum length to be searched within the selected Content
Type.
Values: 0 to 65,535
Default: 0
The Content Max Length value must be equal to or greater than
the Offset value.
Content Data Encoding The encoding of the content data. The value of this field applies to
the Content parameter. DDoS Protector can search for data in
languages other than English, for case-sensitive or
case-insensitive data, and hexadecimal strings.
Values:
Not Applicable
Case Insensitive
Case Sensitive
HEX
International
Default: None
Content Encoding The encoding of the content. The value of this field applies to the
Content Type parameter. DDoS Protector can search for content in
languages other than English, for case-sensitive or
case-insensitive text, and hexadecimal strings.
Values:
Not Applicable
Case Insensitive
Case Sensitive
Hex
International
Default: None
The value of this field corresponds to the Content Type parameter.
Content Regular Expression Specifies whether the Content field value is formatted as a regular
expression (and not as free text to search). You can set a regex
search for all content types.
Content Data Reg Expression Specifies whether the Content Data value is formatted as a regular
expression (and not as free text to search).
Packet Size Type Specifies whether the length is measured for Layer 2, Layer 3,
Layer 4 or Layer 7 content.
Values:
L2 The complete packet length is measured, including Layer
2 headers.
L3 The Layer 2 data part of the packet is measured
(excluding the Layer 2 headers).
L4 The Layer 3 data part of the packet is measured
(excluding the Layer 2/Layer 3 headers).
L7 The L4 data part of the packet is measured (excluding the
Layer 2/Layer 3/Layer 4 headers).
None
Default: None
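The OMPC parameters above (Offset, Offset Relative to, Pattern, Condition and Length) describe a fixed-position byte comparison inside the packet. The following is an added example, not Check Point's code, showing how such a rule is evaluated over a raw frame. The base-offset resolution is an assumption for an untagged Ethernet II frame carrying IPv4 (the IPV6 Header option is not modelled, and "IP Data" is taken to start at the same position as "L4 Header"); the sample frame is constructed for the example.

```python
import struct

# OMPC Length values from the parameter table, as a byte count
LENGTHS = {"None": 0, "oneByte": 1, "twoBytes": 2, "threeBytes": 3, "fourBytes": 4}


def resolve_base(frame: bytes, relative_to: str) -> int:
    """Absolute byte position that a relative OMPC Offset counts from.

    Assumption: untagged Ethernet II + IPv4. "IPV6 Header" is not modelled;
    "IP Data" and "L4 Header" both start right after the IPv4 header.
    """
    eth = 14                                   # Ethernet II header length
    if relative_to in ("None", "Ethernet"):
        return 0
    if relative_to == "IP Header":
        return eth
    ihl = (frame[eth] & 0x0F) * 4              # IPv4 IHL field, in bytes
    if relative_to in ("IP Data", "L4 Header"):
        return eth + ihl
    if relative_to == "L4 Data":
        proto = frame[eth + 9]
        if proto == 6:                         # TCP: honour the data-offset field
            return eth + ihl + (frame[eth + ihl + 12] >> 4) * 4
        if proto == 17:                        # UDP: fixed 8-byte header
            return eth + ihl + 8
        return eth + ihl                       # other protocols: IP payload counts as L4 data
    raise ValueError(f"unsupported OMPC Offset Relative to value: {relative_to}")


def ompc_match(frame: bytes, offset: int, relative_to: str,
               pattern_hex: str, condition: str, length: str) -> bool:
    """Apply one OMPC rule to a frame; True when the condition holds."""
    n = LENGTHS[length]
    if n == 0 or condition == "N/A":
        return False                           # rule inactive (Length None / Condition N/A)
    if len(pattern_hex) != 8:
        raise ValueError("OMPC Pattern must be exactly 8 hex symbols, zero-padded on the right")
    pattern = bytes.fromhex(pattern_hex)[:n]   # only the first OMPC Length bytes are compared
    start = resolve_base(frame, relative_to) + offset
    field = frame[start:start + n]
    if len(field) < n:
        return False                           # packet too short to hold the field
    got, want = int.from_bytes(field, "big"), int.from_bytes(pattern, "big")
    return {"equal": got == want, "notEqual": got != want,
            "greaterThan": got > want, "lessThan": got < want}[condition]


def build_sample_frame() -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + TCP SYN to port 80 + a short payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + tcp + payload


if __name__ == "__main__":
    f = build_sample_frame()
    print("dst port 80 :", ompc_match(f, 2, "L4 Header", "00500000", "equal", "twoBytes"))
    print("SYN flag    :", ompc_match(f, 13, "L4 Header", "02000000", "equal", "oneByte"))
    print("payload GET :", ompc_match(f, 0, "L4 Data", "47455420", "equal", "fourBytes"))
```

Note that the pattern "abcd0000" from the text with Length twoBytes compares only the bytes ab cd; the zero padding is never compared, and a rule whose Length is None or whose Condition is N/A never matches.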
This table describes the Content types that you can configure the appliance to examine as part of
the attack signature.
Cookie The HTTP cookie field. The Content field includes the cookie name, and
the Content Data field includes the cookie value.
File Type The requested file type in the HTTP GET command (JPG, EXE, and so on).
FTP Command Parses FTP commands to commands and arguments, while normalizing
FTP packets and stripping Telnet opcodes.
FTP Content Scans data transmitted using FTP, normalizes FTP packets and strips
Telnet opcodes.
Header Field The HTTP Header field. The Content field includes the header field
name, and the Content Data field includes the field value.
HTTP Reply Data The data of the HTTP reply. This is available only on x412 appliances.
HTTP Reply Header The header of the HTTP reply. This is available only on x412 appliances.
MM7 File Attachment The file associated with the MM7 request.
Normalized URL To avoid evasion techniques when classifying HTTP requests, the URL
content is transformed into its canonical representation, interpreting the
URL the same way the server would.
The normalization procedure supports the following:
Directory referencing by reducing /./ into / or A/B/../ to A/.
Changing backslash (\) to slash (/).
Changing HEX encoding to ASCII characters. For example, the hex
value %20 is changed to a space.
Unicode support, UTF-8 and IIS encoding.
POP3 User The User field in the POP3 header.
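The Normalized URL content type above matches signatures against the canonical form of the request path rather than the raw bytes on the wire. The following is an added example, not Check Point's code, of the transformation steps the text lists: percent-decoding (including the IIS %uXXXX form, with multi-byte sequences reassembled as UTF-8), backslash to slash, and /./ and A/B/../ resolution. Decoding is done before dot-segment removal so that encoded dots and slashes cannot hide a directory step; the query-string handling and the sample URLs are assumptions made for the example.

```python
import re

_HEX2 = re.compile(r"[0-9a-fA-F]{2}")
_HEX4 = re.compile(r"[0-9a-fA-F]{4}")


def percent_decode(path: str) -> str:
    """Decode %XX escapes (as raw bytes, reassembled as UTF-8) and the IIS %uXXXX form."""
    out = bytearray()
    i = 0
    while i < len(path):
        if path[i] == "%" and path[i + 1:i + 2] in ("u", "U") and _HEX4.fullmatch(path[i + 2:i + 6]):
            out += chr(int(path[i + 2:i + 6], 16)).encode("utf-8")   # IIS %u encoding
            i += 6
        elif path[i] == "%" and _HEX2.fullmatch(path[i + 1:i + 3]):
            out.append(int(path[i + 1:i + 3], 16))                   # one raw byte
            i += 3
        else:
            out += path[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def remove_dot_segments(path: str) -> str:
    """Collapse /./ into / and A/B/../ into A/, never climbing above the root."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:          # out[0] is the empty segment before the leading slash
                out.pop()
            continue
        out.append(seg)
    return "/".join(out) or "/"


def normalize_url(url: str) -> str:
    """Canonicalise the path part of a request URL; the query string is kept verbatim."""
    path, sep, query = url.partition("?")
    path = percent_decode(path)
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return remove_dot_segments(path) + (sep + query if sep else "")


if __name__ == "__main__":
    for raw in ("/static\\..%2f..%2fadmin/index.html", "/a/./b/%20c", "/%u0041bc", "/caf%C3%A9"):
        print(f"{raw!r:45} -> {normalize_url(raw)!r}")
```

The order of the steps is the security-relevant detail: if dot segments were removed before decoding, an encoded "%2e%2e" would survive normalization and the signature would be matched against a path the server never sees.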
The Attributes list presents all the attributes that participate in the defined profiles. You can use
the existing attributes, add new attributes or remove attributes from the list.
Use the Signature Protection Attribute Types pane to view the Signature Protection Attribute
Types.
Parameter Description
Services Defines which protocols are used in your environment, for example
FTP, HTTP, DNS, and so on. Only attack signatures that match
these protocols are selected for protection rules.
Platform The type of operating systems that exist in the segment, which you
want to protect. For example, Windows, Linux, Unix and so on. Only
attack signatures that match these operating systems are selected
for protection rules.
Applications The type of applications used in the segment that you are
protecting. For example, web servers, mail servers, browser, and
other servers.
Threat Type The threats against which you are protecting your segment, for
example, buffer overflows, worms and so on.
Risk The level of attack severity. For example, attacks whose impact
on the network is very severe are defined as high risk attacks.
Attribute Values
Use the Signature Protection Attribute Values pane to define an intrusion prevention profile based
on the parameters that define the user environment, applications, threat type and risk
level.
Attribute Type Define the Attribute type from the Signature Protection Attribute Types (on
page 82) list.
Attacks
Static Attacks
The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks
to reflect specific needs of your network, or edit the existing attacks.
Use the Signature Protection Static Attack Configuration pane to edit existing attack parameters.
Attack Name (Read-only) The name for this attack. The Attack Name is used when
DoS Shield sends information about attack status changes.
Tracking Time The time, in milliseconds, in which the Threshold is measured. When a
number of packets that is greater than the threshold value passes
through the appliance, during this defined period, the appliance
recognizes it as an attack.
Value: 1000
Tracking Type Specifies how the protection determines which traffic to block or drop
when under attack.
Values:
Drop All Select this option when each packet of the defined attack
is harmful, for example, Code Red and Nimda attacks.
Source Count Select this option when the defined attack is
source-based that is, the attack can be recognized by its source
address, for example, a Horizontal Port Scan, where the hacker
scans a certain application port (TCP or UDP) to detect which
servers are available in the network.
Target Count Select this option when the defined attack is
destination-based, meaning the hacker is attacking a specific
destination such as a Web server, for example, Ping Flood and DDoS
attacks.
Source and Destination Count Select this option when the attack
type is a source and destination-based attack that is, the
hacker is attacking from a specific source IP to a specific
destination IP address, for example, Port Scan attacks.
landattack
fragments
ncpsdcan
dhcp
ftpbounce
bobo2K
Sampling Select this option when the defined attack is based on
sampling, that is a DoS Shield attack.
Action Mode The action that DDoS Protector takes when an attack is detected.
Values:
Drop DDoS Protector discards the packet.
Report Only DDoS Protector forwards the packet to the defined
destination.
Reset Source DDoS Protector sends a TCP-Reset packet to the
packet source IP address.
Reset Destination DDoS Protector sends a TCP-Reset packet to
the destination address.
Reset BiDirectional DDoS Protector sends a TCP-Reset packet to
both the packet source IP and the packet destination IP address.
MM7 If the packet contains a threat, the appliance drops the
message and sends an application-level error message to the
server to remove the message from the queue to prevent a
re-transmission. It contains Transaction ID, Content Length, and
Message ID.
Default: Drop
The following options are not relevant for DDoS Protector, and
selecting one may cause unexpected results:
HTTP 200 OK
HTTP 200 OK Reset Dest
HTTP 403 Forbidden
HTTP 403 Forbidden Reset Dest
State Enables or disables the Attack Status.
There are cases where you may need to temporarily disable an attack
from a static group. For example, if you suspect that a certain attack
introduces false positives, and you would like to disable that specific
attack only.
Setting the attack status to Disable means that the attack is disabled
but not removed from the group.
Direction A certain protection policy may contain attacks that should be searched
only for traffic from client to server or only on traffic from server to
client.
To provide simple and efficient scanning configuration you can set per
attack the traffic direction for which it is relevant.
Values:
Inbound On traffic from policy Source to policy Destination
Outbound On traffic from policy Destination to policy Source
In-Out Bound On all traffic between policy Source to policy
Destination
Suspend Action This functionality allows the user to define that for certain attacks, in
addition to the action defined in the attack, the appliance should also
suspend traffic from the IP address that was the source of the attack,
for a time.
Values:
None Suspend action is disabled for this attack.
SrcIP All traffic from the IP address identified as source of this
attack will be suspended.
SrcIP, DestIP Traffic from the IP address identified as source of
this attack to the destination IP under attack will be suspended.
SrcIP, DestPort Traffic from the IP address identified as source of
this attack to the application (destination port) under attack will be
suspended.
SrcIP, DestIP, DestPort Traffic from the IP address identified as
source of this attack to the destination IP and port under attack will
be suspended.
SrcIP, DestIP, SrcPort, DestPort Traffic from the IP address and
port identified as source of this attack to the destination IP and port
under attack will be suspended.
Active Threshold When this threshold is exceeded, the status of the attack is changed to
Currently Active. This is only relevant when the Attack Status was
configured as Dormant.
The maximum number of attack packets allowed in each Tracking Time
unit. Attack packets are recognized as legitimate traffic when they are
transmitted within the Tracking Time period.
When the value for Tracking Type is Drop All, the protection ignores
this parameter.
Exclude Src The source IP address or network whose packets the protection does
not inspect.
If you specify a value for Exclude Src, Exclude Dest cannot be None.
To exclude only by source IP address, for Exclude Src, type any.
Default: None
Drop Threshold After an attack has been detected, the appliance starts dropping
excessive traffic only when this threshold is reached. This parameter is
measured in PPS.
When the value for Tracking Type is Drop All, the protection ignores
this parameter.
Exclude Dest The destination IP address or network whose packets the protection
does not inspect.
If you specify a value for Exclude Dest, Exclude Src cannot be None.
To exclude only by source IP address, for Exclude Dest, type any.
Default: None
Term Threshold When the attack PPS rate drops below this threshold, the protection
changes the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All, the protection ignores
this parameter.
Packet Report Specifies whether the protection sends attack packets to the specified
physical port.
Packet Trace Specifies whether the protection sends attack packets to the specified
physical port.
Quarantine Specifies whether the appliance can quarantine all Web traffic from
internal hosts after matching this signature.
User Attacks
The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks
to reflect specific needs of your network, or edit the existing attacks.
Use the Signature Protection User Attack Configuration pane to create attack parameters.
Attack Name The name for this attack. The Attack Name is used when DoS Shield sends
information about attack status changes.
Tracking Time The time, in milliseconds, in which the Threshold is measured. When a number
of packets that is greater than the threshold value passes through the
appliance, during this defined time period, the appliance recognizes it as an
attack.
Value: 1000
Tracking Type Specifies how the protection determines which traffic to block or drop when
under attack.
Values:
Drop All Select this option when each packet of the defined attack is
harmful, for example, Code Red and Nimda attacks.
Source Count Select this option when the defined attack is
source-based that is, the attack can be recognized by its source address,
for example, a Horizontal Port Scan, where the hacker scans a certain
application port (TCP or UDP) to detect which servers are available in the
network.
Target Count Select this option when the defined attack is
destination-based, meaning the hacker is attacking a specific destination
such as a Web server, for example, Ping Flood and DDoS attacks.
Source and Destination Count Select this option when the attack type is a
source and destination-based attack that is, the hacker is attacking from
a specific source IP to a specific destination IP address, for example, Port
Scan attacks.
landattack
fragments
ncpsdcan
dhcp
ftpbounce
bobo2K
Sampling Select this option when the defined attack is based on
sampling, that is a DoS Shield attack.
Default: Sampling
Action Mode The action that DDoS Protector takes when an attack is detected.
Values:
Drop DDoS Protector discards the packet.
Report Only DDoS Protector forwards the packet to the defined
destination.
Reset Source DDoS Protector sends a TCP-Reset packet to the packet
source IP address.
Reset Destination DDoS Protector sends a TCP-Reset packet to the
destination address.
Reset BiDirectional DDoS Protector sends a TCP-Reset packet to both the
packet source IP and the packet destination IP address.
MM7 If the packet contains a threat, the appliance drops the message and
sends an application-level error message to the server to remove the
message from the queue to prevent a re-transmission. It contains
Transaction ID, Content Length, and Message ID.
Default: Drop
The following options are not relevant for DDoS Protector, and selecting one
may cause unexpected results:
HTTP 200 OK
HTTP 200 OK Reset Dest
HTTP 403 Forbidden
HTTP 403 Forbidden Reset Dest
State Enables or disables the Attack Status.
There are cases where you may need to temporarily disable an attack from a
static group. For example, if you suspect that a certain attack introduces false
positives, and you would like to disable that specific attack only.
Setting the attack status to Disable means that the attack is disabled but not
removed from the group.
Default: Enable
Direction A certain protection policy may contain attacks that should be searched only for
traffic from client to server or only on traffic from server to client.
To provide simple and efficient scanning configuration you can set per attack
the traffic direction for which it is relevant.
Values:
In Bound On traffic from policy Source to policy Destination
Out Bound On traffic from policy Destination to policy Source
In-Out Bound On all traffic between policy Source to policy Destination
Suspend Action This functionality allows the user to define that for certain attacks, in addition
to the action defined in the attack, the appliance should also suspend traffic
from the IP address that was the source of the attack, for a time.
Values:
None Suspend action is disabled for this attack.
SrcIP All traffic from the IP address identified as the source of this attack
will be suspended.
SrcIP, DestIP Traffic from the IP address identified as source of this
attack to the destination IP under attack will be suspended.
SrcIP, DestPort Traffic from the IP address identified as source of this
attack to the application (destination port) under attack will be suspended.
SrcIP, DestIP, DestPort Traffic from the IP address identified as source of
this attack to the destination IP and port under attack will be suspended.
SrcIP, DestIP, SrcPort, DestPort Traffic from the IP address and port
identified as source of this attack to the destination IP and port under attack
will be suspended.
Default: None
Active Threshold The maximum number of attack packets allowed in each Tracking Time unit.
Attack packets are recognized as legitimate traffic when they are transmitted
within the Tracking Time period.
When this threshold is exceeded, the status of the attack is changed to
Currently Active. This is only relevant when the Attack Status was configured as
Dormant.
When the value for Tracking Type is Drop All, the protection ignores this
parameter.
Default: 50
Exclude Src The source IP address or network whose packets the protection does not
inspect.
If you specify a value for Exclude Src, Exclude Dest cannot be None.
To exclude only by source IP address, for Exclude Src, type any.
Default: None
Drop Threshold After an attack has been detected, DDoS Protector starts dropping excessive
traffic only when this threshold is reached. This parameter is measured in PPS.
When the value for Tracking Type is Drop All, the protection ignores this
parameter.
Default: 50
Exclude Dest The destination IP address or network whose packets the protection does not
inspect.
If you specify a value for Exclude Src, Exclude Dest cannot be None.
To exclude only by source IP address, for Exclude Src, type any.
Default: None
Term Threshold When the attack PPS rate drops below this threshold, the protection changes
the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All, the protection ignores this
parameter.
Default: 50
Packet Report You can view a capture of an individual attack packet using Packet Reporting.
Enable or disable packet reporting for the specific attack.
Default: disable
Packet Trace Specifies whether the protection sends attack packets to the specified physical
port.
Default: disable
Quarantine Specifies whether the appliance can quarantine all Web traffic from internal
hosts after matching this signature.
Default: disable
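The Static Attacks and User Attacks tables above describe the same rate-based state machine: packets are counted per Tracking Time, the attack becomes Currently Active once a window exceeds Active Threshold, excess traffic is dropped only above Drop Threshold, and the attack returns to inactive when the rate falls below Term Threshold. The following is an added example, not Check Point's code, that applies those four parameters with the page defaults (1000 ms and 50) to constructed traffic, keyed per source IP address as Tracking Type "Source Count" suggests. How the appliance ties the parameters together internally is not documented on this page, so the window handling and the per-source keying are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class AttackConfig:
    tracking_time_ms: int = 1000   # Tracking Time (page default 1000 ms)
    active_threshold: int = 50     # Active Threshold, packets per Tracking Time (page default 50)
    drop_threshold: int = 50       # Drop Threshold in PPS (page default 50)
    term_threshold: int = 50       # Term Threshold in PPS (page default 50)


@dataclass
class SourceState:
    window_start_ms: int = 0
    count: int = 0
    active: bool = False           # "Currently Active" once Active Threshold is exceeded


class SourceCountTracker:
    """Tracking Type 'Source Count': one counter per source IP address (assumed behaviour)."""

    def __init__(self, cfg: Optional[AttackConfig] = None):
        self.cfg = cfg or AttackConfig()
        self.state = defaultdict(SourceState)

    def packet(self, src_ip: str, now_ms: int) -> str:
        """Classify one packet from src_ip seen at now_ms as 'forward' or 'drop'."""
        cfg, st = self.cfg, self.state[src_ip]
        elapsed = (now_ms - st.window_start_ms) // cfg.tracking_time_ms
        if elapsed >= 1:
            # The previous window closed. If more than one window went by, the latest was empty.
            last_pps = (st.count if elapsed == 1 else 0) * 1000 / cfg.tracking_time_ms
            if st.active and last_pps < cfg.term_threshold:
                st.active = False          # Term Threshold: attack goes back to inactive
            st.window_start_ms += elapsed * cfg.tracking_time_ms
            st.count = 0
        st.count += 1
        if not st.active and st.count > cfg.active_threshold:
            st.active = True               # Active Threshold exceeded inside one Tracking Time
        drop_per_window = cfg.drop_threshold * cfg.tracking_time_ms / 1000
        if st.active and st.count > drop_per_window:
            return "drop"                  # excess traffic above Drop Threshold
        return "forward"


def simulate() -> dict:
    """Constructed traffic: an 80-packet burst inside one Tracking Time from 192.0.2.1,
    5 packets from an unrelated source, a quiet window (10 pps), then one more packet."""
    tr = SourceCountTracker()
    burst = [tr.packet("192.0.2.1", 100 + i) for i in range(80)]        # window 1
    other = [tr.packet("192.0.2.2", 100 + i) for i in range(5)]         # unrelated source
    quiet = [tr.packet("192.0.2.1", 1200 + 50 * i) for i in range(10)]  # window 2: 10 pps
    active_after_quiet = tr.state["192.0.2.1"].active
    late = tr.packet("192.0.2.1", 2300)                                 # window 3
    return {
        "burst_dropped": burst.count("drop"),       # packets 51..80 of the burst
        "other_dropped": other.count("drop"),
        "quiet_dropped": quiet.count("drop"),
        "active_after_quiet": active_after_quiet,   # window 2 judged on window 1 rate: still active
        "late": late,
        "active_at_end": tr.state["192.0.2.1"].active,  # window 2 rate < Term Threshold
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:20} {value}")
```

With Tracking Type "Drop All" the thresholds are ignored, as the tables state; the example models only the counted tracking types. The "late" packet is forwarded because the window that ended before it carried only 10 pps, below Term Threshold.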
Profiles
A Signature Protection profile contains one or more rules for the network segment you want to
protect. Each rule defines a query on the Signatures database. DDoS Protector activates
protections from the signature database that matches the set of rules. The user-defined profile is
updated each time you download an updated Signatures database.
To configure Signature Protection profiles, IPS protection must be enabled and global DoS Shield
parameters must be configured.
You can configure up to 300 Signature Protection profiles on a DDoS Protector appliance.
Each rule in the profile can include one or more entries from the various attribute types.
Rules define a query on the Signatures database based on the following logic:
Values from the same type are combined with logical OR.
Values from different types are combined with logical AND.
The rules are combined in the profile with a logical OR.
The relationship inside a signature between all filters is a logical AND.
Rules in the profile are implicit. That is, when you define a value, all signatures that match the
specific selected attribute, plus all the signatures that have no attribute of that type, are
included. This logic ensures that signatures that may be relevant to the protected network are
included even if they are not associated explicitly (by SOC) with the application in the network.
Static Profiles
The Static Profiles pane displays a list of the existing static profiles. You can view the filter groups
that make up a profile, and drill-down to see the filters in any one of the groups.
User Profiles
Security profiles aggregate attack groups and attacks. You can set one or more profiles for each
security module and then associate the protection profile with a policy.
Exclude Attacks
Use the Signature Protection Attacks Excluded Addresses Configuration pane to exclude
particular attacks from your network definitions.
Server Protection
Cracking Protection
Server Cracking Protection provides application-level protection that monitors error responses
from various applications and blocks hacking attempts from suspicious sources while allowing
legitimate traffic to pass.
Each Server Protection policy can include one Server Cracking Protection profile. You can use
Server Cracking profiles for multiple Server Protection policies. A Server Cracking Protection
profile specifies the protections that DDoS Protector applies to protect application servers in your
network against cracking attempts and other vulnerability scans. You can get more information on
the default configuration of each protection ("Server Protection Attacks" on page 101).
Sensitivity Parameter
The Sensitivity parameter of each Server Cracking protection defines thresholds for the quantity
and frequency of server-side error messages. DDoS Protector tracks server-side error messages
to trigger attack detection. High sensitivity means that only a few cracking attempts trigger the
protection, while Minor means that a very high number of attempts trigger the protection. The
default is Medium.
During the Attack state, the attacker is added to the Suspend table, which is the list of blocked
sources. When the user is released from the Suspend table, the monitoring interval is set again.
Normal state 20 15 10 5
Suspect state 40 30 15 10
Attack state 60 45 20 15
There may be cases where you need to tune the value of the Sensitivity parameter. For example, if
you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error
replies at an abnormal rate, which the appliance will falsely identify as an attack. In such a case,
set the sensitivity to Low.
Application-scanning and brute-force attempts are usually generated through multiple L4
connections. If the attack attempts use the same L4 connection (that is, a single TCP or UDP
connection), the detection sensitivity is automatically set to a higher value than the one
specified in the above table. Thus, the quantity and frequency of attempts needed to trigger the
protection action are lower.
Medium 40 10
Low 60 15
Minor 80 20
Medium 10 2
Low 15 4
Minor 20 6
Medium 30 1
Low 25 3
Minor 45 30
401 Unauthorized
403 Forbidden
409 Conflict
410 Gone
417 Unknown Resource-Priority
481 Call/Transaction Does Not Exist
485 Ambiguous
Attack Name The user-defined name for this attack. The Attack Name is used when DoS
Shield sends information about attack status changes.
Action Mode The action that DDoS Protector takes when an attack is detected.
Values:
Drop DDoS Protector discards the packets.
Report DDoS Protector forwards the packets to the defined destination.
Risk The risk assigned to this attack for reporting purposes.
Values: Info, Low, Medium, High
Direction The direction of the traffic to inspect. A protection may include attacks that
should be searched only for traffic from client to server or only on traffic from
server to client.
Values:
Inbound The protection inspects traffic from policy Source to policy
Destination.
Outbound The protection inspects traffic from policy Destination to policy
Source.
Inbound & Outbound The protection inspects all traffic between policy
Source and policy Destination.
Suspend Action Specifies what traffic to suspend for a period of time.
Values:
None Suspend action is disabled for this attack.
SrcIP All traffic from the IP address identified as the source of the attack
is suspended.
SrcIP, DestIP Traffic from the IP address identified as the source of the
attack to the destination IP address under attack is suspended.
SrcIP, DestPort Traffic from the IP address identified as source of the
attack to the application (destination port) under attack is suspended.
SrcIP, DestIP, DestPort Traffic from the IP address identified as the
source of the attack to the destination IP address and port under attack is
suspended.
SrcIP, DestIP, SrcPort, DestPort Traffic from the IP address and port
identified as the source of the attack to the destination IP address and port
under attack is suspended.
Sensitivity The detection sensitivity of the module. The sensitivity level defines thresholds for
the number and frequency of server-side error messages. These messages are
tracked for attack detection. High sensitivity means that only a few cracking attempts
trigger the protection. Minor sensitivity means that a very high number of attempts is
needed before the protection triggers.
Values: High, Medium, Low, Minor
Default: Medium
If you are protecting a Web server that is not maintained or not updated, it may
generate HTTP-error replies at an abnormal rate, which the appliance will
falsely identify as an attack. In such a case, set the sensitivity to Low.
Brute-force and dictionary attacks on SIP registrar and proxy servers.
SIP application scanning activities on SIP servers and SIP phones.
SIP DoS flood attacks on SIP servers and SIP phones. The types of attacks that are detected
through the SIP crack mechanism include those that use repeated spoofed REGISTER and INVITE
messages.
Pre-SPIT (Spam over IP Telephony) activities (TO TAG Invite messages are used).
DDoS Protector detects attacks based on the frequency and quantity of SIP reply codes. DDoS
Protector performs analysis of authentication, call initiation, registration processes, and reply
codes per source IP address and the SIP URI (SIP FROM).
A SIP server can send replies and error responses to clients either on the same connection or
open a new connection for this purpose. This is also applicable for UDP, where either the same
flow or a new one is used. To support such environments, the SIP Server Cracking protection can
monitor all outgoing messages from the protected server to the SIP Application Port Group or
from the SIP Application Port Group.
When DDoS Protector detects an attack, it does the following:
Adds the source IP address of the attacker to the Suspend table. The suspend entry will have
both the SIP port and the server IP address.
Blocks all traffic from the attacker to the protected server and to the SIP Application Port
group. The appliance also drops existing sessions or flows from the attacker to the protected
server and to the Application Port Group.
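The detection described above, for both the HTTP Server Cracking states (Normal, Suspect, Attack) and the SIP cracking tracking and suspend behaviour, modelled as an added Python example that is not the appliance's code: it counts the listed SIP reply codes per tracking key (source-ip, sip-uri or both) over a monitoring interval, escalates the state at the end of each interval, and writes a suspend entry holding the source IP, server IP and SIP port. The log line format, the 10 s interval, the "reset to Normal when below threshold" rule and the sensitivity column order of the threshold table (Minor, Low, Medium, High) are assumptions.

```python
"""Server Cracking detection model for SIP (or HTTP) error replies.

Added example with constructed data; the escalation rules are a simplified
reading of the guide, not the appliance's own implementation.
"""
import re
from collections import defaultdict

# SIP reply codes listed in the guide as tracked for cracking detection.
CRACK_REPLY_CODES = {401, 403, 409, 410, 417, 481, 485}

# Per-state thresholds from the guide's Normal/Suspect rows.
# ASSUMPTION: the columns are Minor, Low, Medium, High (High needs the fewest attempts).
STATE_THRESHOLDS = {
    "Normal":  {"Minor": 20, "Low": 15, "Medium": 10, "High": 5},
    "Suspect": {"Minor": 40, "Low": 30, "Medium": 15, "High": 10},
}
NEXT_STATE = {"Normal": "Suspect", "Suspect": "Attack"}

# Constructed (hypothetical) log format:
#   "<seconds> <src_ip> <server_ip>:<port> <from_uri> <reply_code>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\S+) (\d{3})$")


def tracking_key(src_ip, from_uri, tracking_type):
    """Key the counters per SIP-Crack Tracking type: sip-uri, source-ip or both."""
    if tracking_type == "source-ip":
        return (src_ip,)
    if tracking_type == "sip-uri":
        return (from_uri,)
    if tracking_type == "both":
        return (src_ip, from_uri)
    raise ValueError(f"unknown tracking type: {tracking_type}")


def detect(log_lines, sensitivity="Medium", tracking_type="both", interval=10):
    """Replay reply log lines and return (states, suspend_table).

    At the end of every monitoring interval a key whose counted error replies
    reached its current state's threshold escalates one state; otherwise it
    drops back to Normal. A key that reaches Attack is written to the suspend
    table as (source IP, server IP, SIP port) and stays there (release from
    the suspend table is not modelled here)."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:                                   # ignore malformed lines
            t, src, srv, port, uri, code = m.groups()
            events.append((int(t), src, srv, int(port), uri, int(code)))
    events.sort()                               # replay in time order

    state = defaultdict(lambda: "Normal")
    counts = defaultdict(int)
    endpoint = {}                               # key -> (src_ip, server_ip, port)
    suspend = set()

    def close_interval():
        for key in set(counts) | set(state):
            cur = state[key]
            if cur == "Attack":                 # already suspended
                continue
            if counts.get(key, 0) >= STATE_THRESHOLDS[cur][sensitivity]:
                state[key] = NEXT_STATE[cur]
                if state[key] == "Attack":
                    suspend.add(endpoint[key])
            else:
                state[key] = "Normal"
        counts.clear()

    window_end = None
    for t, src, srv, port, uri, code in events:
        if window_end is None:
            window_end = t + interval
        while t >= window_end:                  # roll over elapsed intervals
            close_interval()
            window_end += interval
        if code in CRACK_REPLY_CODES:
            key = tracking_key(src, uri, tracking_type)
            counts[key] += 1
            endpoint[key] = (src, srv, port)
    close_interval()
    return dict(state), suspend


def build_sample_log():
    """Constructed sample: one source repeatedly failing REGISTER (401/403
    replies) and one legitimate source receiving a single 401 challenge."""
    lines = []
    for t in range(40):                         # 40 s = four 10 s intervals
        lines.append(f"{t} 198.51.100.7 192.0.2.10:5060 sip:alice@example.test 401")
        if t % 2 == 0:
            lines.append(f"{t} 198.51.100.7 192.0.2.10:5060 sip:alice@example.test 403")
    lines.append("5 203.0.113.9 192.0.2.10:5060 sip:bob@example.test 401")
    return lines


if __name__ == "__main__":
    states, suspended = detect(build_sample_log(), sensitivity="Medium")
    print(states)
    print(suspended)
```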
Before you configure global SIP Cracking Protection, you must configure a profile that includes
SIP protection ("Server Protection Attacks" on page 101).
SIP-Crack Tracking type The data that the SIP Cracking feature monitors.
Values: sip-uri, source-ip, both
SIP-Crack Application-reset The SIP error code that is sent back to the source IP address.
Values:
ambiguous Event number 485. Request-URI is
ambiguous/not assigned.
busy-everywhere Event number 600. All possible
destinations are busy.
busy-here Event number 486. User busy.
decline Event number 603. Call rejected.
forbidden Event number 403.
not-acceptable-error Event number 406. Client Failure
Response. The resource identified by the request is only
capable of generating response entities that have content
characteristics but not acceptable according to the Accept
header field sent in the request.
not-acceptable-fail Event number 606. Global Failure
Response. The user's agent was contacted successfully, but
some aspects of the session description, such as the
requested media, bandwidth, or addressing style, were not
acceptable.
not-acceptable-here Event number 488. Some aspects of
the session description of the Request-URI are not acceptable.
not-found Event number 404. The user does not exist at the
specified domain.
request-terminated Event number 487. The request has been
terminated by a BYE or CANCEL.
temporarily-unavailable Event number 480. The user is
currently unavailable.
Default: not-acceptable-error
Protected Servers
Server Protection policies protect servers against targeted attacks.
For each Server Protection policy, you can specify one HTTP Flood protection profile, one Server
Cracking profile, and one VLAN tag. If the Server Protection policy contains a Server Cracking
profile and no HTTP Flood Protection profile, you can configure the policy for ranges, networks, or
a discrete IP address. If the Server Protection policy includes an HTTP Flood Protection profile,
you can configure the policy only for a discrete IP address. These profiles are activated when
DDoS Protector identifies an attack on a protected server.
You can configure up to 20 different Server Cracking profiles on a DDoS Protector appliance. You
can use the same Server Cracking profile for multiple Server Protection policies.
You can configure up to 280 Server Protection policies that include an HTTP Flood protection
profile.
You can configure up to 350 Server Protection policies that do not include an HTTP Flood
protection profile.
By default, DDoS Protector can protect up to 350 servers (with discrete IP addresses) that are
protected with Server Cracking profiles, but you can tune a DDoS Protector appliance to support
up to 10,000 servers.
Before you configure Server Protection profiles for a Server Protection policy, ensure that you
have enabled all the required protections and configured the corresponding global protection
parameters.
Parameter Description
HTTP mitigator Profile The HTTP-flood-mitigator profile that the appliance activates
against an attack.
Server Cracking Protection The Server Cracking profile that the appliance activates against an
attack.
State Values:
active The server protection is active.
inactive The server protection is inactive, but DDoS Protector
maintains baselines and the configuration of the associated
HTTP profile.
Default: active
Packet Trace Specifies whether the policy sends attack packets to the specified
physical port.
Default: Disabled
Packet Trace configuration on policy takes precedence Specifies whether the configuration of the
Packet Trace feature here, on this policy, takes precedence over the configuration of the
Packet Trace feature in the associated profiles.
Policy Name The name of the Network Protection policy to which this Server
Protection policy belongs.
Packet Report Specifies whether the appliance sends sampled attack packets to
APSolute Vision for off-line analysis.
Default: Disabled
Packet Report configuration on policy takes precedence Specifies whether the configuration of the
Packet Reporting feature here, on this policy, takes precedence over the configuration of the
Packet Reporting feature in the associated profiles.
Server Status The status of the server, especially in the context of the Service
Discovery mechanism.
Values:
static The server is a static member of the Server Protection
table, and it is protected if the State is active. If the server is a
discovered server, the Service Discovery mechanism does not
revalidate the server.
ignored The server is ignored, with no protection from the
appliance. The DDoS Protector appliance maintains no
baselines or associated HTTP profile configuration for the
server.
discovered The Service Discovery mechanism discovered the
server, and it is protected if the State is active. The Service
Discovery mechanism revalidates the server according to the
specified Revalidation Time.
revalidating For internal use only. The Service Discovery
mechanism is currently checking again whether the server
meets the Tracking-Time-Responses-per-Minute criteria.
in evaluation For internal use only. The Service Discovery
mechanism is currently checking whether the server meets the
Tracking-Time-Responses-per-Minute criteria.
For server entries that you create, you can only specify the Server
Status static or ignored.
You can change the Server Status from discovered only to static or
ignored.
You cannot change the Server Status once you specify ignored. You
can delete the server entry if required.
Discoverer Policy Specifies the Network Protection policy with a Service Discovery
profile that added the server to the Server Protection table.
You can modify a Discoverer Policy only for a server whose Server
Status is discovered.
Next Re-evaluation (Read-only) The time remaining, in dd:hh:mm format, before DDoS
Protector revalidates the profile.
Parameter Description
Configuration Specifies whether DDoS Protector exports the template with the
configuration of the policy.
Default: Enabled
HTTP Flood Baseline Specifies whether DDoS Protector exports the template with the
current HTTP normal-traffic baseline of the policy.
Default: Enabled
Denial of Service
Behavioral DoS
Behavioral DoS Global Parameters
Behavioral DoS (Behavioral Denial of Service) Protection, which you can use in your
network-protection policy, defends your network from zero-day network-flood attacks. These
attacks fill available network bandwidth with irrelevant traffic, denying use of network resources
to legitimate users. The attacks originate in the public network and threaten Internet-connected
organizations.
The Behavioral DoS profiles detect traffic anomalies and prevent zero-day, unknown, flood attacks
by identifying the footprint of the anomalous traffic.
Network-flood protection types include:
TCP floods which include TCP Fin + ACK Flood, TCP Reset Flood, TCP SYN + ACK Flood, and
TCP Fragmentation Flood
ICMP flood
IGMP flood
Before you configure BDoS Protection profiles, enable BDoS Protection.
Changing the setting of this parameter requires a reboot to take effect.
Advanced BDoS
Behavioral DoS Profiles Advanced
A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to
the Behavioral DoS policy.
Use the Behavioral DoS Profiles Advanced Configuration pane to configure Behavioral DoS
profiles with advanced parameters, which include manual quota settings.
The recommended settings for policies that include Behavioral DoS profiles are as follows:
Configure policies containing Behavioral DoS profiles using Networks with source = Any, the
public network, and destination = Protected Network. It is recommended to create multiple
Behavioral DoS rules, each one protecting a specific servers segment (for example, DNS
servers segment, Web server segments, Mail servers segments, and so on). This assures
optimized learning of normal traffic baselines.
It is not recommended to define a network with the Source and Destination set to Any, because
the appliance collects statistics globally with no respect to inbound and outbound directions.
This may result in lowered sensitivity to detecting attacks.
When the Direction of a policy is set to One Way, the rule prevents incoming attacks only.
When the Direction is set to Two Way, the rule prevents both incoming and outgoing
attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to
achieve optimal detection.
Check Point recommends that you initially leave the quota fields (for example, TCP In quota)
empty so that the default values will automatically be used. To view default values after creating
the profile, click the entry in the table. You can then adjust quota values based on your network
performance.
The total quota values may exceed 100%, because each value represents the maximum volume
per protocol.
Parameter Description
SYN Flood status Specifies whether the profile protects against SYN Flood
attacks.
Default: inactive
TCP Reset Flood status Specifies whether the profile protects against TCP Reset Flood
attacks.
Default: inactive
TCP FIN+ACK Flood status Specifies whether the profile protects against TCP FIN+ACK
Flood attacks.
Default: inactive
TCP SYN+ACK Flood status Specifies whether the profile protects against TCP SYN+ACK
Flood attacks.
Default: inactive
TCP Fragmented Flood status Specifies whether the profile protects against TCP Fragmented
Flood attacks.
Default: inactive
UDP Flood status Specifies whether the profile protects against UDP Flood
attacks.
Default: inactive
UDP Fragmented Flood status Specifies whether the profile protects against UDP
Fragmented Flood attacks.
Default: inactive
IGMP Flood status Specifies whether the profile protects against IGMP Flood
attacks.
Default: inactive
ICMP Flood status Specifies whether the profile protects against ICMP Flood
attacks.
Default: inactive
Configuration of the inbound traffic in [Kbit/Sec] The highest expected volume of inbound traffic,
expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial
baselines from the bandwidth and quota settings.
Values: 0 to 2,147,483,647
You must configure this setting to start Behavioral DoS protection.
Configuration of the outbound traffic in [Kbit/Sec] The highest expected volume of outbound traffic,
expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial
baselines from the bandwidth and quota settings.
Values: 0 to 2,147,483,647
You must configure this setting to start Behavioral DoS protection.
TCP In quota The maximum expected percentage of inbound TCP traffic out
of the total traffic.
UDP In quota The maximum expected percentage of inbound UDP traffic out
of the total traffic.
ICMP In quota The maximum expected percentage of inbound ICMP traffic out
of the total traffic.
IGMP In quota The maximum expected percentage of inbound IGMP traffic out
of the total traffic.
TCP Out quota The maximum expected percentage of outbound TCP traffic out
of the total traffic.
UDP Out quota The maximum expected percentage of outbound UDP traffic
out of the total traffic.
ICMP Out quota The maximum expected percentage of outbound ICMP traffic
out of the total traffic.
IGMP Out quota The maximum expected percentage of outbound IGMP traffic
out of the total traffic.
Parameter Description
UDP packet rate detection sensitivity Specifies to what extent the BDoS engine considers the UDP
PPS-rate values (baseline and current).
This parameter is relevant only for BDoS UDP protection.
Values:
Disable
Low
Medium
High
Default: Low
Packet Report Status Specifies whether the profile sends sampled attack packets to
APSolute Vision for off-line analysis.
Values: enable, disable
Default: enable
Packet Trace Status Specifies whether the profile sends attack packets to the
specified physical port.
Values: enable, disable
Default: disable
Learning response period The initial period from which baselines are primarily weighted.
The default and recommended learning response period is one week.
If traffic rates legitimately fluctuate (for example, TCP or UDP traffic
baselines change more than 50% daily), set the learning response to
one month. Use a one day period for testing purposes only.
Values: day, week, month
Default: Week
Parameter Description
Sampling Status Specifies whether the BDoS module uses traffic-statistics sampling
during the creation phase of the BDoS footprint. When the BDoS
module is trying to generate a real-time signature and there is a high
rate of traffic, the appliance evaluates only a portion of the traffic. The
BDoS module tunes the sampling factor automatically, according to
the traffic rate. The BDoS module screens all traffic at low traffic
rates (below 100K PPS) and only a portion of the traffic at higher
rates (above 100K PPS).
Default: enable
For best performance, Check Point recommends that the parameter
be enabled.
Parameter Description
Footprint Strictness When Behavioral DoS module detects a new attack, the module
generates an attack footprint to block the attack traffic. If the
Behavioral DoS module is unable to generate a footprint that meets
the footprint-strictness condition, the module issues a notification for
the attack but does not block it. The higher the strictness, the more
accurate the footprint. However, higher strictness increases the
probability that the appliance cannot generate a footprint.
Values:
High Requires at least two Boolean AND operators and no other
Boolean OR value in the footprint. This level lowers the probability
for false positives but increases the probability for false negatives.
Medium Requires at least one Boolean AND operator and no
more than two additional Boolean OR values in the footprint.
Low Allows any footprint suggested by the Behavioral DoS
module. This level achieves the best attack blocking, but
increases the probability of false positives.
Default: Low
DDoS Protector always considers the checksum field and the
sequence number fields as High Footprint Strictness fields.
Therefore, a footprint with only a checksum or sequence number is
always considered as High Footprint Strictness.
See the table below for examples of footprint strictness
requirements.
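The High/Medium/Low rules above, including the special case that a footprint made only of checksum or sequence-number fields always counts as High, as an added Python example (not the appliance's code). A footprint is modelled as a list of AND-ed terms, each a list of OR-ed (field, value) alternatives; the field names and values in the constructed candidates are illustrative only.

```python
"""Footprint Strictness check for a candidate BDoS footprint.

Added example, not the appliance's code. A footprint is modelled as a list of
AND-ed terms; each term is a list of OR-ed (field, value) alternatives.
"""

# Fields the guide says always count as High Footprint Strictness.
HIGH_STRICTNESS_FIELDS = {"checksum", "sequence_number"}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}


def footprint_operators(footprint):
    """Return (number of AND operators, number of OR values) in the footprint."""
    and_ops = len(footprint) - 1
    or_values = sum(len(alternatives) - 1 for alternatives in footprint)
    return and_ops, or_values


def footprint_strictness(footprint):
    """Highest strictness level the footprint satisfies, per the guide's rules:
    High   - at least two ANDs and no OR value (or only checksum/sequence fields)
    Medium - at least one AND and no more than two OR values
    Low    - anything else"""
    if not footprint or any(not alts for alts in footprint):
        raise ValueError("empty footprint or empty term")
    fields = {field for alts in footprint for field, _ in alts}
    if fields <= HIGH_STRICTNESS_FIELDS:        # checksum / sequence number only
        return "High"
    and_ops, or_values = footprint_operators(footprint)
    if and_ops >= 2 and or_values == 0:
        return "High"
    if and_ops >= 1 and or_values <= 2:
        return "Medium"
    return "Low"


def mitigation_decision(footprint, configured_strictness):
    """'block' when the footprint meets the configured strictness, otherwise
    'notify-only', which is what the module does when no footprint qualifies."""
    achieved = footprint_strictness(footprint)
    if LEVEL_RANK[achieved] >= LEVEL_RANK[configured_strictness]:
        return "block"
    return "notify-only"


def render(footprint):
    """Human-readable form, e.g. 'ttl=64 AND (dst_port=53 OR dst_port=123)'."""
    parts = []
    for alts in footprint:
        text = " OR ".join(f"{f}={v}" for f, v in alts)
        parts.append(f"({text})" if len(alts) > 1 else text)
    return " AND ".join(parts)


# Constructed candidate footprints (field names and values are illustrative).
TWO_ANDS = [[("ttl", 64)], [("dst_port", 53)], [("packet_size", 1024)]]
ONE_AND_ONE_OR = [[("ttl", 64)], [("dst_port", 53), ("dst_port", 123)]]
ORS_ONLY = [[("dst_port", 53), ("dst_port", 123), ("dst_port", 443)]]
CHECKSUM_ONLY = [[("checksum", "0x1a2b")]]
TOO_MANY_ORS = [[("ttl", 64)], [("src_port", p) for p in (1024, 1025, 1026, 1027)]]

if __name__ == "__main__":
    for fp in (TWO_ANDS, ONE_AND_ONE_OR, ORS_ONLY, CHECKSUM_ONLY, TOO_MANY_ORS):
        print(f"{render(fp):60s} -> {footprint_strictness(fp)}")
```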
Parameter Description
Suppression Threshold The percentage of the specified bandwidth below which DDoS
Protector suppresses BDoS-baseline learning.
The Suppression Threshold feature helps preserve a good
BDoS-baseline value in scenarios where, at times, DDoS Protector
handles very little traffic.
There are two typical scenarios where, at times, DDoS Protector
handles very little traffic:
Out-of-path deployments In an out-of-path deployment, DDoS
Protector is triggered upon attack detection when traffic is
diverted through DDoS Protector for mitigation. During an attack,
the traffic is diverted and routed through DDoS Protector. During
peacetime, no traffic passes through DDoS Protector (except for
maintenance messages). When no traffic is diverted to DDoS
Protector, the BDoS learning must be suppressed to prevent
extremely low values affecting the baseline and ultimately
increasing the susceptibility to false positives.
Environments where traffic rates change dramatically throughout
the day.
The specified bandwidth refers to the Configuration of the outbound
traffic in [Kbit/Sec] and Configuration of the inbound traffic in
[Kbit/Sec] parameters under DDoS Protector > Denial of Service >
Behavioral DoS > Behavioral DoS Profiles.
The Suppression Threshold applies to all BDoS profiles and
controllers, but DDoS Protector calculates the threshold per Network
Protection policy and specified Direction (DDoS Protector > Policies >
Table). For one-way policies, the Suppression Threshold considers the
inbound bandwidth. DDoS Protector treats two-way policies as two
policies, so the Suppression Threshold calculates the bandwidth for
each policy (inbound/outbound).
Values:
0 Specifies that BDoS profiles use no Suppression Threshold.
1 to 50
Default: 0
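The relationship between the configured bandwidth, the per-protocol quotas and the Suppression Threshold described above, as an added Python example (not the appliance's code). The derivation baseline = bandwidth x quota / 100 and the moving-average learning step are assumptions for illustration; the numbers are constructed, and the scenario is the out-of-path case where peacetime traffic would otherwise drag the baseline down.

```python
"""BDoS initial baselines from bandwidth and quotas, plus Suppression Threshold
handling during baseline learning.

Added example with constructed numbers. The formula baseline = bandwidth x
quota / 100 and the moving-average learning step are assumptions used for
illustration, not the appliance's algorithm.
"""

PROTOCOLS = ("TCP", "UDP", "ICMP", "IGMP")


def initial_baselines(bandwidth_kbps, quotas):
    """Initial per-protocol baseline (Kbit/s) for one direction.

    quotas maps protocol -> expected maximum percentage of total traffic; the
    percentages may add up to more than 100 because each is a per-protocol
    maximum, as the guide notes."""
    if not 0 <= bandwidth_kbps <= 2_147_483_647:
        raise ValueError("bandwidth out of the documented range")
    return {p: bandwidth_kbps * quotas.get(p, 0) / 100.0 for p in PROTOCOLS}


def suppression_limit_kbps(bandwidth_kbps, suppression_pct):
    """Traffic level below which baseline learning is suppressed (0 disables)."""
    if not 0 <= suppression_pct <= 50:
        raise ValueError("Suppression Threshold must be 0 or 1 to 50")
    return bandwidth_kbps * suppression_pct / 100.0


def learn_baselines(baselines, samples, bandwidth_kbps, suppression_pct, alpha=0.2):
    """Fold traffic samples ({protocol: Kbit/s}) into the baselines with an
    exponential moving average, skipping samples whose total volume is below
    the suppression limit. Returns (updated baselines, skipped-sample count)."""
    limit = suppression_limit_kbps(bandwidth_kbps, suppression_pct)
    updated, skipped = dict(baselines), 0
    for sample in samples:
        total = sum(sample.values())
        if suppression_pct and total < limit:
            skipped += 1            # peacetime / no diverted traffic: do not learn
            continue
        for p in PROTOCOLS:
            updated[p] = (1 - alpha) * updated[p] + alpha * sample.get(p, 0.0)
    return updated, skipped


def policy_suppression_limits(direction, inbound_kbps, outbound_kbps, suppression_pct):
    """One Way policies use the inbound bandwidth only; Two Way policies are
    treated as two policies with a limit per direction (as the guide describes)."""
    limits = {"inbound": suppression_limit_kbps(inbound_kbps, suppression_pct)}
    if direction == "Two Way":
        limits["outbound"] = suppression_limit_kbps(outbound_kbps, suppression_pct)
    elif direction != "One Way":
        raise ValueError("direction must be 'One Way' or 'Two Way'")
    return limits


# Constructed scenario: out-of-path deployment on a 100 Mbit/s segment.
BANDWIDTH_KBPS = 100_000
QUOTAS = {"TCP": 80, "UDP": 30, "ICMP": 5, "IGMP": 1}        # sums to 116 %
PEACETIME = {"TCP": 200.0, "UDP": 50.0}                      # maintenance traffic only
UNDER_DIVERSION = {"TCP": 90_000.0, "UDP": 20_000.0, "ICMP": 1_000.0}

if __name__ == "__main__":
    start = initial_baselines(BANDWIDTH_KBPS, QUOTAS)
    for pct in (0, 10):
        learned, skipped = learn_baselines(
            start, [PEACETIME, UNDER_DIVERSION], BANDWIDTH_KBPS, pct)
        print(f"suppression {pct:2d}%: skipped={skipped} "
              f"TCP baseline={learned['TCP']:.0f} Kbit/s")
```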
TTL Yes No No
Mitigation Configuration
Attack Termination Configuration for Behavioral DoS Protection
The DDoS Protector BDoS mechanism assigns various internally defined states for each
protection (belonging to the BDoS policy and Protection Type).
The internally defined states for protections include the following:
Normal state
Analysis state (state 2)
Blocking state (state 6)
Anomaly state (state 3)
Non-strictness state (state 7)
DDoS Protector assigns the Non-strictness state when it was not able to generate a DoS-attack
footprint that meets the specified Footprint Strictness ("Behavioral DoS Advanced Global
Parameters" on page 114).
As soon as DDoS Protector detects anomalous traffic, the protection changes state, from Normal
to Analysis. By default, if DDoS Protector detects anomalous traffic for less than a specified
threshold, the protection changes state back to Normal.
In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in
terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function.
When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector will
consider the attack to have ended (terminated) and switch back to the Normal state, never
blocking the attack. The advanced mitigation interface for BDoS lets you extend pre-termination
durations so that such traffic is blocked.
In a production environment, highly orchestrated and synchronized attacks are unlikely; and the
default values in a DDoS Protector appliance configuration are adequate.
Stability Counter State 2 The time, in seconds, at which the degree of attack falls below
and stays below the hard-coded threshold in the Analysis
state. DDoS Protector declares the attack to be terminated
immediately when this value is 0.
Values: 0 to 30
Default: 0
Stability Counter State 6 The time, in seconds, at which the degree of attack falls below
and stays below the hard-coded threshold in the Blocking
state. DDoS Protector declares the attack to be terminated
immediately when this value is 0. There is no typical use case
for reducing the value from the default.
Values: 0 to 300
Default: 10
Stability Counter State 3 and 7 The time, in seconds, at which the degree of attack falls below
and stays below the hard-coded threshold in the Anomaly
state or the Non-strictness state. DDoS Protector declares
the attack to be terminated immediately when this value is 0.
Values: 0 to 300
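The square-wave test-traffic case from the section above, replayed through the Stability Counter rules for state 2 (Analysis) and state 6 (Blocking), as an added Python example that is not the appliance's code: with the default Stability Counter State 2 of 0 every trough terminates the attack before a footprint exists, while a counter longer than the trough lets the protection reach Blocking. The degree-of-attack scale, its hard-coded threshold and the 10 s footprint time are assumptions.

```python
"""Attack-termination timing for BDoS protection states, driven by the
Stability Counter values for state 2 (Analysis) and state 6 (Blocking).

Added example, not the appliance's code. The degree-of-attack scale, its
hard-coded threshold and the 10 s footprint time are assumptions.
"""

NORMAL, ANALYSIS, BLOCKING = "Normal", "Analysis (state 2)", "Blocking (state 6)"
ATTACK_THRESHOLD = 50          # assumed hard-coded threshold on a 0-100 scale
FOOTPRINT_SECONDS = 10         # assumed time in Analysis before a footprint is ready


def simulate(degree_per_second, stability_state2=0, stability_state6=10):
    """Run the state machine over one degree-of-attack sample per second.

    In Analysis or Blocking, the attack is declared terminated once the degree
    has stayed below the threshold for the state's Stability Counter seconds;
    a value of 0 terminates immediately, as the guide states."""
    if not 0 <= stability_state2 <= 30 or not 0 <= stability_state6 <= 300:
        raise ValueError("stability counters out of the documented ranges")
    state, below, in_analysis = NORMAL, 0, 0
    terminations, blocked_seconds, history = 0, 0, []
    for degree in degree_per_second:
        if state == NORMAL:
            if degree >= ATTACK_THRESHOLD:      # anomaly seen: Normal -> Analysis
                state, below, in_analysis = ANALYSIS, 0, 0
        else:
            if degree < ATTACK_THRESHOLD:
                below += 1
                limit = stability_state2 if state == ANALYSIS else stability_state6
                if below >= limit:              # stayed below long enough: terminated
                    state, terminations = NORMAL, terminations + 1
            else:
                below = 0
            if state == ANALYSIS:
                in_analysis += 1
                if in_analysis >= FOOTPRINT_SECONDS:
                    state = BLOCKING            # footprint generated
            elif state == BLOCKING and degree >= ATTACK_THRESHOLD:
                blocked_seconds += 1
        history.append(state)
    return {"history": history, "terminations": terminations,
            "blocked_seconds": blocked_seconds, "final_state": state,
            "reached_blocking": BLOCKING in history}


def square_wave(high=90, low=5, on_seconds=8, off_seconds=4, cycles=4):
    """Constructed lab-style test traffic: bursts separated by short troughs."""
    return ([high] * on_seconds + [low] * off_seconds) * cycles


if __name__ == "__main__":
    for counter in (0, 5):
        result = simulate(square_wave(), stability_state2=counter)
        print(f"Stability Counter State 2 = {counter:2d}: "
              f"terminations={result['terminations']} "
              f"blocked_seconds={result['blocked_seconds']} "
              f"reached_blocking={result['reached_blocking']}")
```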
3. From the Early Detection Condition drop-down list, select one of these options:
yes DDoS Protector must detect this field to generate a footprint in less than 10 seconds.
no DDoS Protector can use this field in the footprint, but it is not enough for early
blocking.
4. Click Set.
Early Blocking Configuration for Behavioral DoS Protection
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to
start blocking as soon as possible even if accuracy is compromised. Using Early Blocking of DoS
Traffic, that is, by configuring thresholds for generating DoS-attack footprints, you can shorten the
Analysis state and start blocking the relevant traffic.
For more information on this feature, refer to the DDoS Protector User Guide.
Note: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the
accuracy of the DoS-attack footprint that DDoS Protector generates.
Any Packet Header Field Specifies the parameters according to which the appliance
blocks DoS traffic early.
Values:
true The appliance blocks DoS traffic early based on the
specified number of packet-header fields and number of
packet-header-field values thresholds.
false The appliance blocks DoS traffic early based on the
fields as displayed in the Packet Header Field Selection for
Behavioral DoS Protection (on page 119) pane.
Any Packet Header Field threshold The number of anomalous packet-header fields that the
appliance must detect to generate a footprint and change to the Blocking
state before the default 10 seconds. (The transition after 10
seconds occurs even if the condition is not met.)
Values: 1 to 20
Default (per protection):
ICMP 17
IGMP 16
TCP-ACK-FIN 17
TCP-FRAG 17
TCP-RST 17
TCP-SYN 17
TCP-SYN-ACK 17
UDP 20
Packet Header Field Values The number of anomalous packet-header-field values that the
appliance must detect to generate a footprint and change to the
Blocking state.
Values: 1 to 500
Default: 500
Controller (Read-only) The attack protection for which you are configuring footprint
bypass.
Parameter Description
SYN Flood status Specifies whether the profile protects against SYN Flood attacks.
Default: inactive
TCP Reset Flood status Specifies whether the profile protects against TCP Reset Flood
attacks.
Default: inactive
TCP FIN+ACK Flood status Specifies whether the profile protects against TCP FIN+ACK Flood
attacks.
Default: inactive
TCP SYN+ACK Flood status Specifies whether the profile protects against TCP SYN+ACK Flood
attacks.
Default: inactive
TCP Fragmented Flood status Specifies whether the profile protects against TCP Fragmented
Flood attacks.
Default: inactive
UDP Flood status Specifies whether the profile protects against UDP Flood attacks.
Default: inactive
UDP Fragmented Flood status Specifies whether the profile protects against UDP Fragmented
Flood attacks.
Default: inactive
IGMP Flood status Specifies whether the profile protects against IGMP Flood attacks.
Default: inactive
ICMP Flood status Specifies whether the profile protects against ICMP Flood attacks.
Default: inactive
Configuration of the inbound traffic in [Kbit/Sec] The highest expected volume of inbound traffic,
expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial
baselines from the bandwidth and quota settings.
Values: 0 to 2,147,483,647
Note: You must configure this setting to start Behavioral DoS protection.
Packet Report Status Specifies whether the profile sends sampled attack packets to
APSolute Vision for off-line analysis.
Values: enable, disable
Default: enable
Packet Trace Status Specifies whether the profile sends attack packets to the specified
physical port.
Values: enable, disable
Default: disable
DNS Protection
DNS Protection Global Parameters
DNS Flood Protection, which you can use in your network-protection policy, defends your network
from zero-day DNS-flood attacks. These attacks fill available DNS bandwidth with irrelevant
traffic, denying legitimate users DNS lookups. The attacks originate in the public network and
threaten Internet-connected organizations.
The DNS Flood profiles detect traffic anomalies and prevent zero-day, unknown, DNS flood
attacks by identifying the footprint of the anomalous traffic.
DNS Flood Protection types can include the following DNS query types:
A
MX
PTR
AAAA
Text
SOA
NAPTR
SRV
Other
DNS Flood Protection can detect statistical anomalies in DNS traffic and generate an accurate
attack footprint based on a heuristic protocol information analysis. This ensures accurate attack
filtering with minimal risk of false positives. The default average time for a new signature creation
is between 10 and 18 seconds. This is a relatively short time, because flood attacks can last for
minutes and sometimes hours.
Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled.
You can also change the default global appliance settings for DNS Flood Protection. The DNS
Flood Protection global settings apply to all the network protection policies rules with DNS Flood
profiles on the appliance.
Changing the setting of this parameter requires a reboot to take effect.
Expected QPS The expected rate, in queries per second, of DNS queries.
DNS A Flood status Specifies whether this profile protects against DNS A Flood
attacks.
Values: inactive, active
Default: inactive
DNS A quota The maximum expected percentage of DNS A traffic out of the
total DNS traffic.
DNS MX Flood status Specifies whether this profile protects against DNS MX Flood
attacks.
Values: inactive, active
Default: inactive
DNS MX quota The maximum expected percentage of DNS MX traffic out of the
total DNS traffic.
DNS PTR Flood status Specifies whether this profile protects against DNS PTR Flood
attacks.
Values: inactive, active
Default: inactive
DNS PTR quota The maximum expected percentage of DNS PTR traffic out of the
total DNS traffic.
DNS AAAA Flood status Specifies whether this profile protects against DNS AAAA Flood
attacks.
Values: inactive, active
Default: inactive
DNS AAAA quota The maximum expected percentage of DNS AAAA traffic out of the
total DNS traffic.
DNS TEXT Flood status Specifies whether this profile protects against DNS TEXT Flood
attacks.
Values: inactive, active
Default: inactive
DNS TEXT quota The maximum expected percentage of DNS TEXT traffic out of the
total DNS traffic.
DNS SOA Flood status Specifies whether this profile protects against DNS SOA Flood
attacks.
Values: inactive, active
Default: inactive
DNS SOA quota The maximum expected percentage of DNS SOA traffic out of the
total DNS traffic.
DNS NAPTR Flood status Specifies whether this profile protects against DNS NAPTR Flood
attacks.
Values: inactive, active
Default: inactive
DNS NAPTR quota The maximum expected percentage of DNS NAPTR traffic out of
the total DNS traffic.
DNS SRV Flood status Specifies whether this profile protects against DNS SRV Flood
attacks.
Values: inactive, active
Default: inactive
DNS SRV quota The maximum expected percentage of DNS SRV traffic out of the
total DNS traffic.
DNS OTHER Flood status Specifies whether this profile protects against DNS OTHER Flood
attacks.
Values: inactive, active
Default: inactive
DNS OTHER quota The maximum expected percentage of other DNS traffic (that is,
not A, MX, AAAA, TEXT, SOA, NAPTR, or SRV) out of the total DNS
traffic.
Max Allowed QPS The maximum allowed rate of DNS queries per second, when the
Manual Triggers option is not enabled.
Values: 0 to 4,000,000
Default: 0
Note: When the Manual Triggers option is enabled, the Manual
Triggers Max QPS Target value overrides this value ("DNS
Protection Advanced Profiles" on page 128).
Signature Rate limit Target The percentage of the DNS traffic that matches the real-time
signature that the profile will not mitigate above the baseline.
Values: 0 to 100
Default: 0
Packet Report Status Specifies whether the appliance sends sampled attack packets to
APSolute Vision for off-line analysis.
Values: enable, disable
Default: disable
Packet Trace Status Specifies whether the DDoS Protector appliance sends attack
packets to the specified physical port.
Values: enable, disable
Default: disable
Action The action that the profile takes on DNS traffic during an attack.
Values: Block and Report, Report Only
Default: Block and Report
Expected QPS The expected rate, in queries per second, of DNS queries.
DNS A Flood status Specifies whether this profile protects against DNS A
Flood attacks.
Values: inactive, active
Default: inactive
DNS MX Flood status Specifies whether this profile protects against DNS MX
Flood attacks.
Values: inactive, active
Default: inactive
DNS PTR Flood status Specifies whether this profile protects against DNS PTR
Flood attacks.
Values: inactive, active
Default: inactive
DNS PTR quota The maximum expected percentage of DNS PTR traffic
out of the total DNS traffic.
DNS AAAA Flood status Specifies whether this profile protects against DNS AAAA
Flood attacks.
Values: inactive, active
Default: inactive
DNS AAAA quota The maximum expected percentage of DNS AAAA traffic
out of the total DNS traffic.
DNS TEXT Flood status Specifies whether this profile protects against DNS TEXT
Flood attacks.
Values: inactive, active
Default: inactive
DNS TEXT quota The maximum expected percentage of DNS TEXT traffic
out of the total DNS traffic.
DNS SOA Flood status Specifies whether this profile protects against DNS SOA
Flood attacks.
Values: inactive, active
Default: inactive
DNS SOA quota The maximum expected percentage of DNS SOA traffic
out of the total DNS traffic.
DNS NAPTR Flood status Specifies whether this profile protects against DNS
NAPTR Flood attacks.
Values: inactive, active
Default: inactive
DNS SRV Flood status Specifies whether this profile protects against DNS SRV
Flood attacks.
Values: inactive, active
Default: inactive
DNS SRV quota The maximum expected percentage of DNS SRV traffic
out of the total DNS traffic.
DNS OTHER Flood status Specifies whether this profile protects against DNS
OTHER Flood attacks.
Values: inactive, active
Default: inactive
DNS OTHER quota The maximum expected percentage of other DNS traffic
(that is, not A, MX, AAAA, TEXT, SOA, NAPTR, or SRV) out
of the total DNS traffic.
Max Allowed QPS The maximum allowed rate of DNS queries per second.
Values: 0–4,000,000
Default: 0
When Manual Triggers Status is enable, the Manual
Triggers Max QPS Target value overrides this value.
Signature Rate limit Target The percentage of the DNS traffic that matches the
real-time signature that the profile will not mitigate
above the baseline.
Values: 0–100
Default: 0
Packet Report Status Specifies whether the appliance sends sampled attack
packets to APSolute Vision for off-line analysis.
Values: enable, disable
Default: disable
Packet Trace Status Specifies whether the DDoS Protector appliance sends
attack packets to the specified physical port.
Values: enable, disable
Default: disable
Action The action that the profile takes on DNS traffic during an
attack.
Values: Block and Report, Report Only
Default: Block and Report
Manual Triggers Status Specifies whether the profile uses user-defined DNS QPS
thresholds instead of the learned baselines.
Default: disable
Manual Triggers Activation Threshold The minimum number of queries per second after the
specified Activation Period on a single connection that
causes the appliance to consider there to be an attack.
When the appliance detects an attack, it issues an
appropriate alert and drops the DNS packets that exceed
the threshold. Packets that do not exceed the threshold
bypass the DDoS Protector appliance.
Values: 0–4,000,000
Default: 0
Manual Triggers Termination The maximum number of queries per second after the
Threshold specified Termination Period on a single connection
that cause the appliance to consider the attack to have
ended.
Values: 0–4,000,000
Default: 0
The Termination Threshold must be less than or equal to
the Activation Threshold.
Manual Triggers Max QPS Target The maximum allowed rate of DNS queries per second.
Values: 0–4,000,000
Default: 0
Manual Triggers Activation Period The number of consecutive seconds that the DNS traffic
on a single connection exceeds the Activation Threshold
that causes the appliance to consider there to be an
attack.
Values: 0–30
Default: 3
Manual Triggers Termination Period The time, in seconds, that the DNS traffic on a single
connection is continuously below the Termination
Threshold, which causes the appliance to consider the
attack to have ended.
Values: 0–30
Default: 3
Manual Triggers Escalation Period The time, in seconds, that the appliance waits before
escalating to the next specified Mitigation Action.
Values: 0–30
Default: 3
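The Manual Triggers rows above define a small state machine: an attack is declared only after Activation Period consecutive seconds above the Activation Threshold, and is declared over only after Termination Period consecutive seconds below the Termination Threshold. The following model is an added example, not Check Point code; it assumes one QPS sample per second on a single connection, and it treats the Max QPS Target (or, when that is 0, the Activation Threshold) as the rate above which queries are dropped during an attack, which is an assumption of this model rather than a documented detail.

```python
"""Model of the Manual Triggers detection logic described in the table above.

Added example, not Check Point code. Assumes a per-second QPS sample for one
connection and the table semantics: an attack starts after Activation Period
consecutive seconds above the Activation Threshold and ends after Termination
Period consecutive seconds below the Termination Threshold. During an attack,
queries above the Max QPS Target (or above the Activation Threshold when the
target is 0) are dropped; that rate-limit choice is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ManualTriggers:
    activation_threshold: int          # queries per second, 0..4,000,000
    termination_threshold: int         # must be <= activation_threshold
    activation_period: int = 3         # consecutive seconds, 0..30 (default 3)
    termination_period: int = 3        # consecutive seconds, 0..30 (default 3)
    max_qps_target: int = 0            # 0 means "not set"

    def __post_init__(self) -> None:
        # Constraint stated in the parameter table.
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")
        for name in ("activation_period", "termination_period"):
            if not 0 <= getattr(self, name) <= 30:
                raise ValueError(f"{name} must be between 0 and 30")


def violates_constraints(activation: int, termination: int) -> bool:
    """True when the pair of thresholds is rejected by the validation above."""
    try:
        ManualTriggers(activation, termination)
    except ValueError:
        return True
    return False


@dataclass
class Detector:
    cfg: ManualTriggers
    in_attack: bool = False
    above: int = 0                     # consecutive seconds above the activation threshold
    below: int = 0                     # consecutive seconds below the termination threshold
    events: List[Tuple[int, str]] = field(default_factory=list)

    def feed(self, second: int, qps: int) -> int:
        """Consume one per-second QPS sample; return how many queries are dropped."""
        c = self.cfg
        if not self.in_attack:
            self.above = self.above + 1 if qps > c.activation_threshold else 0
            if qps > c.activation_threshold and self.above >= c.activation_period:
                self.in_attack, self.below = True, 0
                self.events.append((second, "attack-start"))
        else:
            self.below = self.below + 1 if qps < c.termination_threshold else 0
            if qps < c.termination_threshold and self.below >= c.termination_period:
                self.in_attack, self.above = False, 0
                self.events.append((second, "attack-end"))
        if not self.in_attack:
            return 0                   # below the trigger: traffic bypasses the profile
        limit = c.max_qps_target or c.activation_threshold
        return max(0, qps - limit)     # only the excess over the limit is dropped


def run(cfg: ManualTriggers, samples: List[int]) -> Tuple[List[int], List[Tuple[int, str]]]:
    """Replay a QPS series; return per-second drop counts and the state-change events."""
    det = Detector(cfg)
    drops = [det.feed(sec, qps) for sec, qps in enumerate(samples)]
    return drops, det.events


# Constructed sample: two short bursts that do not last the full Activation Period,
# then a sustained flood, then traffic that falls below the Termination Threshold.
SAMPLE_QPS = [500, 1500, 1500, 600, 1500, 1500, 1500, 2000, 700, 700, 500]

if __name__ == "__main__":
    cfg = ManualTriggers(activation_threshold=1000, termination_threshold=800,
                         activation_period=3, termination_period=2, max_qps_target=1200)
    print(run(cfg, SAMPLE_QPS))
```

With the sample above, the two bursts of two seconds never reach the three-second Activation Period, so nothing is dropped until the third consecutive second of the sustained flood; the attack then ends after two consecutive seconds below 800 QPS.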
Challenge Method The method that the profile uses to authenticate DNS
traffic.
Values:
Passive DDoS Protector authenticates DNS traffic
based on discard of A and AAAA queries.
Active DDoS Protector authenticates DNS traffic by
challenging all DNS query types and shifting UDP
traffic to TCP (with a TC flag).
Default: Passive
Note: Using the Active option requires that the entire
connection path to, and including, the DNS server(s) that
the profile protects must support TCP.
This parameter is effective only when Signature
challenge mitigation status and/or Collective
challenge mitigation status are enabled globally
(DDoS Protector > Denial of Service > DNS Protection
> Advanced > Mitigation Configuration > Methods).
DDoS Protector stores sources authenticated by either method in
the SDM table.
The Active challenge method utilizes the DNS TC bit. The TC (truncated) bit is typically used by the
DNS server to indicate to the client that the response is too large for UDP, and it is required to use
TCP. When a DNS Flood Protection profile uses the Active challenge method, DDoS Protector
considers a client to be legitimate if the client opens a TCP connection to the server.
The Active challenge method works as follows:
1. DDoS Protector sends a DNS reply to the client with the TC bit set.
2. One of the following:
The DNS client opens a TCP connection to port 53 with the same query that was sent over
UDP.
a) DDoS Protector validates the query name and adds the source to the authentication table
for future queries.
b) DDoS Protector passes the query to the DNS server.
c) (Optional) DDoS Protector authenticates the source in the SYN Protection module. After
the TCP connection is created, DDoS Protector can use the SYN Protection module to apply a
Transparent Proxy Authentication Method phase for TCP authentication of the client. This
phase strengthens the authentication but introduces an additional, yet tolerable, delay,
especially under attack conditions. Check Point recommends using the out-of-the-box SYN
protection: DNS (ID: 200009).
The DNS client does not reply with a TCP connection.
a) DDoS Protector blocks the client from communicating with the protected DNS server.
b) DDoS Protector continues challenging new queries from the client.
The main advantages of the Active challenge method are as follows:
The Active challenge method is compatible with all DNS query types.
With the Active challenge method, a response from the client is forced according to the DNS
standard (RFC 1034 and RFC 1035).
Active authentication over TCP helps verify that the client has a complete legitimate DNS stack
with both UDP and TCP support.
The Active challenge method can potentially increase the load on the protected DNS servers.
However, the challenge is applied only in the mitigation phase, during a DNS attack. In addition,
the DDoS Protector action escalation mechanism first applies the challenge on the attack footprint,
and only later on all the queries (of a certain query type). All in all, the impact of the resulting
load is expected to be lower than the attack itself.
In terms of latency and user experience, legitimate DNS clients are authenticated based on their
initial query, and all subsequent queries from the same source, over UDP, pass directly to the
server unchallenged.
The Active challenge method, like all other DDoS Protector challenges, is based on the source IP
address.
Some public DNS resolvers change the source IP address with every new query, as recommended
in RFC 5452. Since these public DNS resolvers are legitimate, they are expected to reply
successfully to every challenge (that is, send the query over TCP). A query over TCP, with a new
IP address, is passed to the target DNS server, but the new source IP address is not
authenticated for subsequent queries.
In such scenarios, the TCP traffic load on the protected DNS servers increases. Check Point
recommends using the out-of-the-box SYN protection: DNS (ID: 200009) and Connection Limit
Protection.
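The exchange described above (TC-bit reply, TCP retry, authentication table, and the RFC 5452 caveat) is modelled below as an added example; it is not Check Point code. It implements only the DNS header and question section from RFC 1035 with no compression pointers, keeps the authentication table as a set of source IP addresses, and assumes that a TCP query is forwarded whether or not it matches a pending challenge, authenticating the source only when the query name matches the one challenged over UDP.

```python
"""Model of the Active (TC-bit) challenge described above.

Added example, not Check Point code. Implements a minimal DNS header and
question codec (RFC 1035) and a challenge table keyed by source IP address.
The source is authenticated when its TCP retry carries the same query name
that was challenged over UDP; the exact validation DDoS Protector performs and
the "forward but do not authenticate" handling of an unmatched TCP query are
assumptions based on the text above.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

QR = 0x8000          # response flag
TC = 0x0200          # truncated flag
RCODE_MASK = 0x000F


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def build_query(txid: int, qname: str, qtype: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_message(msg: bytes) -> dict:
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qdcount": qdcount, "qname": qname, "qtype": qtype}


def tc_challenge(query: bytes) -> bytes:
    """Reply with QR and TC set and no answer: a compliant client retries over TCP."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", txid, (flags | QR | TC) & ~RCODE_MASK, qdcount, 0, 0, 0)
    return header + query[12:]                    # echo the question section


@dataclass
class ActiveChallenge:
    authenticated: Set[str] = field(default_factory=set)   # the authentication (SDM) table
    pending: Dict[str, str] = field(default_factory=dict)   # source IP -> challenged query name
    forwarded: int = 0                                      # queries passed to the DNS server

    def on_udp(self, src: str, query: bytes) -> Tuple[str, bytes]:
        """UDP query: forward if the source is authenticated, otherwise challenge it."""
        if src in self.authenticated:
            self.forwarded += 1
            return "forward", query
        self.pending[src] = parse_message(query)["qname"]
        return "challenge", tc_challenge(query)

    def on_tcp(self, src: str, query: bytes) -> str:
        """TCP query: forward it; authenticate the source only if it answers its own challenge."""
        self.forwarded += 1
        if self.pending.pop(src, None) == parse_message(query)["qname"]:
            self.authenticated.add(src)
        return "forward"


def demo() -> dict:
    ac = ActiveChallenge()
    q = build_query(0x1234, "www.example.com.", 1)            # constructed A query
    # 1. Legitimate stub resolver: challenged, retries over TCP, later UDP queries pass.
    first, reply = ac.on_udp("198.51.100.10", q)
    tcp = ac.on_tcp("198.51.100.10", q)
    later, _ = ac.on_udp("198.51.100.10", build_query(0x1235, "mail.example.com.", 15))
    # 2. Source that never opens TCP: every UDP query is challenged, none is forwarded.
    flood = [ac.on_udp("203.0.113.5", q)[0] for _ in range(3)]
    # 3. RFC 5452 style resolver using a new source address per query: the TCP retry
    #    is forwarded, but no address ever becomes authenticated.
    ac.on_udp("192.0.2.1", q)
    ac.on_tcp("192.0.2.2", q)
    rotating, _ = ac.on_udp("192.0.2.3", q)
    return {
        "first_udp": first,
        "reply_has_tc": bool(parse_message(reply)["flags"] & TC),
        "reply_id_matches": parse_message(reply)["id"] == 0x1234,
        "tcp_retry": tcp,
        "later_udp": later,
        "flood": flood,
        "rotating_udp": rotating,
        "authenticated": sorted(ac.authenticated),
        "forwarded": ac.forwarded,
    }


if __name__ == "__main__":
    print(demo())
```

The third scenario in demo() is the load concern from the paragraph above: each rotating address answers its challenge over TCP, so every one of its queries costs the server a TCP connection while the authentication table never fills with a reusable entry.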
Learning Response Period The initial period from which baselines are primarily weighted.
The default and recommended learning response period is one
week.
If traffic rates legitimately fluctuate (for example, TCP or UDP traffic
baselines change more than 50% daily), set the learning response to
one month. Use a one day period for testing purposes only.
Values: day, week, month
Default: week
Sampling Status Specifies whether the DNS Flood Protection module uses
traffic-statistics sampling during the creation phase of the footprint.
Values:
enable Traffic statistics are aggregated through a sampling
algorithm, which improves the overall performance of the DNS Flood
Protection module. Although the decision engine is tuned
according to the sampling error, the chance of false-positive
decisions is increased.
disable Traffic statistics are aggregated without sampling.
Default: enable
Footprint Strictness When the DNS Flood Protection module detects a new attack, the
module generates an attack footprint to block the attack traffic. If
the module is unable to generate a footprint that meets the
footprint-strictness condition, the module issues a notification for
the attack but does not block it. The higher the strictness, the more
accurate the footprint. However, higher strictness increases the
probability that the module cannot generate a footprint.
Values:
high Requires at least two Boolean AND operators and no
other Boolean OR value in the footprint. This level lowers the
probability for false positives but increases the probability for
false negatives.
medium Requires at least one Boolean AND operator and no
more than two additional Boolean OR values in the footprint.
low Allows any footprint suggested by the DNS Flood
Protection module. This level achieves the best attack blocking,
but increases the probability of false positives.
Default: low
The DNS Flood Protection module always considers the checksum
field and the sequence number fields as High Footprint Strictness
fields. Therefore, a footprint with only a checksum or sequence
number is always considered as High Footprint Strictness.
See the table below for examples of footprint strictness
requirements.
Example footprint: DNS Query AND DNS ID AND Packet Size (two AND operators, no OR) satisfies all three strictness levels: high, medium, and low.
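The strictness rules above can be checked mechanically. The classifier below is an added example, not Check Point code: it models a footprint as a text expression of packet fields joined by AND and OR, applies exactly the three rules from the table, and adds the stated special case that a footprint made only of a checksum or sequence-number field always counts as high strictness. The field names in the test inputs are constructed.

```python
"""Classifier for the Footprint Strictness rules listed in the table above.

Added example, not Check Point code. Rule set from the table:
  high   - at least two AND operators and no OR;
  medium - at least one AND operator and no more than two OR values;
  low    - any footprint.
A footprint consisting only of a checksum or sequence-number field is always high.
"""
import re
from typing import Tuple

ALWAYS_HIGH_FIELDS = {"checksum", "sequence number"}
RANK = {"low": 0, "medium": 1, "high": 2}


def count_operators(footprint: str) -> Tuple[int, int]:
    """Return (number of AND operators, number of OR operators)."""
    ops = re.findall(r"\b(AND|OR)\b", footprint)
    return ops.count("AND"), ops.count("OR")


def footprint_strictness(footprint: str) -> str:
    """Highest strictness level the footprint satisfies: 'high', 'medium' or 'low'."""
    fields = [f.strip(" ()").lower() for f in re.split(r"\b(?:AND|OR)\b", footprint)]
    if len(fields) == 1 and fields[0] in ALWAYS_HIGH_FIELDS:
        return "high"                       # checksum / sequence number special case
    ands, ors = count_operators(footprint)
    if ands >= 2 and ors == 0:
        return "high"
    if ands >= 1 and ors <= 2:
        return "medium"
    return "low"


def would_block(footprint: str, configured_strictness: str) -> bool:
    """True if a module configured with this strictness blocks using this footprint;
    otherwise the module only reports the attack."""
    return RANK[footprint_strictness(footprint)] >= RANK[configured_strictness]


if __name__ == "__main__":
    for fp in ("DNS Query AND DNS ID AND Packet Size",
               "Source Port AND (DNS ID OR Packet Size)",
               "DNS ID OR DNS Query", "Checksum"):
        print(f"{fp!r}: {footprint_strictness(fp)}")
```

Raising the configured strictness trades false positives for attacks that are reported but not blocked: would_block() returns False exactly in the cases the table describes as "issues a notification for the attack but does not block it".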
When the baseline for the policy is reset, the baseline traffic statistics are cleared, and then DDoS
Protector immediately initiates a new learning period. Generally, this is done when the
characteristics of the protected network have changed entirely and bandwidth quotas need to be
changed to accommodate the network changes.
Parameter Description
Stability Counter State 2 The time, in seconds, at which the degree of attack falls below and
stays below the hard-coded threshold in the Analysis state. DDoS
Protector declares the attack to be terminated immediately when
this value is 0.
Values: 0–30
Default: 0
Stability Counter State 6 The time, in seconds, at which the degree of attack falls below and
stays below the hard-coded threshold in the Blocking state. DDoS
Protector declares the attack to be terminated immediately when
this value is 0. There is no typical use case for reducing the value
from the default.
Values: 0–300
Default: 10
Stability Counter State 3 The time, in seconds, at which the degree of attack falls below and
stays below the hard-coded threshold in the Anomaly state. DDoS
Protector declares the attack to be terminated immediately when
this value is 0.
Values: 0–300
Default: 10
Signature challenge Specifies whether the appliance challenges suspect DNS queries
mitigation status that match the real-time signature.
Default: enable
Signature rate-limit Specifies whether the appliance limits the rate of DNS queries that
mitigation status match the real-time signature.
Default: enable
Collective rate-limit (Read-only) The appliance limits the rate of all DNS queries to the
mitigation status protected server.
Value: enable
Parameter Description
Any Packet Header Field Specifies the parameters according to which the appliance blocks
DoS traffic early.
Values:
true The appliance blocks DoS traffic early based on the
specified number of packet-header fields and number of
packet-header-field values thresholds.
false The appliance blocks DoS traffic early based on the fields
as displayed in the Packet Header Field Selection for Behavioral
DoS Protection ("Packet Header Field Selection for DNS
Protection" on page 138) pane.
Any Packet Header Field The number of anomalous packet-header fields that the appliance
threshold must detect to generate a footprint and change to the Blocking state
prior to the default 10 seconds. (The transition after 10 seconds
occurs even if the condition is not met.)
Values: 1–20
Default (per protection):
ICMP 17
IGMP 16
TCP-ACK-FIN 17
TCP-FRAG 17
TCP-RST 17
TCP-SYN 17
TCP-SYN-ACK 17
UDP 20
Packet Header Field The number of anomalous packet-header-field values that the
Values appliance must detect to generate a footprint and change to the
Blocking state.
Values: 1–500
Default: 500
Parameter Description
SDM Protocol Compliance Specifies whether the appliance checks each DNS query for DNS
Checks Status protocol compliance and drops the non-compliant queries.
Default: disable
Controller (Read-only) The selected DNS query type for which you are configuring
footprint bypass.
SYN Protection
SYN Protection Global Parameters
A SYN flood attack is usually aimed at specific servers with the intention of consuming the
configure SYN Protection as a Network Protection to allow
easier protection of multiple network elements.
Before you configure SYN profiles for the network-protection policy, ensure the following:
SYN Protection is enabled and the SYN Flood Protection global parameters are configured.
The Session table Lookup Mode is Full Layer 4.
SSL Mitigation
SSL Policies
DDoS Protector can mitigate SSL-flood attacks with SSL Mitigation policies. When SYN Protection
is triggered for TCP port 443 protection and the SYN Protection profile is configured with the Use
HTTP Authentication checkbox selected, an active SSL Mitigation policy challenges new SSL
connections using a Safe-Reset method. To decrypt and re-encrypt the SSL packets during the
challenge process, DDoS Protector uses the SSL engine of a specified Alteon platform. DDoS
Protector allows traffic from validated clients to pass through the DDoS Protector appliance to the
protected server.
The DDoS Protector SSL Mitigation mechanism works as follows:
1. The DDoS Protector appliance receives a SYN packet from a client on port 443.
2. DDoS Protector responds with an ACK packet with an invalid Sequence Number field as a
cookie.
3. If the client responds with RST and the cookie, DDoS Protector discards the packet, and adds
the source IP address to the TCP Authentication Table.
4. The DDoS Protector appliance passes the next SYN packet from the same source to the SSL
engine of the specified Alteon platform.
5. The Alteon appliance performs the SSL handshake with the client.
6. The DDoS Protector appliance passes the following HTTPS GET or POST request from the
same source to the SSL engine of the Alteon appliance.
7. The Alteon appliance communicates with the DDoS Protector appliance to generate an
encrypted challenge.
8. The DDoS Protector appliance sends the encrypted HTTPS challenge to the client.
9. The DDoS Protector appliance receives a valid response from the client and considers the
connection to be legitimate.
10. The DDoS Protector appliance adds the source IP address to the HTTP Authentication Table.
11. The DDoS Protector appliance passes the encrypted HTTPS response to the SSL engine of the
Alteon appliance.
12. The Alteon appliance communicates with the DDoS Protector appliance to generate an
encrypted termination message.
13. The next SYN packet from the validated source passes through the DDoS Protector appliance
to the server that is under attack, and DDoS Protector acts as a transparent proxy for the
remainder of the session.
SSL Server IP Address The IPv4 address of the SSL server specified on the Alteon appliance.
Network Policy Name The name of the existing Network Protection rule.
Enable SSL Mitigation Specifies whether the appliance enables the SSL Mitigation mechanism
with an Alteon appliance.
Note: DDoS Protector supports inspection of jumbo frames, however
Alteon cannot handle jumbo frames. Therefore, when the Enable SSL
Mitigation and Inspect Jumbo Frames checkboxes are both selected,
the Alteon appliance will drop packets larger than the Alteon
a
TCP or HTTP authentication phases), even though the packets may
belong to legitimate connections.
Health-Check Port The health-check port (that is, the SNMP Traps port) on the Alteon
appliance.
Mask SSL Traffic to and Specifies whether all traffic between DDoS Protector and Alteon is
from Alteon masked with the specified 16-character XOR key.
When this option is enabled, the configuration of the Alteon must
include the proper AppShape++ script with the same 16-character key.
For more information on this, contact the Check Point Support Center.
Values: Enable, Disable
Default: Disable
Note: When the Enable masking between DDoS Protector and Alteon
is selected, the AppShape++ script on the Alteon appliance must be
enabled. When this option is disabled, the AppShape++ must be
disabled. Otherwise, no traffic will flow between DDoS Protector and
Alteon.
Masking Key The 16-character XOR key for masking the traffic between DDoS
Protector and Alteon.
Note: Unexpected behavior is likely to occur if the Enable masking
between DDoS Protector and Alteon is selected and the Masking Key
field is empty.
Parameter Description
SSL Mitigation Status Specifies whether the appliance enables the SSL Mitigation
mechanism with an Alteon appliance.
Default: disable
For more information, see the user guide.
Tracking time The time, in seconds, that the appliance tracks the number
of SYN packets directed to same destination. DDoS
Protector uses the value to determine when to activate and
deactivate SYN Protections.
Values: 1–10
Default: 5
Minimum Allowed SYN The minimum time, in seconds, for the SYN-packet
Retransmission Time retransmission in the Safe-Reset authentication mechanism
to consider the retransmission to be valid.
Values: 2–15
(This parameter is supported only on x412 platforms.)
Default: 2
Maximum Allowed SYN The maximum time, in seconds, for the SYN-packet
Retransmission Time retransmission in the Safe-Reset authentication mechanism
to consider the retransmission to be valid.
Values: 2–15
(This parameter is supported only on x412 platforms.)
Default: 4
Attacks
SYN Static Attacks
Predefined SYN Protections, referred to as SYN Static Attacks, are available for the most common
applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP, and Telnet. The thresholds are
predefined by Check Point.
Use the SYN Protection Static Attack Configuration pane to change the thresholds for these
attacks. You cannot delete SYN Static Attacks.
Note: DDoS Protector x06 models do not support physical-port classification for SYN Protection.
When triggered, all traffic that matches the attacked destination classified by destination IP
address, Layer 4 port number, and optionally a VLAN tag will be challenged, regardless of the
physical port identification. That is, even if the attack is carried out through a specific physical
port, all traffic from all ports that matches the other parameters will be challenged.
Parameter Description
Attack Name A name for easy identification of the attack for configuration and
reporting.
ApplicationPortGroup (Read-only) The group of TCP ports that represent the application that
you want to protect.
Activation Threshold If the average rate of SYN packets received at a certain destination is
higher than this threshold, the protection is activated.
Values: 1–150,000
Default: 2500
Termination Threshold If the average rate of SYN packets received at a certain destination for
the duration of the tracking period drops below this threshold, the
protection is stopped.
Values: 1–150,000
Default: 1500
Risk The risk level assigned to this attack for reporting purposes.
Values:
low
medium
high
Attack Name A name for easy identification of the attack for configuration and
reporting.
ApplicationPortGroup The group of TCP ports that represent the application that you want to
protect.
Activation Threshold If the average rate of SYN packets received at a certain destination is
higher than this threshold, the protection is activated.
Values: 1–150,000
Default: 2500
Termination Threshold If the average rate of SYN packets received at a certain destination for
the duration of the tracking period drops below this threshold, the
protection is stopped.
Values: 1–150,000
Default: 1500
Risk The risk level assigned to this attack for reporting purposes.
Values:
low
medium
high
Profiles
SYN Static Profiles
Use the SYN Profiles pane to create a new SYN Profile. First, you need to create a profile, and then
add the attacks you wish to protect against. The profile may then be included in the SYN Protection
Policy.
SYN Attack From the drop-down list, select the type of attacks to include in this profile.
Authentication The Authentication Method that the appliance uses at the transport layer.
Method
When DDoS Protector is installed in an ingress-only topology, select the
Safe-Reset method.
Values:
transparent-proxy When DDoS Protector receives a SYN packet,
DDoS Protector replies with a SYN ACK packet with a cookie in the
Sequence Number field. If the response is an ACK that contains the
cookie, DDoS Protector considers the session to be legitimate. Then,
DDoS Protector opens a connection with the destination and acts as
transparent proxy between the source and the destination.
safe-reset When DDoS Protector receives a SYN packet, DDoS
Protector responds with an ACK packet with an invalid Sequence
Number field as a cookie. If the client responds with RST and the
cookie, DDoS Protector discards the RST packet, and adds the source
IP address to the TCP Authentication Table. The next SYN packet from
the same source (normally, a retransmit of the previous SYN packet)
passes through DDoS Protector, and the session is approved for the
server. DDoS Protector saves the source IP address for a specified
time.
Default: transparent-proxy
Parameter Description
Authentication The Authentication Method that the appliance uses at the transport layer.
Method
When DDoS Protector is installed in an ingress-only topology, select the
Safe-Reset method.
Values:
transparent-proxy When the appliance receives a SYN packet, the
appliance replies with a SYN ACK packet with a cookie in the Sequence
Number field. If the response is an ACK that contains the cookie, DDoS
Protector considers the session to be legitimate. Then, DDoS Protector
opens a connection with the destination and acts as transparent proxy
between the source and the destination.
safe-reset When DDoS Protector receives a SYN packet, DDoS
Protector responds with an ACK packet with an invalid Sequence
Number field as a cookie. What happens next differs slightly depending
on the platform (see note1 below), but includes DDoS Protector adding
the source IP address to the TCP Authentication Table. Finally, the next
SYN packet from the same source (normally, in the case of non-x412
platforms, a retransmit of the previous SYN packet) passes through
DDoS Protector, and the session is approved for the server. DDoS
Protector saves the source IP address for a specified time. Typically,
you specify this method when the network policy handles only ingress
traffic.
Default: transparent-proxy
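Steps 1 to 3 of the SSL Mitigation flow earlier in this chapter and the safe-reset Authentication Method described in this table are the same mechanism: the appliance answers a SYN with an ACK whose acknowledgment number is a cookie that is invalid for the connection, and a real TCP stack answers that unacceptable ACK with a RST carrying the cookie as its sequence number (RFC 793), which proves the source address is not spoofed. The model below is an added example, not Check Point code. The HMAC-based cookie over the connection 4-tuple and a one-minute epoch, and the 20-minute aging of the TCP Authentication Table (the default named in the TCP Reset section), are assumptions of this model, not documented internals.

```python
"""Model of Safe-Reset TCP authentication (SSL Mitigation steps 1-3 and the
safe-reset Authentication Method above).

Added example, not Check Point code. The cookie is an HMAC over the connection
4-tuple and a one-minute epoch, so no per-SYN state is kept; a client that
follows RFC 793 answers the unexpected ACK with a RST whose sequence number is
the ACK number it received, which lets the cookie be verified statelessly. The
HMAC construction, epoch size and 20-minute aging are assumptions of this model.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FourTuple = Tuple[str, str, int, int]    # src_ip, dst_ip, src_port, dst_port


@dataclass
class SafeReset:
    secret: bytes = field(default_factory=lambda: os.urandom(16))
    aging_seconds: int = 20 * 60                                 # TCP Authentication Table Aging
    auth_table: Dict[str, float] = field(default_factory=dict)   # source IP -> time authenticated

    def _cookie(self, conn: FourTuple, epoch: int) -> int:
        msg = "|".join(str(x) for x in (*conn, epoch)).encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def is_authenticated(self, src_ip: str, now: float) -> bool:
        seen = self.auth_table.get(src_ip)
        if seen is not None and now - seen < self.aging_seconds:
            return True
        self.auth_table.pop(src_ip, None)                        # entry aged out (or absent)
        return False

    def on_syn(self, conn: FourTuple, now: float) -> Tuple[str, Optional[int]]:
        """SYN from an authenticated source passes to the server; any other SYN is
        answered with a bare ACK whose acknowledgment number is the cookie."""
        if self.is_authenticated(conn[0], now):
            return "pass", None
        return "challenge", self._cookie(conn, int(now // 60))

    def on_rst(self, conn: FourTuple, seq: int, now: float) -> bool:
        """RST answering the challenge is always discarded; the source is added to the
        table only if the RST sequence number is the cookie of this or the previous epoch."""
        epoch = int(now // 60)
        if seq in (self._cookie(conn, epoch), self._cookie(conn, epoch - 1)):
            self.auth_table[conn[0]] = now
            return True
        return False


def demo() -> dict:
    sr = SafeReset(secret=b"constructed-demo-secret")             # fixed key for a repeatable run
    t0 = 1_700_000_000.0
    client: FourTuple = ("198.51.100.10", "192.0.2.80", 40000, 443)
    action, cookie = sr.on_syn(client, t0)                         # first SYN is challenged
    wrong = sr.on_rst(client, (cookie ^ 1) & 0xFFFFFFFF, t0 + 0.1)  # RST with a bad cookie
    right = sr.on_rst(client, cookie, t0 + 0.2)                    # RST carrying the cookie
    retransmit, _ = sr.on_syn(client, t0 + 1.0)                    # retransmitted SYN passes
    spoofed, _ = sr.on_syn(("203.0.113.7", "192.0.2.80", 51000, 443), t0 + 1.0)
    aged, _ = sr.on_syn(("198.51.100.10", "192.0.2.80", 40001, 443), t0 + sr.aging_seconds + 1)
    return {"first_syn": action, "cookie": cookie, "bad_rst": wrong, "good_rst": right,
            "retransmit": retransmit, "spoofed_source": spoofed, "after_aging": aged}


if __name__ == "__main__":
    print(demo())
```

The spoofed source in demo() never sees the ACK and so never produces a RST; it stays in the challenged state without the appliance holding any connection state for it, which is what makes the method suitable for the ingress-only topology the table recommends it for.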
HTTP Authentication Specifies whether the appliance authenticates the transport layer of HTTP
traffic using SYN cookies and then authenticates the HTTP application
layer using the specified HTTP Authentication Method.
Values:
enable The appliance authenticates the transport layer of HTTP
traffic using SYN cookies and then authenticates the HTTP application
layer using the specified HTTP Authentication Method.
disable The appliance handles HTTP traffic using the specified TCP
Authentication Method.
Default: disable
HTTP Authentication The method that the profile uses to authenticate HTTP traffic at the
method application layer.
Values:
Redirect The appliance authenticates HTTP traffic using a
302-Redirect response code.
JavaScript The appliance authenticates HTTP traffic using a
JavaScript object generated by the appliance.
Advanced JavaScript DDoS Protector authenticates HTTP traffic
using an obfuscated and polymorphic challenge, which can overcome
advanced attack tools.
Default: Redirect
Note: The Cloud Authentication option is not relevant for DDoS Protector,
and selecting it may cause unexpected results.
Some attack tools are capable of handling 302-redirect responses. The
HTTP Redirect HTTP Authentication Method is not effective against attacks
that use those tools. The JavaScript HTTP Authentication Method requires
an engine on the client side that supports JavaScript, and therefore, the
JavaScript option is considered stronger. However, the JavaScript option
has some limitations, which are relevant in certain scenarios.
Limitations when using the JavaScript HTTP Authentication Method:
If the browser does not support JavaScript calls, the browser will not
answer the challenge.
When the protected server is accessed as a sub-page through another
(main) page only using JavaScript, the user session will fail (that is, the
browser will not answer the challenge.) For example, if the protected
server supplies content that is requested using a JavaScript tag, the
DDoS Protector JavaScript is enclosed within the original JavaScript
block. This violates JavaScript rules, which results in a challenge
failure.
Example: The following request accesses a secure server:
<script>
setTimeout(function(){
    var js = document.createElement("script");
    js.src = "http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
    document.getElementsByTagName("head")[0].appendChild(js);
}, 1000);
</script>
The returned challenge page contains the <script> tag again, which is
illegal, and therefore, it is dropped by the browser without making the
redirect.
TCP-Reset Status Specifies whether DDoS Protector uses the TCP-Reset method ("TCP
Reset" on page 150) for HTTP, HTTPS, SMTP, and custom-protocol traffic
instead of the specified Authentication Method (Transparent Proxy or
Safe-Reset).
Check Point recommends enabling this option in symmetric and
ingress-only environments that include HTTP, HTTPS, and SMTP traffic.
Default: Disabled
TCP Reset
Check Point recommends enabling the TCP-Reset option in symmetric and ingress-only
environments that include HTTP, HTTPS, and SMTP traffic.
Note: When DDoS Protector implements the TCP-Reset mechanism, according to the relevant
RFCs (for HTTP, HTTPS, and SMTP), a new connection must be initiated automatically when the
original connection is reset (in this case, by the TCP-Reset mechanism). For browsers that fully
comply with this aspect of the RFCs, the connection will be re-initiated automatically, and the user
will experience a delay of approximately three seconds with no additional latency expected during
the authentication period. (The authentication period is determined by the TCP Authentication
Table Aging parameter, which, by default, is 20 minutes). For browsers that do not fully comply
with this aspect of the RFCs, legitimate users will receive a notification that the connection is
reset and will need to manually retry the connection. After the retry, the users will be able to
browse with no additional latency expected during the authentication period.
When the TCP-Reset Status is enable, DDoS Protector uses the TCP-Reset authentication method
for HTTP, HTTPS, SMTP, and custom-protocol traffic instead of the specified Authentication
Method (Transparent Proxy or Safe Reset).
Custom-protocol refers to traffic that you define for the TCP-Reset method to handle. To enable
you to do this, DDoS Protector exposes two, system-defined Application Port Groups:
TCPReset-ACK and TCPReset-Data. These Application Port Groups are dummy groups, which are
defined with Layer 4 port 0 (zero).
When DDoS Protector implements the TCP-Reset method, DDoS Protector tries to match packets
to a relevant Application Port Group according to the following order:
1. HTTP
2. HTTPS
3. SMTP
4. TCPReset-Data
5. TCPReset-ACK
DDoS Protector handles packets in a session according to the first packet that matched one of the
relevant Application Port Groups.
When the TCP-Reset option is enabled, DDoS Protector does the following:
1. When it receives a SYN packet, DDoS Protector replies with a SYN-ACK packet with a cookie in
the Sequence Number field using the original destination IP address and MAC, without any
additional authentication parameters (cookies).
e) Click Set.
f) Select Classes > Update Policies and click Set.
2. Configure a SYN Protection profile as follows:
a) Configure a SYN Protection for the SYN Protection Profile in the previous step, and, in the
ApplicationPortGroup text box, type TCPReset-ACK or TCPReset-Data as you require.
b) Click Set.
Out-of-State
Out-of-State Global Parameters
Out of State Protection detects out-of-state packets to provide additional protection for
application-level attacks.
Parameter Description
StartUp Timer When the selected Startup Mode is Graceful, this parameter specifies the
time, in seconds, after startup or reboot, that the DDoS Protector delays
Out-of-State Protection actions and only registers all sessions in the
Session table, including sessions whose initiation was not registered (for
example, SYN with TCP). After this time, DDoS Protector drops new
sessions whose initiation was not registered (for example, SYN with TCP).
Values: 0–65,535
Default: 1800
Out-of-State Profiles
Out of State Protection detects out-of-state packets to provide additional protection for
application-level attacks.
Note: In cases of overlapping network policies configured with Out-of-State profiles, attacks
triggered on both policies are reported twice, once per policy. Therefore, there might be some
inconsistencies in the DDoS Protector counter values for discarded traffic.
DDoS Protector x06 platforms use two CPUs to handle the activation and termination of Out of
State protection. DDoS Protector issues an Occurred trap when half the threshold is reached on
one CPU, and DDoS Protector does not issue Start or Term (terminated) traps. There is a small
chance that DDoS Protector will report Out-of-State security events even if the specified
thresholds have not been reached.
Parameter Description
Activation Threshold The rate, in PPS, of out-of-state packets above which the profile
considers the packets to be part of a flood attack. When the appliance
detects an attack, it issues an appropriate alert and drops the
out-of-state packets that exceed the threshold. Packets that do not
exceed the threshold bypass the DDoS Protector appliance.
Values: 1–250,000
Default: 5000
Termination The rate, in PPS, of out-of-state packets below which the profile
Threshold considers the flood attack to have stopped, and the appliance resumes
normal operation.
Values: 1–250,000
Default: 4000
Packet Trace status Specifies whether the profile sends out-of-state packets to the specified
physical port.
Values: enable, disable
Default: disable
Profile Risk The risk for reporting purposes assigned to the attack that the
profile detects.
Values: info, low, medium, high
Default: low
Profile Action The action that the profile takes when it encounters out-of-state packets.
Values: Block and Report, Report Only
Default: Block and Report
Connection Limit
Connection Limit Profiles
Use the Connection Limit Profiles pane to create Connection Limit profiles.
Connection Limit profiles contain attack definitions for groups of TCP or UDP application ports.
DDoS Protector counts the number of TCP connections, or UDP sessions, opened per client, per
server, or per client plus server combination, for traffic that matches a Connection Limit policy
attack definition. Once the number of connections per second reaches the specified threshold, any
session/connection over the threshold is dropped, unless the action mode defined for this attack is
Report Only.
You can also define whether to suspend the source IP address, dropping traffic from this source
for a number of seconds according to the Suspend table parameters.
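The counting and suspend behaviour just described can be modelled as a sliding one-second window per tracking key. The code below is an added example, not Check Point code: it implements the per-client, per-server, or per-client-plus-server counting, the Threshold default of 5, the Report Only action, and the Suspend Action keys listed in the attack-definition table later in this section. The suspend duration (the Suspend table parameters are not reproduced on this page) and the choice not to suspend in Report Only mode are assumptions of this model; the sample connections are constructed.

```python
"""Model of a Connection Limit attack definition as described above.

Added example, not Check Point code. New TCP connections (or UDP sessions) are
counted per tracking key over a sliding one-second window; connections beyond
the Threshold in that second are dropped (or only reported in Report Only
mode) and, if a Suspend Action is set, matching traffic is suspended for a
number of seconds. Suspend duration and "no suspension in Report Only mode"
are assumptions of this model.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Fields that form the suspension key for each Suspend Action value.
SUSPEND_KEYS = {
    "None": (),
    "SrcIP": ("src",),
    "SrcIP, DestIP": ("src", "dst"),
    "SrcIP, DestPort": ("src", "dport"),
    "SrcIP, DestIP, DestPort": ("src", "dst", "dport"),
    "SrcIP, DestIP, SrcPort, DestPort": ("src", "dst", "sport", "dport"),
}
# Per client, per server, or per client plus server combination.
TRACKING_KEYS = {"source": ("src",), "destination": ("dst",), "source-destination": ("src", "dst")}


@dataclass
class ConnectionLimit:
    threshold: int = 5                      # new connections per second per key (table default)
    tracking: str = "source"
    suspend_action: str = "None"
    suspend_seconds: int = 10               # assumed Suspend-table value
    report_only: bool = False
    windows: Dict[tuple, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    suspended: Dict[tuple, float] = field(default_factory=dict)   # key -> suspension end time
    events: List[Tuple[float, tuple]] = field(default_factory=list)

    def new_connection(self, now: float, src: str, dst: str, sport: int, dport: int) -> str:
        """Decide on one new connection: 'accept', 'drop', 'report' or 'suspended'."""
        conn = {"src": src, "dst": dst, "sport": sport, "dport": dport}
        skey = tuple(conn[f] for f in SUSPEND_KEYS[self.suspend_action])
        if skey and self.suspended.get(skey, 0.0) > now:
            return "suspended"                            # still inside the suspend period
        key = tuple(conn[f] for f in TRACKING_KEYS[self.tracking])
        window = self.windows[key]
        while window and now - window[0] >= 1.0:          # keep only the last second
            window.popleft()
        window.append(now)
        if len(window) <= self.threshold:
            return "accept"
        self.events.append((now, key))                    # security event for the attack
        if self.report_only:
            return "report"
        if skey:
            self.suspended[skey] = now + self.suspend_seconds
        return "drop"


def demo() -> List[str]:
    cl = ConnectionLimit(threshold=5, tracking="source", suspend_action="SrcIP", suspend_seconds=10)
    t0 = 1000.0
    out = []
    # Constructed burst: one client opens seven connections to the same server within 350 ms.
    for i in range(7):
        out.append(cl.new_connection(t0 + i * 0.05, "198.51.100.10", "192.0.2.80", 50000 + i, 443))
    out.append(cl.new_connection(t0 + 0.5, "198.51.100.20", "192.0.2.80", 41000, 443))   # other client
    out.append(cl.new_connection(t0 + 5.0, "198.51.100.10", "192.0.2.80", 50010, 443))   # still suspended
    out.append(cl.new_connection(t0 + 11.0, "198.51.100.10", "192.0.2.80", 50011, 443))  # suspension over
    return out


if __name__ == "__main__":
    print(demo())
```

Tracking by source alone, as in demo(), keeps a second client unaffected by the first client's burst; the same definition with tracking "destination" would count both clients against the one server and is the setting that produces collateral drops on a busy server, which is why the guide recommends pairing these profiles with a destination of Protected Network rather than Any.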
Recommended settings for policies that include Connection Limit profiles:
Configure policies containing Connection Limit profiles using Networks only with source = Any,
the public network, and destination = Protected Network. You can define segments using VLAN
tag, MPLS RDs, and physical ports.
It is not recommended to define networks when the Source and Destination are set to any.
Policies containing Connection Limit profiles can be configured with Direction set to either
oneway or twoway.
Before you configure a Connection Limit profile, ensure the following:
Connection Limit protection is enabled.
The Session table Lookup Mode is Full Layer 4.
(Recommended) The required Connection Limit attacks are configured.
A Connection Limit profile should include all the Connection Limit Attacks that you want to apply
in a network protection policy.
Connection Limit Attacks are also referred to as Connection Limit protections.
Attack Name A descriptive name for easy identification of the attack in configuration
and reporting.
Destination App. Port A group of Layer4 ports that represent the application you want to
protect.
Threshold The maximum number of new TCP connections, or new UDP sessions,
per second, allowed for each source, destination or
source-and-destination pair. All additional sessions are dropped. When
the threshold is reached, attacks are identified and a security event
generated.
Default: 5
Packet Report Specifies whether to enable logging a copy of the filtered packet.
Default: disable
Suspend Action Specifies which session traffic the appliance suspends for the attack
duration.
Values:
None Suspend action is disabled for this attack.
SrcIP All traffic from the IP address identified as the source of this
attack is suspended.
SrcIP, DestIP  Traffic from the IP address identified as the source
of this attack to the destination IP address under attack is suspended.
SrcIP, DestPort  Traffic from the IP address identified as the
source of this attack to the application (Destination port) under attack
is suspended.
SrcIP, DestIP, DestPort  Traffic from the IP address identified as
the source of this attack to the destination IP address and port under
attack is suspended.
SrcIP, DestIP, SrcPort, DestPort  Traffic from the IP address and
port identified as the source of this attack to the destination IP
address and port under attack is suspended.
Default: None
When Tracking Type is Target Count, the Suspend Action can only be
None.
Packet Trace Specifies whether the DDoS Protector appliance sends attack packets to
the specified physical port.
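To make the Connection Limit counting and the Suspend Action behaviour described above concrete, here is an added example: a simplified model written for this section, not Check Point or Radware code and not the appliance's own algorithm. It counts new TCP connections (or UDP sessions) per second per client, per server or per client-plus-server pair, drops every connection over the Threshold unless the attack is Report Only, and suspends the offending key for a fixed number of seconds. The addresses, the port group, the 10-second suspend time and the traffic records are constructed for the example.

```python
"""Connection Limit model (added example, not Check Point or Radware code).

Counts new TCP connections or UDP sessions per second per tracking key,
drops everything over the threshold unless the attack is Report Only, and
suspends the offending source according to the Suspend Action.  The event
records, names and the suspend time below are constructed for the example;
the appliance's own counters and timers are not public.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ConnLimitAttack:
    name: str
    dst_ports: frozenset              # Destination App. Port group; empty = all ports
    threshold: int = 5                # new connections per second per tracked key
    tracking: str = "src"             # "src" (per client), "dst" (per server), "src_dst"
    report_only: bool = False         # Report Only: never drop, only log
    suspend_action: str = "none"      # see _SUSPEND_FIELDS
    suspend_seconds: int = 10         # Suspend table duration (assumed value)


@dataclass
class NewConnection:
    t: float      # seconds since start of the constructed capture
    src: str
    sport: int
    dst: str
    dport: int


# Suspend Action -> which fields of the offending connection form the suspend key
_SUSPEND_FIELDS = {
    "srcip": ("src",),
    "srcip_dstip": ("src", "dst"),
    "srcip_dstport": ("src", "dport"),
    "srcip_dstip_dstport": ("src", "dst", "dport"),
    "srcip_dstip_srcport_dstport": ("src", "dst", "sport", "dport"),
}


def _track_key(attack, conn):
    if attack.tracking == "src":
        return (conn.src,)
    if attack.tracking == "dst":
        return (conn.dst,)
    return (conn.src, conn.dst)


def _suspend_key(attack, conn):
    return tuple(getattr(conn, f) for f in _SUSPEND_FIELDS[attack.suspend_action])


class ConnectionLimiter:
    def __init__(self, attack):
        self.attack = attack
        self.counts = defaultdict(int)   # (whole second, tracking key) -> new connections
        self.suspended = {}              # suspend key -> time the suspension ends
        self.events = []                 # (time, attack name, tracking key) security events

    def process(self, conn):
        """Return "allow", "drop", "report" or "suspended" for one new connection."""
        a = self.attack
        # A suspended key is dropped before any per-port accounting, because the
        # Suspend Action covers all traffic from that key (SrcIP: every port).
        if a.suspend_action != "none":
            key = _suspend_key(a, conn)
            ends = self.suspended.get(key)
            if ends is not None:
                if conn.t < ends:
                    return "suspended"
                del self.suspended[key]
        if a.dst_ports and conn.dport not in a.dst_ports:
            return "allow"   # not an application this attack definition protects
        bucket = (int(conn.t), _track_key(a, conn))
        self.counts[bucket] += 1
        if self.counts[bucket] <= a.threshold:
            return "allow"
        # Threshold crossed within this second: security event, then drop or report
        self.events.append((conn.t, a.name, bucket[1]))
        if a.suspend_action != "none":
            self.suspended[_suspend_key(a, conn)] = conn.t + a.suspend_seconds
        return "report" if a.report_only else "drop"


def demo():
    """Constructed traffic: one source opens 8 HTTP connections within one second."""
    attack = ConnLimitAttack("http-conn-limit", frozenset({80, 443}), threshold=5,
                             tracking="src", suspend_action="srcip", suspend_seconds=10)
    limiter = ConnectionLimiter(attack)
    conns = [NewConnection(i / 10, "198.51.100.7", 40000 + i, "192.0.2.10", 80) for i in range(8)]
    conns += [
        NewConnection(0.5, "203.0.113.4", 51000, "192.0.2.10", 80),    # legitimate client
        NewConnection(0.6, "203.0.113.4", 51001, "192.0.2.10", 443),
        NewConnection(3.0, "198.51.100.7", 40100, "192.0.2.10", 80),   # still suspended
        NewConnection(3.1, "198.51.100.7", 40101, "192.0.2.10", 22),   # SrcIP suspend covers all ports
        NewConnection(11.0, "198.51.100.7", 40200, "192.0.2.10", 80),  # suspension has expired
    ]
    return [limiter.process(c) for c in conns], len(limiter.events)


if __name__ == "__main__":
    print(demo())
```

Only the sixth connection produces a security event and a drop; the later ones from the same source are short-circuited by the suspend table until it expires, which is why a SrcIP suspend also catches the port 22 attempt that the port group alone would have let through.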
PPS
PPS Limit Profiles
PPS Limit profiles (also referred to as Connection PPS Limit profiles) defend against attacks that
flood established TCP connections (not necessarily many connections) with a high PPS rate of
legitimate or non-legitimate packets.
You can configure up to 50 PPS Limit profiles on a DDoS Protector appliance.
Before you configure a PPS limit profile, ensure the following:
The Session table Lookup Mode is Full Layer 4.
(Recommended) The required PPS Limit attacks (that is attack protections) are configured.
A PPS Limit profile should contain all the PPS Limit attack protections that you want to apply in a
Network Protection policy.
3. In the PPS Limiting Profile text box, type the name of the PPS Limit profile.
4. From the PPS Limit Attack drop-down list, select a PPS attack protection to include in the
profile.
5. Click Set.
PPS Attacks
Use the PPS Attacks pane to define a PPS Limit Attack.
Configure PPS Limit attacks (that is, attack protections) to add to PPS Limit profiles for network
protection.
PPS Limit Attacks are also referred to as PPS Limit protections.
Attack Name Descriptive name for easy identification when configuring and
reporting.
Destination App. Port The group of Layer 4 ports representing the application you want to
protect.
Values:
The name of an Application Port Group class displayed under
the Appl. Port Groups
An application-port number
Empty (specifies all ports)
Note: When the field is empty, no matter which port the traffic is
destined, as soon as the traffic exceeds the Activation Threshold,
DDoS Protector applies the specified Action Mode.
Activation Threshold The PPS threshold on a single connection that activates the
protection after the specified Activation Period.
Values: 1–4,294,967,295
Default: 10,000
Termination Threshold The PPS threshold on all the connections that deactivates the
protection after the Termination Period. That is, when the PPS
rate falls below the specified threshold on all the connections,
DDoS Protector considers the attack to have ended after the
Termination Period.
Values: 1–4,294,967,295
Default: 9000
The Termination Threshold must be less than or equal to the
Activation Threshold.
Drop threshold The PPS rate that the protection allows on the connections during
an attack. DDoS Protector drops packets exceeding the specified
Drop Threshold.
Values: 1–4,294,967,295
Default: 0
Action Mode The action that DDoS Protector takes when an attack is detected.
Values: report-only, drop
Default: drop
Activation Period The time, in seconds, after the PPS rate on a connection has
exceeded the Activation Threshold, that DDoS Protector considers
a PPS attack to have started and starts the configured protection
measures.
Values: 1–120
Default: 5
Term Period The time, in seconds, after the PPS rate on a connection has fallen
below the Termination Threshold, that DDoS Protector considers a
PPS attack to have ended.
Values: 1–120
Default: 2
Packet Trace Specifies whether the DDoS Protector appliance sends attack
packets to the specified physical port.
Values: enable, disable
Default: disable
Note: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled. In addition, a change to
this parameter takes effect only after you update policies.
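The Activation and Termination parameters above form a hysteresis: the attack starts only after the rate stays above the Activation Threshold for the Activation Period, and ends only after all connections stay below the Termination Threshold for the Term Period. The following added example models that state machine over per-second packet rates. It is illustrative code written for this section, not Check Point or Radware code; the per-second sample values, the connection names and the Drop Threshold of 5,000 PPS are constructed assumptions.

```python
"""PPS Limit state machine (added example, not Check Point or Radware code).

Each call to tick() feeds one second of per-connection packet rates.  An
attack starts once some connection stays above the Activation Threshold for
Activation Period consecutive seconds, and ends once every connection stays
below the Termination Threshold for Term Period consecutive seconds.  While
an attack is on, packets above the Drop Threshold on each connection are
dropped (or only reported).  Sample rates and the Drop Threshold value are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class PpsLimitAttack:
    name: str
    activation_threshold: int = 10_000   # PPS on a single connection
    termination_threshold: int = 9_000   # PPS that all connections must fall below
    drop_threshold: int = 5_000          # PPS allowed per connection during an attack (assumed)
    activation_period: int = 5           # seconds, 1-120
    termination_period: int = 2          # seconds, 1-120
    report_only: bool = False            # Action Mode report-only instead of drop

    def __post_init__(self):
        for period in (self.activation_period, self.termination_period):
            if not 1 <= period <= 120:
                raise ValueError("Activation Period and Term Period must be 1-120 seconds")
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")


class PpsLimitEngine:
    def __init__(self, attack):
        self.attack = attack
        self.attacking = False
        self.above = 0    # consecutive seconds with some connection over the activation rate
        self.below = 0    # consecutive seconds with every connection under the termination rate
        self.log = []     # (second, "start" | "end")

    def tick(self, second, pps_by_conn):
        """Return ("idle" | "attack", {connection: packets dropped this second})."""
        a = self.attack
        if not self.attacking:
            if any(rate > a.activation_threshold for rate in pps_by_conn.values()):
                self.above += 1
            else:
                self.above = 0          # the run must be consecutive seconds
            if self.above >= a.activation_period:
                self.attacking, self.below = True, 0
                self.log.append((second, "start"))
        else:
            if all(rate < a.termination_threshold for rate in pps_by_conn.values()):
                self.below += 1
            else:
                self.below = 0
            if self.below >= a.termination_period:
                self.attacking, self.above = False, 0
                self.log.append((second, "end"))
        if not self.attacking:
            return "idle", {}
        dropped = {}
        for conn, rate in pps_by_conn.items():
            excess = max(0, rate - a.drop_threshold)
            if excess and not a.report_only:
                dropped[conn] = excess
        return "attack", dropped


def demo():
    """Constructed per-second rates: connection A floods, B stays quiet."""
    engine = PpsLimitEngine(PpsLimitAttack("pps-limit", activation_period=2, termination_period=2))
    samples = [
        {"A": 12_000, "B": 100},   # above activation, 1st second: not yet an attack
        {"A": 13_000, "B": 100},   # 2nd second: attack starts, excess over 5,000 PPS dropped
        {"A": 11_000, "B": 100},
        {"A": 6_000, "B": 100},    # below termination, 1st second
        {"A": 200, "B": 100},      # 2nd second: attack ends
        {"A": 15_000},             # a single spike does not re-activate the protection
    ]
    states, dropped = [], []
    for second, rates in enumerate(samples):
        state, d = engine.tick(second, rates)
        states.append(state)
        dropped.append(d)
    return states, dropped, engine.log


if __name__ == "__main__":
    print(demo())
```

Note that the termination test is applied to all connections while the activation test needs only one, which matches the table: one flooding connection is enough to start mitigation, but every connection must calm down before it stops.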
HTTP Mitigator
HTTP Mitigator Global Setting
The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The
HTTP Mitigator collects and builds a statistical model of the protected server traffic, and then,
using fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and
identifies the malicious sources.
Protection Status Specifies whether the HTTP Mitigator is enabled on the appliance.
HTTP flood protection must be enabled to set HTTP flood
protection parameters.
Default: enable
Learning period before activation  The time, in days, the HTTP Mitigator takes to collect the data
needed to establish the baseline that HTTP Mitigation uses.
Values: 0–65,536
Default: 7
Sensitivity Specifies how sensitive the profile is to deviations from the baseline. High
specifies that the profile identifies an attack when the appliance detects
only a small deviation from the baselines.
Values:
minor
low
medium
high
Default: medium
Action The action that the profile takes when the profile detects suspicious traffic.
Values:
Block and Report Blocks and reports on the suspicious traffic.
Report Only Reports the suspicious traffic.
Default: Block and Report
Packet Report Specifies whether the profile sends samples of attack packets for off-line
analysis.
Default: Enabled
Packet Trace Specifies whether the profile sends attack packets to the specified physical
port.
Values: enable, disable
Default: disable
A change to this parameter takes effect only after you update policies.
Mitigation Failure Condition  The number of automatic attempts that the appliance makes before
announcing an anomaly state, meaning the appliance cannot
mitigate the attack.
Values: 1–100
Default: 3
Clear Authentication List On Negative Feedback  Specifies whether the appliance clears the
authentication table (which is a white list) every time a challenge state fails to block the
attack.
Values: enable, disable
Default: disable
Sensitivity When User-Defined Attack Triggers are not used, this parameter
specifies how sensitive the profile is to deviations from the baseline.
High specifies that the profile identifies an attack when the
appliance detects only a small deviation from the baselines.
Values:
minor
low
medium
high
Default: medium
Action The action that the profile takes when the profile detects suspicious
traffic.
Values:
Block and Report Blocks and reports on the suspicious traffic.
Report Only Reports the suspicious traffic.
Default: Block and Report
Packet Report Specifies whether the profile sends samples of attack packets for
off-line analysis.
Default: Enabled
User Defined Attack Triggers  Specifies whether the profile uses the user-defined attack
triggers below (the request-rate and outbound HTTP bandwidth triggers) to detect an attack,
instead of the Sensitivity-based deviation from the learned baseline.
Default: Enabled
Get and POST Request-Rate Trigger  The maximum number of GET and POST requests allowed, per
server per second.
Values:
0  The profile ignores the threshold.
1–4,294,967,296
Default: 0
Other Request-type Request-Rate Trigger  The maximum number of requests that are not GET or
POST (for example, HEAD, PUT, and so on) allowed, per server per second.
Values:
0  The profile ignores the threshold.
1–4,294,967,296
Default: 0
Note: An attack consisting of other (that is, not GET or POST) requests can cause high
outbound HTTP bandwidth consumption when Outbound HTTP BW Trigger is enabled but Other
Request-type Request-Rate Trigger is disabled, or is enabled with a threshold that the
attack rate does not exceed. The high outbound HTTP bandwidth may then cause the Outbound
HTTP BW Trigger mechanism to consider the attack an anomaly, and the profile will not
mitigate it.
Outbound HTTP BW Trigger The maximum allowed bandwidth, in kilobits per second, of HTTP
responses.
Values:
0 The profile ignores the threshold.
1–4,294,967,296
Default: 0
Request-Rate Threshold The number of HTTP requests per second from a source that
causes the profile to consider the source to be suspicious.
Values: 1–65,535
Default: 5
Request-per-Connection Threshold  The number of HTTP requests for a connection that causes the
profile to consider the source to be suspicious.
Values: 1–65,535
Default: 5
Packet Trace Specifies whether the profile sends attack packets to the specified
physical port.
Values: enable, disable
Default: disable
A change to this parameter takes effect only after you update
policies.
Source Challenge Status Specifies whether the profile challenges HTTP sources that match
the real-time signature.
Values: enable, disable
Default: enable
Collective Challenge Status Specifies whether the profile challenges all HTTP traffic toward the
protected server.
Values: enable, disable
Default: enable
Source Blocking Status Specifies whether the profile blocks all traffic from the suspect
sources.
Values: enable, disable
Default: enable
Challenge Mode Specifies how the profile challenges suspect HTTP sources.
Values:
HTTP Redirect The appliance authenticates HTTP traffic using
a 302-Redirect response code.
JavaScript The appliance authenticates HTTP traffic using a
JavaScript object generated by the appliance.
Advanced JavaScript DDoS Protector authenticates HTTP
traffic using an obfuscated and polymorphic challenge, which
can overcome advanced attack tools.
Default: HTTP Redirect
Note: The Cloud Authentication option is not relevant for DDoS
Protector, and selecting it may cause unexpected results.
Some attack tools are capable of handling 302-redirect responses.
The HTTP Redirect Challenge Mode is not effective against attacks
that use those tools. The JavaScript Challenge Mode requires an
engine on the client side that supports JavaScript, and therefore,
the JavaScript option is considered stronger. However, the
JavaScript option has some limitations, which are relevant in
certain scenarios.
Limitations when using the JavaScript Challenge Mode:
If the browser does not support JavaScript calls, the browser
will not answer the challenge.
When the protected server is accessed as a sub-page through
another (main) page only using JavaScript, the user session will
fail (that is, the browser will not answer the challenge.) For
example, if the protected server supplies content that is
requested using a JavaScript tag, the DDoS Protector JavaScript
is enclosed within the original JavaScript block. This violates
JavaScript rules, which results in a challenge failure.
Example: The request made by the js.src line below accesses a protected server:
<script>
setTimeout(function () {
  var js = document.createElement("script");
  js.src = "http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
  document.getElementsByTagName("head")[0].appendChild(js);
}, 1000);
</script>
The returned challenge page is an HTML document that contains a <script> tag
again, which is not valid JavaScript, and therefore the browser drops it as a
script error without performing the redirect.
Other Requests Decision Engine  Specifies whether the profile identifies an HTTP flood attack
when the rate of requests that are not GET or POST requests exceeds the
learned baseline.
Values: enable, disable
Default: enable
Note: An attack consisting of other (that is, not GET or POST) requests can cause high
outbound HTTP bandwidth consumption when Outbound BW Decision Engine is enabled but Other
Requests Decision Engine is disabled, or is enabled but the request rate does not exceed
the threshold. The high outbound HTTP bandwidth may then cause the Outbound HTTP Bandwidth
mechanism to consider the attack an anomaly, and the profile will not mitigate it.
Requests per source Decision Engine  Specifies whether the profile identifies an HTTP flood
attack when the rate of requests per source exceeds the learned baseline.
Values: enable, disable
Default: enable
Get and POST global requests Decision Engine  Specifies whether the profile identifies an HTTP
flood attack when the rate of GET and POST requests exceeds the learned baseline.
Values: enable, disable
Default: enable
Outbound BW Decision Engine  Specifies whether the profile identifies an HTTP flood attack
when the outbound HTTP bandwidth exceeds the learned baseline.
Values: enable, disable
Default: enable
Requests per connection Decision Engine  Specifies whether the profile identifies an HTTP
flood attack when the rate of requests per connection exceeds the learned baseline.
Values: enable, disable
Default: enable
Authentication Tables
DNS Authentication Table
The DNS authentication table holds the DNS source addresses.
Authentication table status Specifies whether the appliance uses the DNS authentication
table (which is a white list) during a DNS challenge state.
Values: enable, disable
Authentication table aging  The time, in minutes, that the appliance keeps idle sources in the
DNS Authentication table.
Values: 1–60
Default: 20
You can enter a value even if DNS Flood Protection is not enabled,
and the value will persist.
TCP Authentication Table
Authentication table aging  The time, in seconds, that the appliance keeps idle sources in
the TCP Authentication table.
Values: 60–3600
Default: 1200
Authentication table utilization (Read-only) The percentage of the table that is currently full.
HTTP Authentication Table
Authentication table aging  The time, in seconds, that the appliance keeps idle sources in
the HTTP Authentication table.
Values: 60–3600
Default: 1200
Authentication table utilization (Read-only) The percentage of the table that is currently full.
To monitor the TCP Contender table utilization and clean the table:
1. Select DDoS Protector > Authentication table > TCP-Contender.
2. To clean the table, select Clean Table, and click Set.
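The HTTP Redirect Challenge Mode described in the HTTP Mitigator section and the authentication-table aging described above work together: a source that answers the challenge is white-listed, and its entry is removed once it has been idle longer than the aging time. The following added example models that exchange from the appliance's side (it is illustrative code written for this section, not Check Point or Radware code, and the appliance's real challenge format is not public). The cookie name, the HMAC token bound to the source address, the secret and all addresses are constructed assumptions.

```python
"""HTTP Redirect challenge with an aging authentication table (added example,
not Check Point or Radware code).  An unauthenticated source gets a 302 to
the same URL carrying a cookie bound to its address; a client that follows
the redirect and returns the cookie is added to the white list, while a
flood tool that ignores redirects never is.  Idle entries age out.  The
cookie name, token construction and secret are assumptions of this model.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    src: str                                    # client IP address
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)


class AuthTable:
    """White list of sources that answered a challenge; idle entries age out."""

    def __init__(self, aging_seconds):
        self.aging = aging_seconds       # 1200 s is the HTTP table default above
        self.entries = {}                # src -> time of its last request

    def contains(self, src, now):
        seen = self.entries.get(src)
        if seen is None:
            return False
        if now - seen > self.aging:      # idle for longer than the aging time
            del self.entries[src]
            return False
        self.entries[src] = now          # every request keeps the entry fresh
        return True

    def add(self, src, now):
        self.entries[src] = now

    def clear(self):
        """What 'Clear Authentication List On Negative Feedback' would trigger."""
        self.entries.clear()


class RedirectChallenger:
    COOKIE = "dp_auth"   # assumed cookie name

    def __init__(self, secret, table):
        self.secret = secret
        self.table = table

    def _token(self, src):
        # Bound to the source address, so a cookie replayed from another host fails
        return hmac.new(self.secret, src.encode(), hashlib.sha256).hexdigest()[:32]

    def handle(self, req, now):
        """Return ("forward", None) or ("challenge", HttpResponse with the 302)."""
        if self.table.contains(req.src, now):
            return "forward", None
        presented = req.cookies.get(self.COOKIE)
        if presented is not None and hmac.compare_digest(presented, self._token(req.src)):
            self.table.add(req.src, now)            # challenge answered: white-list the source
            return "forward", None
        resp = HttpResponse(302, {"Location": req.path,
                                  "Set-Cookie": f"{self.COOKIE}={self._token(req.src)}"})
        return "challenge", resp


def demo():
    """Constructed exchange: a browser, a flood tool, a replayed cookie, and aging."""
    table = AuthTable(aging_seconds=1200)
    ch = RedirectChallenger(b"constructed-secret", table)
    out = []
    # Browser: challenged once, then follows the 302 and returns the cookie
    verdict, resp = ch.handle(HttpRequest("203.0.113.4", "/index.html"), now=0)
    out.append(verdict)
    name, value = resp.headers["Set-Cookie"].split("=", 1)
    out.append(ch.handle(HttpRequest("203.0.113.4", "/index.html", {name: value}), now=1)[0])
    # Ten minutes later the browser is still white-listed
    out.append(ch.handle(HttpRequest("203.0.113.4", "/a"), now=600)[0])
    # A flood tool that never follows redirects is challenged on every request
    for i in range(3):
        out.append(ch.handle(HttpRequest("198.51.100.7", "/index.html"), now=2 + i)[0])
    # The browser's cookie replayed from the flood tool's address does not verify
    out.append(ch.handle(HttpRequest("198.51.100.7", "/index.html", {name: value}), now=5)[0])
    # After more than the aging time idle, the browser must answer a new challenge
    out.append(ch.handle(HttpRequest("203.0.113.4", "/b"), now=600 + 1201)[0])
    return out


if __name__ == "__main__":
    print(demo())
```

The model also shows why the guide calls the redirect challenge the weaker option: any client that simply follows 302 responses and stores cookies passes, so a flood tool with that capability is white-listed exactly like a browser.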
Anti-Scanning Very Slow Scans Specifies whether Anti-Scanning Protection blocks slow
scans, which can result in very long blocking periods.
When enabled, Anti-Scanning Protection adapts the
blocking interval based on the scanner-activity frequency.
Thus, the appliance will detect the scanner activity again
before the blocking duration elapses. The blocking
duration is calculated as the time between scanning
events multiplied by the Attack Trigger value.
It is recommended to use this option only in exceptional
circumstances, when one scan attempt in 20 minutes is
considered a security threat.
Default: Disabled
Anti-Scanning Maximal Blocking Duration  The maximum time, in seconds, that the Anti-Scanning
Protection blocks the source of a scan if that source
continues to scan the network.
Values: 20–3600
Default: 80
This setting overrides the maximum time set in the
suspend table parameters.
Anti-Scanning Profiles
Use the Anti-Scanning Profiles pane to create a profile and to activate the protocols to be used in
the profile, which include: TCP, UDP, and ICMP.
You can configure up to 20 Anti-Scanning profiles on a DDoS Protector appliance.
The following describes the recommended settings for rules that include Anti-Scanning profiles:
Configure policies containing Anti-Scanning profiles using Networks with Source = Any, the
public network and Destination = Protected Network. This assures optimized attack
detection sensitivity. You can set policies using a VLAN tag, MPLS RD, or physical ports.
It is not recommended to define a network in which the Source and Destination are set to Any,
because it results in lower detection sensitivity.
When the Direction of a policy is set to One Way, DDoS Protector prevents incoming attacks
only. When the Direction of a policy is set to Two Way, the appliance prevents both incoming
and outgoing attacks. In either case, the appliance inspects incoming and outgoing traffic for
connection scoring.
Before you configure an Anti-Scanning profile, ensure the following:
The Session table Lookup Mode is Full Layer 4.
Anti-scanning protection is enabled and the global parameters are configured.
TCP State Specifies whether the profile protects against horizontal and vertical TCP
scans, including worm propagation activity, over TCP.
Values: active, inactive
Default: active
UDP State Specifies whether the profile protects against horizontal and vertical UDP
scans, including worm propagation activity, over UDP.
Values: active, inactive
Default: active
ICMP State Specifies whether the profile protects against ping sweeps.
Values: active, inactive
Default: active
Sensitivity The level of sensitivity to scanning activities before the profile activates
Anti-Scanning protection. High means few scanning attempts trigger the
Anti-Scanning protection, whereas Very Low means a high number of
scanning attempts trigger the Anti-Scanning protection.
Values: high, medium, low, very low
Default: low
Accuracy The accuracy level that determines the minimum number of parameters
used in the footprint. The higher the accuracy, the more parameters
required to appear in the footprint. If DDoS Protector is unable to find a
footprint with the minimum number of parameters for the specified
accuracy level, DDoS Protector does not block the attack. Higher accuracy
means that more parameters are required to appear in the footprint.
Values:
low Any footprint is allowed (including source IP address only).
medium A footprint requires at least two attack-source parameters
using the Boolean AND operator.
high A footprint requires at least three attack-source parameters
using the Boolean AND operator.
Default: medium
SinglePort Specifies whether the DDoS Protector appliance only blocks scans that
are done on a single L4 port. Scans on a single L4 port are usually
network worms. When enabled, DDoS Protector does not block scans that
are done from the same source on multiple L4 ports.
Values: enable, disable
Default: disable
Packet Trace Status Specifies whether the profile sends attack packets to the specified
physical port.
Values: enable, disable
Default: disable
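As an added example of the detection this profile describes (illustrative code written for this section, not Check Point or Radware code, and not the appliance's footprint algorithm), the following detector reads constructed flow records and reports horizontal scans (one port across many hosts), vertical scans (many ports on one host) and ping sweeps once a source has touched enough distinct targets. It applies the SinglePort option, which ignores multi-port scans, and the Very Slow Scans rule above, where the blocking duration is the average time between scanning events multiplied by the trigger value, capped by the Maximal Blocking Duration. The mapping from Sensitivity to a target count, the fixed block duration when Very Slow Scans is off, and all addresses are assumptions.

```python
"""Scan detector (added example, not Check Point or Radware code).

A source is flagged once it has contacted `trigger` distinct
(host, protocol, port) targets.  The Sensitivity -> trigger mapping, the
use of the Maximal Blocking Duration as the plain blocking time, and the
flow records are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Sensitivity -> distinct targets before the scan is declared (assumed values)
SENSITIVITY_TRIGGER = {"high": 5, "medium": 10, "low": 20, "very low": 40}


@dataclass
class AntiScanProfile:
    sensitivity: str = "low"
    single_port: bool = False                   # block only scans of a single L4 port
    protocols: frozenset = frozenset({"tcp", "udp", "icmp"})
    very_slow_scans: bool = False               # adapt the block time to the scan rate
    max_blocking_seconds: int = 80              # Maximal Blocking Duration, 20-3600


@dataclass
class Flow:
    t: float
    src: str
    dst: str
    proto: str
    dport: int      # 0 for ICMP


class ScanDetector:
    def __init__(self, profile):
        self.p = profile
        self.trigger = SENSITIVITY_TRIGGER[profile.sensitivity]
        self.targets = defaultdict(set)    # src -> distinct (dst, proto, dport) seen
        self.times = defaultdict(list)     # src -> times of first contact with each target
        self.blocked_until = {}            # src -> end of the blocking period

    def feed(self, f):
        """Return "pass", "blocked", "ignored" or "block:<kind>:<seconds>"."""
        if f.proto not in self.p.protocols:
            return "pass"
        until = self.blocked_until.get(f.src)
        if until is not None:
            if f.t < until:
                return "blocked"
            del self.blocked_until[f.src]
        key = (f.dst, f.proto, f.dport)
        if key in self.targets[f.src]:
            return "pass"                   # repeat traffic to a known target is not a scan
        self.targets[f.src].add(key)
        self.times[f.src].append(f.t)
        if len(self.targets[f.src]) < self.trigger:
            return "pass"
        return self._classify(f.src)

    def _classify(self, src):
        hosts = {dst for dst, _, _ in self.targets[src]}
        ports = {(proto, port) for _, proto, port in self.targets[src]}
        if self.p.single_port and len(ports) > 1:
            self._reset(src)
            return "ignored"                # SinglePort: only worm-like single-port scans count
        if any(proto == "icmp" for proto, _ in ports):
            kind = "ping-sweep"
        elif len(hosts) == 1:
            kind = "vertical"
        elif len(ports) == 1:
            kind = "horizontal"
        else:
            kind = "mixed"
        ts = self.times[src]
        if self.p.very_slow_scans and len(ts) > 1:
            interval = (ts[-1] - ts[0]) / (len(ts) - 1)          # mean time between events
            duration = min(interval * self.trigger, self.p.max_blocking_seconds)
        else:
            duration = self.p.max_blocking_seconds
        self.blocked_until[src] = ts[-1] + duration
        self._reset(src)
        return f"block:{kind}:{duration:g}"

    def _reset(self, src):
        self.targets[src].clear()
        self.times[src].clear()


def demo():
    out = {}
    det = ScanDetector(AntiScanProfile(sensitivity="high"))
    vertical = [Flow(t, "198.51.100.7", "192.0.2.10", "tcp", p) for t, p in enumerate([21, 22, 23, 25, 80])]
    out["vertical"] = [det.feed(f) for f in vertical]
    out["while_blocked"] = det.feed(Flow(10, "198.51.100.7", "192.0.2.11", "tcp", 443))
    out["after_expiry"] = det.feed(Flow(100, "198.51.100.7", "192.0.2.11", "tcp", 443))
    worm = ScanDetector(AntiScanProfile(sensitivity="high", single_port=True,
                                        very_slow_scans=True, max_blocking_seconds=3600))
    hosts = [f"192.0.2.{i}" for i in range(20, 25)]
    out["horizontal"] = [worm.feed(Flow(60 * i, "198.51.100.9", h, "tcp", 445)) for i, h in enumerate(hosts)]
    out["multi_port_ignored"] = [worm.feed(Flow(300 + i, "198.51.100.8", "192.0.2.30", "tcp", p))
                                 for i, p in enumerate([21, 22, 23, 25, 80])]
    return out


if __name__ == "__main__":
    print(demo())
```

In the slow-scan case the source probes one host a minute, so a fixed 80-second block would expire long before its next probe; the adaptive rule blocks it for 300 seconds, long enough to see the next event while still blocked.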
State Specifies whether the policy is active. You can select inactive to
deactivate the policy without removing it from the list.
Values: active, inactive
Default: active
PhysicalPortGroup The Physical Port class or physical port that the policy uses.
Values:
A Physical Port class
The physical ports on the appliance
VLANTag The VLAN Tag class that the policy uses.
Values: A VLAN Tag class
Direction The direction of the traffic to which the policy relates. This parameter
relates to L4 sessions only.
Values:
one-direct The protection applies to sessions originating from
sources to destinations that match the network definitions of the
policy.
bi-direct The protection applies to sessions that match the
network definitions of the policy regardless of their direction.
Default: one-direct
Action, ReportAction  These fields appear in the table but are not configurable and are
not documented.
All Modules Bypass  Specifies whether the policy bypasses all specific protection modules.
Values:
active  The specified Classification criteria determine the traffic
that is exempt from security inspection.
inactive  The specified source (that is, the source Network class or
source IP address) and the individually selected protection modules determine the
traffic that is exempt from security inspection.
Default: active
Performance is better when All Modules Bypass is active than when the
modules are bypassed individually.
SYN Protection Bypass When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses SYN Protection
inspection.
Values: active, inactive
Default: active
Anti-Scanning Bypass When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses Anti-Scanning inspection.
Values: active, inactive
Default: active
Signature Protection Bypass  When enabled, traffic from the specified source (that is, the
source Network class or source IP address) bypasses Signature Protection
inspection.
Values: active, inactive
Default: active
HTTP Mitigator Bypass When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses HTTP Flood inspection.
Values: active, inactive
Default: active
Server Cracking Bypass  When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses Server Cracking
inspection.
Values: active, inactive
Default: active
Black List
DDoS Protector drops packets that match an active Black List rule. The Black List comprises the
traffic that the appliance always blocks without inspection. You use the Black List as policy
exceptions for security policies. The appliance black-lists packets if all the criteria for the policy
evaluate to true.
This feature is not supported on management interfaces.
You enable or disable the Packet Trace feature for all the Black List rules on the appliance. When
the Packet Trace feature is enabled for Black Lists, the DDoS Protector appliance sends
blacklisted packets to the specified physical port.
State Specifies whether the rule is active. You can select inactive to
deactivate the rule without removing it from the list.
Values: active, inactive
Default: active
PhysicalPortGroup The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class
The physical ports on the appliance
VLANTag The VLAN Tag class that the rule uses.
Values: A VLAN Tag class
Direction The direction of the traffic to which the rule relates. This parameter
relates to L4 sessions only.
Values:
one-direct The protection applies to sessions originating from
sources to destinations that match the network definitions of the
rule.
bi-direct The protection applies to sessions that match the
network definitions of the rule regardless of their direction.
Default: one-direct
Report Action The report action that the appliance takes when it encounters a
packet that matches the rule.
Value:
report The appliance issues a trap when it encounters a
blacklisted packet.
no-report The appliance issues no trap when it encounters a
blacklisted packet.
Description The user-defined description for the rule up to 19 characters.
Entry Expiration Timer (Hours)  The hours remaining for the rule.
Entry Expiration Timer (Minutes)  The minutes remaining for the rule.
The maximum Expiration Timer is two hours.
The Expiration Timer can be used only with dynamic Black List
rules. The Expiration Timer for a static Black List rule must be set to
0 (zero hours and zero minutes).
When the rule expires (that is, when the Entry Expiration Timer
elapses), the rule disappears from the Black List Policy table when
the table refreshes.
Detector  An IP address that identifies the root cause of the black-list
rule. This parameter has no effect on the appliance operation.
If a Security Group configured this Black List rule, the Detector
value displays the IP address of the Security Group Sender.
For more information on Security Groups, see the user guide.
Detector Security Module  A DDoS Protector security module that identifies the root cause of
the black list rule. This parameter has no effect on the appliance
operation.
If a Security Group configured this Black List rule, the Detector
Security Module value displays the DDoS Protector security module
of the Security Group Sender.
Values:
Admin The default value in the context of a user-defined,
dynamic Black List rule.
Server Cracking Displays if a Security Group configured this
Black List rule and it was the Server Cracking module of the
Security Group Sender that detected the threat.
Anti-Scan Displays if a Security Group configured this Black
List rule and it was the Anti-Scanning module of the Security
Group Sender that detected the threat.
Vision Reporter
Connection Limit
Application Security
Syn Protection
HTTP Flood
Behavioral DoS
DNS Flood
Default: Admin
For more information on Security Groups, see the user guide.
Black List Packet Report Specifies whether the appliance sends sampled attack packets to
APSolute Vision for off-line analysis.
To avoid performance degradation, DDoS Protector defines black-list and white-list entries as
hardware entries in the DME as much as possible, according to the following logic:
On platforms with no DME, there are no hardware entries. There is no DME in x06 platforms.
On x412 platforms:
The hardware entries are subnets only.
DDoS Protector can treat 800 IPv4 or 400 IPv6 hardware entries in the DME, and treats the rest
as software entries.
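The Black List semantics above, where a packet is black-listed only if all criteria evaluate to true, one-direct versus bi-direct matching of L4 sessions, and the two-hour Entry Expiration Timer for dynamic rules, are shown in the following added example. It is illustrative code written for this section, not Check Point or Radware code; the rule names, networks and the session records are constructed, and the rule fields are reduced to source and destination networks, destination ports, direction and report action.

```python
"""Black List rule evaluation (added example, not Check Point or Radware code).

A session is dropped when every criterion of an active rule holds.  With
one-direct the session must have been opened from the rule's source network
to its destination network; bi-direct also accepts the reverse.  Dynamic
rules carry an expiry of at most two hours and vanish once it elapses.
Rule names, networks and sessions below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_EXPIRY_MINUTES = 120   # Entry Expiration Timer maximum: two hours


@dataclass
class Session:
    client: str      # address that opened the L4 session
    server: str
    dport: int


@dataclass
class BlackListRule:
    name: str
    src: str                               # CIDR network or "any"
    dst: str
    dst_ports: frozenset = frozenset()     # empty = any destination port
    direction: str = "one-direct"          # or "bi-direct"
    report: bool = True                    # report: send a trap on each hit
    expires_at: Optional[float] = None     # None for a static rule


def valid_expiration(hours, minutes):
    """0 means a static rule; anything else must not exceed two hours."""
    total = hours * 60 + minutes
    return 0 <= total <= MAX_EXPIRY_MINUTES


def make_rule(name, src, dst, now, hours=0, minutes=0, **kw):
    if not valid_expiration(hours, minutes):
        raise ValueError("Expiration Timer must be 0 (static) or at most two hours")
    total = hours * 60 + minutes
    expires = now + total * 60 if total else None
    return BlackListRule(name, src, dst, expires_at=expires, **kw)


def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule, s):
    """All criteria must hold; bi-direct also accepts the session seen in reverse."""
    if rule.dst_ports and s.dport not in rule.dst_ports:
        return False
    forward = _in_net(s.client, rule.src) and _in_net(s.server, rule.dst)
    if rule.direction == "bi-direct":
        return forward or (_in_net(s.server, rule.src) and _in_net(s.client, rule.dst))
    return forward


def evaluate(rules, session, now):
    """Remove expired rules, then return (verdict, rule name, trap sent) for the session."""
    rules[:] = [r for r in rules if r.expires_at is None or now < r.expires_at]
    for r in rules:
        if rule_matches(r, session):
            return "drop", r.name, r.report
    return "inspect", None, False


def demo():
    rules = [
        make_rule("scanner-30min", "198.51.100.0/24", "192.0.2.0/24", now=0, minutes=30),
        make_rule("partner-any-dir", "203.0.113.0/24", "192.0.2.0/24", now=0,
                  direction="bi-direct", report=False),
        make_rule("static-telnet", "any", "192.0.2.0/24", now=0, dst_ports=frozenset({23})),
    ]
    out = [
        evaluate(rules, Session("198.51.100.7", "192.0.2.10", 80), now=60),     # dynamic rule hits
        evaluate(rules, Session("192.0.2.10", "198.51.100.7", 80), now=60),     # reverse: one-direct misses
        evaluate(rules, Session("192.0.2.10", "203.0.113.5", 443), now=60),     # reverse: bi-direct hits
        evaluate(rules, Session("10.9.9.9", "192.0.2.10", 23), now=60),         # static port rule
        evaluate(rules, Session("198.51.100.7", "192.0.2.10", 80), now=1800),   # 30 minutes later
    ]
    return out, [r.name for r in rules]


if __name__ == "__main__":
    print(demo())
```

The last evaluation shows the dynamic rule disappearing at expiry: the same session that was dropped at 60 seconds is handed back to normal inspection at 1800 seconds, and the rule is no longer in the list.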
Policies
Network Protection Policies
The Network Protection policy protects your configured networks using protection profiles.
Before you configure Network Protection policy and profiles, ensure that you have enabled all the
required protections and configured the corresponding global protection parameters.
Each Network Protection consists of two parts:
The classification that defines the protected network segment.
The action to be applied when an attack is detected on the matching network segment. The
action defines the protection profiles to be applied to the network segment, and whether the
malicious traffic should be blocked. Malicious traffic is always reported.
Parameter Description
Source Address The source of the packets that the rule uses.
Values:
A Network class configured in the Classes menu
An IP address
any Any IP address
Default: any
Destination Address The destination of the packets that the rule uses.
Values:
A Network class configured in the Classes menu
An IP address
any Any IP address
Default: any
Inbound Physical Port Group The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class configured in the Classes menu
The physical ports on the appliance
None
Note: If you specify a management port or a Physical Port class
with a management port, the Network Protection policy can
support only Signature Protection and BDoS Protection.
Vlan Tag Group The VLAN Tag class that the rule uses.
Values:
A VLAN Tag class configured in the Classes menu
None
State Specifies whether the policy is enabled.
Values: active, inactive
Default: active
Action The default action for all attacks under this policy.
Values:
Block and Report The malicious traffic is terminated and a
security event is generated and logged.
Report Only The malicious traffic is forwarded to its
destination and a security event is generated and logged.
Default: Block and Report
Signature-specific actions override the default action for the
policy.
Signatures Profile The Signature Protection profile applied to the network segment
defined in this policy.
Connection Limit Profile The Connection Limit profile applied to the network segment
defined in this policy.
Out-Of-State Profile The Out-of-State profile applied to the network segment defined
in this policy.
Behavioral Dos Profile The BDoS profile applied to the network segment defined in this
policy.
SYN Protection Profile The SYN Flood profile applied to the network segment defined in
this policy.
DNS protection Profile The DNS Protection profile applied to the network segment
defined in this policy.
Packet Trace Specifies whether the policy sends attack packets to the specified
physical port.
Values: enable, disable
Default: disable
Packet Trace configuration on policy takes precedence  Specifies whether the configuration of
the Packet Trace feature here, on this policy, takes precedence over the configuration of
the Packet Trace feature in the associated profiles.
Values: enable, disable
Default: disable
Note: A change to this parameter takes effect only after you
update policies.
Packet Report Specifies whether the policy sends sampled attack packets to
APSolute Vision for off-line analysis.
Values: enable, disable
Default: disable
Note: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled.
Anti Scanning Profile The Anti-Scanning profile to be applied to the network segment
defined in this policy.
PPS Profile The Connection PPS Limit profile to be applied to the network
segment defined in this policy.
MPLS RD Group  The MPLS route distinguisher (RD) class that the policy uses. The
appliance dynamically associates the MPLS tag value with the
configured MPLS RD values installed between P and PE routers.
Values:
An MPLS RD class configured in the Classes menu
None
Packet Report configuration on policy takes precedence  Specifies whether the configuration of
the Packet Reporting feature here, on this policy, takes precedence over the
configuration of the Packet Reporting feature in the associated
profiles.
Values: enable, disable
Default: enable
Quarantine State Specifies whether the appliance quarantines all outbound Web
traffic from internal hosts in the destination segment in the
network policy after matching a signature configured with
Web-quarantine option enabled.
To enable this option, the value for the Direction field must be
twoway.
Values: enable, disable
Default: disable
Service Discovery Profile The Service Discovery profile that the Network Protection policy
uses to identify HTTP servers to protect.
Leave the field empty if you do not want to implement the Service
Discovery (on page 206) feature.
To view statistics relating the user-defined policies to the utilization of the DoS
Mitigation Engine:
Select DDoS Protector > Policies > Resources View.
Note: If any of the following values is close to its maximum, the DME resources of the
appliance are close to exhaustion.
Total Number of Policies The total number of policies in the context of the DME, which is
double the number of network policies configured in the appliance.
Sub Policies Utilization The percentage of DME resource utilization from the entries of
sub-policies.
In the context of the DME, a sub-policy is a combination of the
following:
Source-IP-address range
Destination-IP-address range
VLAN-tag range
HW Entries Utilization The percentage of resource utilization from the HW entries in the
context of the DME.
Num of HW Entries The number of DME hardware entries that the policy uses.
Num of Sub-Policies The number of DME sub-policy entries that the policy uses.
Policies Import
Use the Network Protection Policies Import pane to import a Network Protection policy.
Import to Instance The identifier of the DDoS Protector hardware instance onto
which to add the template.
Values: Instance 0, Instance 1
Default: Instance 0
Policies Export
Use the Network Protection Policies Export pane to export a Network Protection policy.
You can export and import Network Protection policies. The exported information is referred to as
a template. The template can include the policy configuration (that is, the definitions and security
settings) and/or policy baselines. A template from a Network Protection policy can include the
baselines from the associated DNS and/or BDoS profiles.
Templates do not include the following information:
DDoS Protector setup and network configuration For example, appliance time, physical
ports, and so on.
DDoS Protector security settings The protections that a policy template uses must be
supported and enabled globally in the target DDoS Protector appliance (that is, the target
DDoS Protector appliance into which you are importing the policy template). For example, if
you export a Network Protection policy that includes a BDoS Protection profile, the DDoS
Protector appliance into which you are importing the policy template must have BDoS
Protection enabled globally (Configuration perspective, Setup > Security Settings > BDoS
Protection > Enable BDoS Protection).
Custom signatures.
policy_<PolicyName>_<DeviceName>__<ddMMyyyy>_<hhmmss>.txt
Example:
policy_MyPol012_MyDevice_19052014_145044.txt
Parameter Description
Configuration Specifies whether DDoS Protector exports the template with the
configuration of the policy.
Default: Enabled
Behavioral DoS Baseline Specifies whether DDoS Protector exports the template with the
current BDoS normal-traffic baseline of the policy.
Default: Enabled
DNS Protection Baselines Specifies whether DDoS Protector exports the template with the
current DNS normal-traffic baseline of the policy.
Default: Enabled
User Signature Profile Specifies whether DDoS Protector exports the template with the
current user-defined signature protection profile of the policy.
Default: Enabled
Policies Delete
Use the Network Protection Policies Delete pane to delete a Network Protection policy and all
associated configuration objects.
Parameter Description
Suspend Table min time The time, in seconds, for which the DDoS Protector appliance
suspends first-time offending source IP addresses.
Default: 10
Suspend Table max time The maximal time, in seconds, for which the DDoS Protector
appliance suspends a specific source. Each time the DDoS
Protector appliance suspends the same source, the
suspension length doubles until it reaches the Maximal Aging
Timeout.
Default: 600
Suspend Table max same source entries The number of times the DDoS Protector
appliance suspends the same source IP address before the DDoS Protector
appliance suspends all traffic from that source IP address regardless of the
specified Suspend Action. For example, if the value for this parameter is 4 and
the specified Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the DDoS Protector
appliance suspends all traffic from a source IP address that had an entry in the
Suspend list more than four times, even if the destination IP address, source
port, and destination ports were different for the previous updates to the
Suspend table.
This parameter is irrelevant when the specified Suspend Action is SrcIP.
Values:
0 The appliance does not implement the feature.
1-10
Default: 0
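The aging rules above (min time, doubling per repeat up to the max time, and the max-same-source cutover to a whole-source suspension) as an added simulation; this is not Check Point code, and the in-memory layout, class and function names are assumptions:

```python
# Added model of the Suspend Table aging rules; names and data layout are assumptions.
SRC_IP_ACTION = "SrcIP"
FULL_TUPLE_ACTION = "SrcIP-DstIP-SrcPort-DstPort"


class SuspendTable:
    def __init__(self, min_time=10, max_time=600, max_same_source=0):
        self.min_time = min_time                # Suspend Table min time, page default 10 s
        self.max_time = max_time                # Suspend Table max time, page default 600 s
        self.max_same_source = max_same_source  # max same source entries, 0 = feature off
        self.history = {}   # src_ip -> (times suspended so far, last suspension length)
        self.entries = {}   # suspend key -> expiry timestamp in seconds

    def suspend(self, now, src_ip, dst_ip, sport, dport, action=FULL_TUPLE_ACTION):
        """Register one suspension of src_ip; return (suspend key, length in seconds)."""
        count, last_len = self.history.get(src_ip, (0, 0))
        # First offence gets the min time; each repeat doubles, capped at the max time.
        length = self.min_time if count == 0 else min(last_len * 2, self.max_time)
        count += 1
        self.history[src_ip] = (count, length)
        # Past the max-same-source count, all traffic from the source is suspended
        # regardless of the configured Suspend Action.
        if action == SRC_IP_ACTION or (self.max_same_source and count > self.max_same_source):
            key = (src_ip,)
        else:
            key = (src_ip, dst_ip, sport, dport)
        self.entries[key] = now + length
        return key, length

    def is_suspended(self, now, src_ip, dst_ip, sport, dport):
        """True when the source (or the exact tuple) still has an unexpired entry."""
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        return (src_ip,) in self.entries or (src_ip, dst_ip, sport, dport) in self.entries


def simulate(max_same_source, repeats):
    """Constructed scenario: one source offends against `repeats` destinations at t=0.

    Returns [(number of fields in the suspend key, suspension length), ...].
    """
    table = SuspendTable(max_same_source=max_same_source)
    out = []
    for i in range(repeats):
        key, length = table.suspend(0, "198.51.100.7", "203.0.113.%d" % (i + 1),
                                    40000 + i, 80)
        out.append((len(key), length))
    return out


if __name__ == "__main__":
    # With max same source entries = 4, the fifth suspension switches to the whole source.
    for step in simulate(max_same_source=4, repeats=7):
        print(step)
```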
Parameter Description
Dest IP The IP address to which traffic was suspended (0.0.0.0 means traffic
to all destinations was suspended).
Dest Port The application port to which traffic was suspended (0 means all
ports).
Module The internal, higher-level module that identified the entry in the
Suspend Table.
Classification Object Type The internal, classification-object Type that identified the entry in
the Suspend Table.
Values: Policy, Server Protection
Classification Object Name The internal, lower-level classification module that identified the
entry in the Suspend Table, for example: Connection Limit.
Reporting
Reporting Global Parameters
Use the Reporting Global Parameters pane to enable DDoS Protector reporting channels and set
the polling time parameters of the Alert Table and the Log File.
Report Interval The frequency, in seconds, at which the reports are sent through
the reporting channels.
Values: 1-65,535
Default: 5
Max Alerts per Report The maximum number of attack events that can appear in each
report (sent within the reporting interval).
Values: 1-2000
Default: 1000
Report Per-Attack Aggregation Threshold The number of events for a specific
attack during a reporting interval, before the events are aggregated to a
report. When the number of the generated events exceeds the Aggregation
Threshold value, the IP address value for the event is displayed as 0.0.0.0,
which specifies any IP address.
Values: 1-65,535
Default: 5
SNMP Traps Sending When enabled, the appliance uses the traps reporting channel.
Default: enable
Syslog Sending When enabled, the appliance uses the syslog reporting channel.
Default: disable
Terminal Echo When enabled, the appliance uses the Terminal Echo reporting
channel.
Default: disable
Email Sending When enabled, the appliance uses the e-mail reporting channel.
Default: disable
SNMP Traps Sending Risk The minimal risk level for the reporting channel. Attacks with the
specified risk value or higher are reported.
Values:
info
low
medium
high
Default: low
Email Sending Risk The minimal risk level for the reporting channel. Attacks with the
specified risk value or higher are reported.
Values:
info
low
medium
high
Default: low
Terminal Echo Risk The minimal risk level for the reporting channel. Attacks with the
specified risk value or higher are reported.
Values:
info
low
medium
high
Default: low
Syslog Sending Risk The minimal risk level for the reporting channel. Attacks with the
specified risk value or higher are reported.
Values:
info
low
medium
high
Default: low
Syslog Sending Severity The minimal severity for the sending of syslog reports for
appliance-health events and audit events. Events with the
specified severity value or higher are reported. Device-health
events include all events related to appliance health, for
example, temperature, fan failure, CPU, tables, resources, and
so on. Audit events include all events related to user operations,
for example, login attempts and configuration changes.
Values (in order of severity):
debug
info
warning
error
fatal
Default: info
Traps Sending Severity The minimal severity for the sending of traps for
appliance-health and audit events. Events with the specified
severity value or higher are reported. Device-health events
include all events related to appliance health, for example,
temperature, fan failure, CPU, tables, resources, and so on. Audit
events include all events related to user operations, for example,
login attempts and configuration changes.
Values (in order of severity):
debug
info
warning
error
fatal
Default: info
Security Log Status When enabled, the appliance uses the security logging reporting
channel.
Packet Report Global Limit The maximum number of packets that the appliance can send
within the Report Interval.
Values: 1-65,535
Default: 100
Security Log
Showing Security Logs
All events and alerts are logged in an all-purpose cyclic log file. The log file can be obtained at any
time.
The size of the log file is limited. When the number of entries exceeds the permitted limit, the
oldest entries are overwritten. You are notified regarding the status of the log file utilization. The
notifications appear when the file is 80% utilized and 100% utilized.
ID
Physical Port The actual port on the appliance from which the attack arrived. The
value of N/A or 0 in this field indicates that the MPLS RD is not
available.
Vlan Tag The VLAN tag. The value of N/A or 0 in this field indicates that the
MPLS RD is not available.
MPLS Tag The Multiprotocol Label Switching tag. The value of N/A or 0 in this
field indicates that the MPLS RD is not available.
Service The security service that detected the attack: Application Security,
DoS Shield, Generic.
Policy Name The policy that was used to detect the attack.
Packet Count The number of packets in the attack since the latest trap was sent.
Action Values:
drop The packet is discarded.
proxy The packet is forwarded to the defined destination.
Reset Source Sends a TCP-Reset packet to the packet's source IP address.
Reset Destination Sends a TCP-Reset packet to the packet's destination
address.
Default Performs the Action Mode that is specified in the
Application Security Global Parameters pane.
Risk How dangerous the attack is.
Values: high, low, medium, info
Packet Trace
Use the following procedure to configure the packet trace parameters.
Enable Packet Trace on Physical Port Specifies whether the Packet Trace feature is
disabled, or enables the feature and specifies the physical port to which the
DDoS Protector appliance sends identified attack traffic (when the Packet Trace
feature is enabled in the policy or profile).
Values:
none The Packet Trace feature is disabled.
The physical, inspection ports (that is, excluding the management ports)
Default: none
Note: A change to this parameter takes effect only after you update
policies.
DDoS Protector x06 models support the Packet Trace functionality only
for dropped traffic.
Max Packet Rate The maximum number of packets per second that the Packet Trace
feature sends.
Values: 1-200,000
Default: 50,000
Note: A change to this parameter takes effect only after you update
policies.
Packet Length The maximum length, in bytes, of dropped packets that the Packet Trace
feature sends. DDoS Protector can limit the size of packets sent by Packet Trace
only for dropped packets. That is, when a rule is configured with
Report Only (as opposed to Block), the Packet Trace feature sends the
whole packets.
Values: 64-1550
Default: 1550
Note: A change to this parameter takes effect only after you update
policies.
If you are interested only in the packet headers of the dropped packets,
set this parameter to the minimal value, 64, to conserve resources.
Attack Database
Attack Database Version
The read-only Attack Database Version pane shows the version of the current attack database.
Risk The risk associated with the trap for the specific anomaly.
Values: Info, Low, Medium, High
Default: Info
Action The action that the appliance takes when the packet anomaly is detected. The
action is only for the specified packet-anomaly protection.
Values:
block The appliance discards the anomalous packets and issues a trap.
report The appliance issues a trap for anomalous packets. If the Report
Action is Process, the packet goes to the rest of the appliance modules. If
the Report Action is Bypass, the packet bypasses the rest of the appliance
modules.
no-report The appliance issues no trap for anomalous packets. If the
Report Action is Process, the packet goes to the rest of the appliance
modules. If the Report Action is Bypass, the packet bypasses the rest of the
appliance modules.
Report Action The action that the DDoS Protector appliance takes on the anomalous packets
when the specified Action is report or no-report. The Report Action is only for
the specified packet-anomaly protection.
Values:
bypass The anomalous packets bypass the appliance.
process The DDoS Protector modules process the anomalous packets. If
the anomalous packets are part of an attack, DDoS Protector can mitigate
the attack.
You cannot select process for the following packet-anomaly protections:
104 Invalid IP Header or Total Length
107 Inconsistent IPv6 Headers
131 Invalid L4 Header Length
Unrecognized L2 Format (This anomaly is available only on x412 platforms. This
anomaly cannot be sampled.) Packets with more than two VLAN tags, L2 broadcast,
or L2 multicast traffic.
ID: 100
Default Action: No Report
Default Report Action: Process
Default Risk: Low
Incorrect IPv4 Checksum (This anomaly is available only on x412 platforms. This
anomaly cannot be sampled.) The IP packet header checksum does not match the
packet header.
ID: 103
Default Action: Drop
Default Report Action: Process
Default Risk: Low
Invalid IPv4 Header or Total Length The IP packet header length does not match
the actual header length, or the IP packet total length does not match the
actual packet length.
ID: 104
Default Action: Drop
Report Action: Bypass
Default Risk: Low
TTL Less Than or Equal to 1 The TTL field value is less than or equal to 1.
ID: 105
Default Action: Report
Default Report Action: Process
Default Risk: Low
IPv6 Hop Limit Reached IPv6 hop limit is not greater than 1.
ID: 108
Default Action: Report
Default Report Action: Process
Default Risk: Low
Invalid TCP Flags The TCP flags combination is not according to the standard.
ID: 113
Default Action: Drop
Default Report Action: Process
Default Risk: Low
Source or Dest. Address same as Local Host The IP packet source address or
destination address is equal to the local host.
ID: 119
Default Action: Drop
Default Report Action: Process
Default Risk: Low
Source Address same as Dest Address (Land Attack) The source IP address and the
destination IP address in the packet header are the same. This is referred to
as a LAND, Land, or LanD attack.
ID: 120
Default Action: Drop
Default Report Action: Process
Default Risk: Low
L4 Source or Dest. Port Zero The Layer 4 source port or destination port equals zero.
ID: 125
Default Action: Drop
Default Report Action: Process
Default Risk: Low
Invalid L4 Header Length The length of the Layer 4, TCP/UDP/SCTP header is invalid.
ID: 131
Default Action: Drop
Report Action: Bypass (you cannot select Process for this packet-anomaly
protection).
Default Risk: Low
Broadcast Destination MAC Address The L2 destination MAC is all F values, that
is, 0xFFFFFFFFFFFF.
ID: 132
Default Action: No Report
Default Risk: Low
Report Action: Process
Multicast Destination MAC Address The L2 destination MAC has multicast values,
that is, a destination MAC address where the low-order bit of the first byte is
set.
ID: 133
Default Action: No Report
Default Risk: Low
Report Action: Process
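To make the table above concrete, here is an added classifier (not Check Point code) that applies several of these checks to a raw Ethernet/IPv4 frame and returns the anomaly IDs from the table. The page does not say exactly which TCP flag combinations are non-standard or what "local host" means; the choices below (SYN with FIN or RST, or no flags; 127.0.0.0/8) are assumptions, as are the function names and the constructed test frames.

```python
import struct
import ipaddress

TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


def ipv4_checksum(header):
    """RFC 791 header checksum, computed with the checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify_frame(frame):
    """Return the sorted anomaly IDs (from the table above) that the frame triggers."""
    found = set()
    dst_mac = frame[:6]
    if dst_mac == b"\xff" * 6:
        found.add(132)                 # Broadcast Destination MAC Address
    elif dst_mac[0] & 0x01:
        found.add(133)                 # Multicast Destination MAC Address
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return sorted(found)           # only IPv4 is modelled here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or ihl > len(ip) or total_len != len(ip):
        found.add(104)                 # Invalid IPv4 Header or Total Length
        return sorted(found)
    if ipv4_checksum(ip[:ihl]) != struct.unpack("!H", ip[10:12])[0]:
        found.add(103)                 # Incorrect IPv4 Checksum
    ttl, proto = ip[8], ip[9]
    if ttl <= 1:
        found.add(105)                 # TTL Less Than or Equal to 1
    src = ipaddress.ip_address(ip[12:16])
    dst = ipaddress.ip_address(ip[16:20])
    if src.is_loopback or dst.is_loopback:   # assumption: local host = 127.0.0.0/8
        found.add(119)
    if src == dst:
        found.add(120)                 # Land Attack
    l4 = ip[ihl:]
    if proto in (6, 17):               # TCP or UDP
        if len(l4) < 4:
            found.add(131)             # Invalid L4 Header Length
            return sorted(found)
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == 0 or dport == 0:
            found.add(125)             # L4 Source or Dest. Port Zero
        if proto == 6:
            data_off = (l4[12] >> 4) * 4 if len(l4) >= 13 else 0
            if data_off < 20 or data_off > len(l4):
                found.add(131)
            else:
                flags = l4[13] & 0x3F
                # assumption: no flags, or SYN together with FIN/RST, is non-standard
                if flags == 0 or (flags & TCP_SYN and flags & (TCP_FIN | TCP_RST)):
                    found.add(113)     # Invalid TCP Flags
        elif len(l4) < 8 or struct.unpack("!H", l4[4:6])[0] != len(l4):
            found.add(131)             # UDP length must cover header plus data
    return sorted(found)


# Constructed test frames (not captured traffic).
def tcp_segment(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_frame(dst_mac, src_ip, dst_ip, l4, ttl=64, proto=6, corrupt_checksum=False):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    csum = ipv4_checksum(hdr) ^ (0xFFFF if corrupt_checksum else 0)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return dst_mac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + hdr + l4


UNICAST = b"\x02\x00\x00\x00\x00\x02"
CLEAN = build_frame(UNICAST, "10.0.0.1", "10.0.0.2", tcp_segment(40000, 80, TCP_SYN))
LAND_BCAST = build_frame(b"\xff" * 6, "10.0.0.2", "10.0.0.2", tcp_segment(80, 80, TCP_SYN))
MULTI_BAD = build_frame(b"\x01\x00\x5e\x00\x00\x01", "127.0.0.1", "10.0.0.2",
                        tcp_segment(0, 80, TCP_SYN | TCP_FIN), ttl=1, corrupt_checksum=True)
UDP_BADLEN = build_frame(UNICAST, "10.0.0.1", "10.0.0.2",
                         struct.pack("!HHHH", 5353, 53, 20, 0) + b"abcd", proto=17)
TRUNCATED = CLEAN[:-5]   # IP total length now claims more bytes than are present
```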
Service Discovery
Service Discovery Global Parameters
Use the Service Discovery feature in a Network Protection policy to identify HTTP servers in a
specified network and protect the discovered servers with the default HTTP-flood-mitigator
profile.
The Service Discovery mechanism discovers HTTP servers by identifying HTTP responses.
Therefore, in order to use Service Discovery, the DDoS Protector appliance needs to be in a
topology where it can inspect both HTTP requests and HTTP responses.
The details of the discovered servers are contained in the Server Protection table.
When a discovered server is no longer active for a specified period, the Service Discovery
mechanism can remove the server from the table.
To implement the Service Discovery feature, when you configure a Network Protection policy, you
specify the Service Discovery profile to use in the policy.
Note: The Service Discovery mechanism does not create audit events when adding or removing
servers.
Mechanism Status Specifies whether the DDoS Protector appliance uses the Service
Discovery feature.
Values: enable, disable
Default: enable
Tracking Time The time, in minutes, that the Service Discovery mechanism tracks a
server sending HTTP responses. The Service Discovery mechanism uses
the Tracking Time and the specified number of HTTP responses during
the Tracking Time to determine whether to protect the server.
Values: 1-60
Default: 5
Revalidation Time Specifies how often, in days, the Service Discovery mechanism
revalidates the discovered servers.
Values:
1-365
disable Once identified, the Service Discovery mechanism never
revalidates a server to protect.
Default: 7
Responses per Minute The average number of HTTP responses per minute during the Tracking
Time (specified globally) that causes the Service Discovery mechanism
to protect the server. If the total value is reached before the Tracking
Time elapses (Responses per Minute × Tracking Time), the Service
Discovery mechanism adds the server to the Server Protection table
immediately.
Values: 1-5000
Default: 100
Automatic Removal Specifies whether the Service Discovery mechanism removes the server
from the Server Protection table if, after the Revalidation Time, the
server does not meet the Tracking-Time-Responses-per-Minute
criteria.
Values: Yes, No
Default: No
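The Tracking Time / Responses per Minute decision and the revalidation-with-automatic-removal rule, as an added simulation. This is not Check Point code; the class and method names, the per-server window bookkeeping and the use of minutes and days as time units are assumptions.

```python
class ServiceDiscovery:
    """Added model of the Service Discovery global parameters (assumed names)."""

    def __init__(self, tracking_time=5, responses_per_minute=100,
                 revalidation_time=7, automatic_removal=False):
        self.tracking_time = tracking_time                  # minutes, 1-60
        self.responses_per_minute = responses_per_minute    # 1-5000
        self.revalidation_time = revalidation_time          # days, 1-365, or "disable"
        self.automatic_removal = automatic_removal          # Yes/No on the page
        self.windows = {}     # server -> (window start minute, responses in window)
        self.protected = {}   # Server Protection table: server -> day added/revalidated

    @property
    def threshold(self):
        # Responses per Minute x Tracking Time: reaching this total early adds the
        # server immediately; an average of responses_per_minute over the whole
        # Tracking Time reaches exactly the same total.
        return self.responses_per_minute * self.tracking_time

    def observe_response(self, server, minute):
        """Count one HTTP response from server; True when it becomes protected."""
        if server in self.protected:
            return False
        start, n = self.windows.get(server, (minute, 0))
        if minute - start >= self.tracking_time:
            start, n = minute, 0          # window elapsed below threshold: start over
        n += 1
        if n >= self.threshold:
            self.protected[server] = minute // (24 * 60)
            self.windows.pop(server, None)
            return True
        self.windows[server] = (start, n)
        return False

    def revalidate(self, server, day, responses_in_window):
        """Apply the Revalidation Time rule; True when the server is removed."""
        if server not in self.protected or self.revalidation_time == "disable":
            return False
        if day - self.protected[server] < self.revalidation_time:
            return False
        self.protected[server] = day
        if self.automatic_removal and responses_in_window < self.threshold:
            del self.protected[server]    # no longer meets the criteria
            return True
        return False
```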
Security
In This Section:
Management Ports .....................................................................................................209
Ports Access ...............................................................................................................209
SNMP ...........................................................................................................................210
Ping Physical Ports Table ..........................................................................................216
Users ...........................................................................................................................216
Certificates ..................................................................................................................218
Management Ports
Use the Management Ports Table pane to enable or disable access to a management port.
Ports Access
You can specify how unbound UDP and TCP ports respond to SYN packets.
SNMP
SNMP Global Parameters
DDoS Protector can work with SNMPv1, SNMPv2, and SNMPv3.
Use the SNMP Global Parameters pane to configure the SNMP global parameters.
Supported SNMP Version After Reset The SNMP versions that will be supported by the
SNMP agent after resetting the appliance. Select the checkboxes of the SNMP
versions to support.
SNMP Ports The UDP port on which the agent listens for SNMP requests.
Parameter Description
Security Name The user name associated with the community string.
Transport Tag Specifies a set of target addresses from which the SNMP accepts SNMP
requests and to which traps may be sent. The target addresses identified by
this tag are defined in the Target Address table. If this string is empty,
addresses are not checked when an SNMP request is received or when a
trap is sent. If this string is not empty, the transport tag must be contained in
the value of the Tag List of at least one entry in the Target Address table.
Parameter Description
WriteView Name The name of one or more entries in the View Tree Family Table. Specifies
which objects in the MIB tree are writable by this group.
NotifyView Name The name of one or more entries in the View Tree Family Table. Specifies
which objects in the MIB tree can be accessed in notifications (traps) by this
group.
Type Specifies whether objects defined in this entry should be included or excluded
in the MIB view.
Default: included
Name A descriptive name for this entry; for example, the type of notification.
Tag A string that defines the target addresses that are sent with this notification. All
target addresses that have this tag in their tag list are sent with this
notification.
Security Model The SNMP version that represents the required Security Model.
Security models are predefined sets of permissions that can be used by the
groups. These sets are defined according to the SNMP versions. By selecting
the SNMP version for this parameter, you determine the permissions set to be
used.
Values:
SNMPv1
SNMPv2c
User Based (that is, SNMPv3)
Default: SNMPv1
Security Name If the User Based security model is used, the security name identifies the user
that is used when the notification is generated. For other security models, the
security name identifies the SNMP community used when the notification is
generated.
Security Level Specifies whether the trap is authenticated and encrypted before it is sent.
Values:
noAuthNoPriv No authentication or privacy are required.
authNoPriv Authentication is required, but privacy is not required.
authPriv Both authentication and privacy are required.
Default: No Authentication
Address-Port The IP address of the management station and TCP port to be used as the
target of SNMP traps. The format of the values is <IP address >-<TCP port>,
where <TCP port> must be 162. For example, if the value for Address-Port is
1.2.3.4-162, 1.2.3.4 is the IP address of the management station and 162 is
the port number for SNMP traps.
Tag List Specifies sets of target addresses. Tags are separated by spaces. The tags
contained in the list may be tags from the Notify table or Transport tags from
the Community table.
Each tag can appear in more than one tag list. When a significant event
occurs on the network appliance, the tag list identifies the targets to which a
notification is sent.
Parameters The set of target parameters to be used when sending SNMP Traps. Target
parameters are defined in the Target Parameters table.
Traps Security Sending Specifies whether the appliance sends security-event traps
to the target address. Security events include all events related to attack
detection and mitigation: start, ongoing, occurred, sampled, and terminated.
Default: Enabled
Traps Health Sending Specifies whether the appliance sends appliance-health event
traps to the target address. Device-health events include all events related to
appliance health, for example, temperature, fan failure, CPU, tables, resources,
and so on.
Default: Enabled
Traps User Audit Sending Specifies whether the appliance sends audit-event traps
to the target address. Audit events include all events related to user
operations, for example, login attempts and configuration changes.
Default: Enabled
Users
You can configure a list of users who are authorized to access the appliance through any enabled
access method (Web, Telnet, SSH, SWBM). When configuration tracing is enabled, users can
receive e-mail notifications of changes made to the appliance.
Authentication Method Values:
Local User Table The appliance uses the User Table to authenticate
access.
Radius and Local User Table The appliance uses the RADIUS servers
to authenticate access. If the request to the RADIUS server times out,
the appliance uses the User Table to authenticate access.
Default: Local User Table
Email Address The e-mail address of the user to which notifications will be sent.
SSH public key name The name of the SSH public key.
Certificates
Certificates Table
Use the Certificates Table pane to manage keys and certificates.
Create and Delete functionality is available only when you are connected with a secure protocol,
such as HTTPS.
To update an entry:
1. Select Security > Certificates > Table.
2. Click the entry name.
3. To create a new certificate, click Create.
4. Configure the parameters, and click Set.
To create an entry:
1. Select Security > Certificates > Table.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Key Passphrase The key password (the same that you use to export the key from the
web server).
Certificate Expiry (Read-only) The date of expiry in DDD MMM dd hh:mm:ss yyyy format.
Example: SAT SEP 01 08:29:40 2012
Certificate Validity The number of days for which the certificate is valid.
To delete an entry:
1. Select Security > Certificates > Table.
2. Select the checkbox in the row with the entry.
3. Click Delete.
Type Values:
Key
Certificate
Certificate and Key
Format (Read-only) The format for the specified Type.
Passphrase The password (the same that you use to export the key from the Web server).
to import includes a header or footer, you must remove it before importing it. Common external
applications such as openssl or ssh-keygen may include a header and footer when they generate a
certificate. A certificate that DDoS Protector generates does not include a header or footer.
Type Values:
Key
Certificate
Certificate and Key
Intermediate CA Certificate
Certificate of Client CA
SSH Public Key
Format (Read-only) The format for the specified Type.
Passphrase The password (the same that you use to export the key from the Web Server).
Classes
In This Section:
Modify ..........................................................................................................................222
View Active ..................................................................................................................232
Activate Latest Changes .............................................................................................233
Modify
Modify Networks
You can view active networks, as well as configure new ones. You can define networks that are
used by the appliance (active) and you can define networks that are kept in a separate database
until they are required (inactive).
You can add, modify and delete these networks according to your requirements.
A network class is identified by a name and defined by a network address and mask, or by a range
of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2
can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2
can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration.
Using classes enables you to define a network comprised of multiple subnets and/or IP ranges, all
identified with the same class name. For example, network net1 can be 10.0.0.0/255.255.255.0 and
10.1.1.1 to 10.1.1.7.
You can use network classes in the following:
Black lists
White lists
Network-protection policies to match source or destination traffic
Sub Index When you define multiple network classes with the same name,
you must assign each instance a different sub-index number.
The numbers do not need to be sequential or in order.
Parameter Description
Mask The mask of the subnet, which you can enter in either of the
following ways:
(For an IP Mask entry only)
A subnet mask in dotted decimal notation, for example,
255.0.0.0 or 255.255.0.0.
An IP prefix, that is, the number of mask bits, for example,
8 or 16.
From IP The first IP address in the range.
(For an IP Range entry only)
Modify Services
Basic Filters
Use Services to filter traffic. Services classify traffic based on criteria for Layers 3-7. A Service is
a configuration of a basic filter, which may be combined with logical operators to achieve more
sophisticated filters (AND Group filters and OR Group filters). DDoS Protector supports a long list
of predefined basic filters. A basic filter includes attributes that specify parameters such as
protocol, application port, and content type. When the protocol of a basic filter is TCP or UDP, the
filter can include a text string.
A basic filter includes the following components:
Protocol The specific protocol that the packet should carry. The choices are IP, TCP, UDP,
ICMP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and UDP)
will be considered.
When configuring TCP or UDP, the following additional parameters are available:
Destination Port (From-To) Destination port number for that protocol. For example, for
HTTP, the protocol would be configured as TCP and the destination port as 80. The port
configuration can also allow for a range of ports to be configured.
Source Port (From-To) Similar to the destination port, the source port that a packet
should carry in order to match the filter can be configured.
Offset Mask Pattern Condition (OMPC) The OMPC is a means by which any bit pattern can
be located for a match at any offset in the packet. This can aid in locating specific bits in the IP
header, for example. TOS and DiffServ bits are perfect examples of where OMPCs can be
useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured,
there should be an OMPC match in addition to a protocol (and source/destination port) match.
In other words, if an OMPC is configured, the packet needs to match the configured protocol
(and ports) and the OMPC.
Content Specifications When the protocol of a basic filter is TCP or UDP, you can search for
any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the
packet. HTTP URLs are perfect examples of how a text search can help in classifying a session.
You can choose from the many types of configurable content, for example, URL, hostname,
HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so
on.
When the content type is URL, for example, the module assumes the session to be HTTP with a
GET, HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to
find a match for the configured text. In this case, the configured offset is meaningless, since
the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is text, the
module searches the entire packet for the content text, starting at the configured offset.
By allowing a filter to take actual content of a packet/session into account, the module can
recognize and classify a wider array of packets and sessions.
Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule
exists in the filter, the packet needs to match the configured protocol (and ports), the OMPC (if
one exists) and the Content Rule.
Note: If you edit the parameters of the filter, which is bound to the existing policy, you need to
activate the latest changes.
Protocol Values:
IP
TCP
UDP
ICMP
NonIP
ICMPV6
SCTP
Default: IP
Note: Do not choose the NonIP option. It produces unexpected results.
Source App. Port The Layer-4 source port or source-port range for TCP, UDP, or SCTP
traffic.
Values: A value in the range 0-65,535; value ranges (for example, 30-400)
with the To value greater than the Source Port Range From value; dcerpc, dns,
ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn,
my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell,
rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp
Destination App. Port The Layer-4 destination port or destination-port range for TCP, UDP,
or SCTP traffic.
Values: A value in the range 0-65,535; value ranges (for example, 30-400)
with the To value greater than the Destination Port Range From value; dcerpc, dns,
ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn,
my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell,
rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp
OMPC Offset The location in the packet where the data starts being checked for
specific bits in the IP or TCP header.
Values: 0-1513
Default: 0
OMPC Offset Relative To Specifies to which OMPC offset the selected offset is relative.
Values:
None
IPv4 Header
IPv6 Header
IP Data
L4 Data
ASN1
Ethernet
L4 Header
Default: None
OMPC Mask The mask for OMPC data. The value must be defined according to the
OMPC Length parameter.
Values: Must comprise eight hexadecimal symbols
Default: 00000000
OMPC Pattern: The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter. The OMPC Pattern must contain eight hexadecimal symbols. If the value for the OMPC Length parameter is smaller than Four Bytes, you need to pad the OMPC Pattern with zeros. For example, if OMPC Length is two bytes, the OMPC Pattern can be abcd0000.
Values: Must comprise eight hexadecimal symbols
Default: 00000000
Content Offset: The location in the packet at which the checking of content starts.
Values: 0-1513
Default: 0
Distance: A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.
Content End Offset: The location in the packet at which the checking of content ends.
Values: 0-1513
Default: 0
Content Data: Refers to the search for the content within the packet.
Content Coding: The encoding type of the content to search for (as specified in the Content field).
Values: None, Case Insensitive, Case Sensitive, HEX, International
Default: None
The value of this field corresponds to the Content Type parameter.
Content Data Coding: The encoding type of the content data to search for (as specified in the Content Data field).
Values: None, Case Insensitive, Case Sensitive, HEX, International
Default: None
The value of this field corresponds to the Content Type parameter.
Session Type Direction: The specific direction of the specified session type to search for.
Values: All, Request, Reply
Default: None
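The following is an added example, not Check Point's code, of how the Content Offset, Content End Offset and Content Coding parameters in the table above combine into a single content check: the search is confined to the byte window between the two offsets, and the coding decides how the configured string is turned into bytes and compared. The function names, the treatment of an end offset of 0 as "search to the end of the packet", the UTF-8 reading of the International coding, and the sample packet are all assumptions made for this illustration.

```python
"""Added illustration of a content check with Content Offset, Content End Offset
and Content Coding. Example code only; names and sample data are constructed."""


def encode_content(content: str, coding: str) -> bytes:
    """Turn the configured Content string into the byte pattern to search for."""
    if coding == "HEX":
        # Content is given as hexadecimal symbols, e.g. "504f5354" for "POST".
        return bytes.fromhex(content)
    if coding == "International":
        # Assumption for this example: international text is matched as UTF-8 bytes.
        return content.encode("utf-8")
    # None, Case Sensitive and Case Insensitive all use the single-byte text as typed.
    return content.encode("latin-1")


def content_match(packet: bytes, content: str, coding: str = "None",
                  content_offset: int = 0, content_end_offset: int = 0) -> bool:
    """Return True when `content` occurs inside packet[content_offset:content_end_offset].

    Offsets follow the table's 0-1513 range. An end offset of 0 (the default) is
    taken here to mean "check up to the end of the packet" (an assumption)."""
    for value in (content_offset, content_end_offset):
        if not 0 <= value <= 1513:
            raise ValueError("offsets must be in the range 0-1513")
    end = content_end_offset if content_end_offset else len(packet)
    window = packet[content_offset:end]
    needle = encode_content(content, coding)
    if not needle:
        return False  # an empty pattern never counts as a match
    if coding == "Case Insensitive":
        return needle.lower() in window.lower()
    return needle in window


# Constructed sample payload (not a captured packet).
SAMPLE_PACKET = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=a&pass=b"


def demo() -> dict:
    """Run the same packet through several configurations and report the outcome."""
    return {
        "case_insensitive": content_match(SAMPLE_PACKET, "post /LOGIN", "Case Insensitive"),
        "case_sensitive": content_match(SAMPLE_PACKET, "post /LOGIN", "Case Sensitive"),
        "hex": content_match(SAMPLE_PACKET, "504f5354", "HEX"),
        "offset_skips_match": content_match(SAMPLE_PACKET, "POST", content_offset=5),
        "window_too_short": content_match(SAMPLE_PACKET, "POST", content_end_offset=3),
        "window_exact": content_match(SAMPLE_PACKET, "POST", content_end_offset=4),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The offset window matters for cost as much as for precision: restricting the check to the first few bytes of the Layer-4 payload keeps a signature from scanning the whole packet, and the case-insensitive mode costs a lowercase copy of that window on every packet.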
AND Groups
An AND Group filter is a combination of basic filters with a logical AND between them.
For example, the basic filters F1, F2, and F3 have been individually configured, and filter AF1 is user-defined as AF1 = {F1 AND F2 AND F3}. For a packet to match AF1, the packet must match all three filters (F1, F2, and F3).
You cannot modify or delete predefined AND Groups.
If you edit the parameters of an AND Group that is bound to an existing policy, you must activate the latest changes.
Basic Filter Name: The basic filter for this AND Group.
OR Groups
An OR Group filter is a combination of basic filters and/or AND Groups with a logical OR between them. DDoS Protector supports a set of predefined, static OR Groups. The predefined OR Groups are based on the predefined basic filters.
For example, the basic filters F1, F2, and F3 have been individually configured, and filter AF1 is user-defined as AF1 = {F1 AND F2 AND F3}. For a packet to match AF1, the packet must match all three filters (F1, F2, and F3). Filter FG1 is user-defined as FG1 = {AF1 OR F4 OR F6}. For a packet to match FG1, the packet must match AND Group AF1, basic filter F4, or basic filter F6.
You cannot modify or delete predefined OR Groups.
If you edit the parameters of an OR Group that is bound to an existing policy, you must activate the latest changes.
Parameter Description
Filter Name: The filter for this OR Group, which can be a Basic filter or an AND Group.
To Port: The last port in the range. To define a group with a single port, set the same value for the From Port and To Port fields.
Inbound Port: The inbound port associated with the Port Group.
View Active
View Active Networks
You can view the active network classes that are configured on the appliance.
Performance
In This Section:
Element Statistics.......................................................................................................234
Element Statistics
IP Packet Statistics
To show the IP packet statistics:
Select Performance > Element Statistics > IP.
Parameter Description
IP Receivers: The total number of input datagrams received from interfaces, including those received in error.
IP Header Errors: The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their options, and so on.
IP Discarded: The total number of input datagrams discarded. Note: This counter does not include any datagrams discarded while awaiting re-assembly.
IP Out Requests: The total number of IP datagrams, which local IP user-protocols (including ICMP) supplied to IP in requests for transmission.
IP Out Discards: The total number of IP datagrams, which local IP user-protocols (including ICMP) supplied to IP in requests for transmission.
SNMP
To show the SNMP element statistics:
Select Performance > Element Statistics > SNMP.
Parameter Description
SNMP Received Packets: The total number of messages delivered to the SNMP entity from the transport service.
SNMP Sent Packets: The total number of SNMP messages that were passed from the SNMP protocol entity to the transport service.
SNMP successful 'Get' requests: The total number of MIB objects that have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
SNMP successful 'Set' requests: The total number of MIB objects that have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.
SNMP 'get' requests: The total number of SNMP Get-Request PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP 'get-next' requests: The total number of SNMP Get-Request PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP 'set' requests: The total number of SNMP Set-Request PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP Out TooBig: The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is tooBig.
SNMP Out NoSuchName: The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is noSuchName.
SNMP Out BadValue: The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is badValue.
SNMP Out GenErrs: The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is genErr.
SNMP Out Get-Responses: The total number of SNMP Get-Response PDUs that have been generated by the SNMP protocol entity.
SNMP Out Traps: The total number of SNMP Trap PDUs that have been generated by the SNMP protocol entity.
IP Router
To show the IP router element statistics:
Select Performance > Element Statistics > IP Router.
Parameters Description
IP Forwarded: The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter includes only those packets that were Source-Routed via this entity, and for which the Source-Route option processing was successful.
IP datagram fragments generated: The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.
Accelerator Utilization
Use the Accelerator Utilization pane to show statistics for each accelerator.
Parameter Description
Other: The percentage of CPU resources used for other tasks, such as aging and so on.