Contents

Related Topics

About Flood Attacks

In a flood attack, attackers send a very high volume of traffic to a system so it cannot examine and allow permitted network traffic. For example, an ICMP flood attack occurs when a system receives too many ICMP ping commands and must use all of its resources to send reply commands. The Firebox can protect against these types of flood attacks:

  • IPSec
  • IKE
  • ICMP
  • SYN
  • UDP

Flood attacks are also known as Denial of Service (DoS) attacks. The default configuration of the Firebox is to block flood attacks.

You can change the settings for this feature, or change the maximum allowed number of packets per second.

To protect against flood attacks, from Fireware Web UI:

  1. Select Firewall > Default Packet Handling.
    The Default Packet Handling page appears.

Screen shot of the Default Packet Handling page

  1. Select or clear the Flood Attack check boxes.
  2. Type the maximum allowed number of packets per second for a Firebox interface.
    For example, if the setting is 1000, the Firebox drops traffic if it receives more than 1000 packets per second on an interface.
  3. Click Save.

To protect against flood attacks, from Policy Manager:

  1. Click .
    Or, select Setup > Default Threat Protection > Default Packet Handling.
    The Default Packet Handling dialog box appears.

Screen shot of the Default Packet Handling dialog box

  1. Select or clear the Flood Attack check boxes.
  2. Click the arrows to select the maximum allowed number of packets per second for a Firebox interface.
    For example, if the setting is 1000, the Firebox drops traffic if it receives more than 1000 packets per second on an interface.
  3. Click OK.

About the SYN Flood Attack Setting

For SYN flood attacks, you can set the threshold at which the Firebox reports a possible SYN flood attack, but no packets are dropped if only the number of packets you selected are received. At twice the selected threshold, all SYN packets are dropped. At any level between the selected threshold and twice that level, if the src_IP, dst_IP, and total_length values of a packet are the same as the previous packet received, then it is always dropped. Otherwise, 25% of the new packets received are dropped.

For example, you set the SYN flood attack threshold to 18 packets/sec. When the Firebox receives 18 packets/sec, it reports a possible SYN flood attack to you, but does not drop any packets. If the device receives 20 packets per second, it drops 25% of the received packets (5 packets). If the device receives 36 or more packets, the last 18 or more are dropped.

See Also

About Default Packet Handling Options

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.