About Distributed Denial-of-Service Attacks

Distributed Denial of Service (DDoS) attacks are very similar to flood attacks. In a DDoS attack, many different clients and servers send connections to one computer system to try to flood the system. When a DDoS attack occurs, legitimate users cannot use the targeted system.

The default configuration of the Firebox is to drop DDoS attacks. You can change the settings for this feature, including the maximum allowed number of connections per second.

You can set these options:

Per Server Quota

The Per Server Quota applies a limit to the number of connections per second from any external source to the Firebox external interface. This includes connections to internal servers allowed by a static NAT policy. The Per Server Quota is based on the number of connection requests to any one destination IP address, regardless of the source IP address. After the threshold is reached, the Firebox drops incoming connection requests from any host.

For example, when the Per Server Quota is set to the default value of 100, the Firebox drops the 101st connection request received in a one second time frame from any external IP address. The source IP address is not added to the blocked sites list.

Per Client Quota

The Per Client Quota applies a limit to the number of outbound connections per second from any source protected by the Firebox to any destination. The Per Client Quota is based on the number of connection requests from any one source IP address, regardless of the destination IP address.

For example, when the Per Client Quota is set to the default value of 100, the Firebox drops the 101st connection request received in a one second time frame from an IP address on the trusted or optional network to any destination IP address. The source IP address is not added to the blocked sites list.
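The two quotas count the same events along different keys: the Per Server Quota per destination IP, the Per Client Quota per source IP. The following model, added here for illustration and not Firebox code, applies both counters to constructed connection requests; the exact window behaviour (a fixed one-second window, reset on the second boundary) is an assumption, since the page does not state it.

```python
from collections import defaultdict

# Constructed model of the two Default Packet Handling quotas. Whether the
# Firebox uses a fixed or sliding one-second window is not stated; this model
# assumes a fixed window keyed by int(timestamp).

class QuotaCounter:
    """Counts connection requests per key within each one-second window."""

    def __init__(self, limit: int = 100):
        self.limit = limit
        self.counts = defaultdict(int)  # (key, second) -> requests seen

    def allow(self, key: str, ts: float) -> bool:
        """Return True if the request is within quota, False if it is dropped."""
        bucket = (key, int(ts))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


def evaluate(requests, per_server: int = 100, per_client: int = 100):
    """Apply both quotas to (timestamp, src_ip, dst_ip, direction) tuples.

    direction is 'in' for external -> external interface / static NAT server,
    'out' for trusted or optional -> any destination. Returns dropped requests.
    """
    server_quota = QuotaCounter(per_server)  # keyed by destination IP
    client_quota = QuotaCounter(per_client)  # keyed by source IP
    dropped = []
    for ts, src, dst, direction in requests:
        if direction == "in":
            ok = server_quota.allow(dst, ts)  # counted regardless of source
        else:
            ok = client_quota.allow(src, ts)  # counted regardless of destination
        if not ok:
            dropped.append((ts, src, dst, direction))
    return dropped


# Constructed sample: 101 inbound requests to one static NAT server within the
# same second, each from a different external address, plus one internal client
# sending 101 requests to 101 different destinations within one second.
inbound = [(10.0 + i / 1000, f"203.0.113.{i % 250 + 1}", "198.51.100.10", "in")
           for i in range(101)]
outbound = [(20.0 + i / 1000, "10.0.1.25", f"192.0.2.{i % 250 + 1}", "out")
            for i in range(101)]

if __name__ == "__main__":
    for ts, src, dst, d in evaluate(inbound + outbound):
        print(f"dropped {d} {src} -> {dst} at {ts:.3f}")
```

Only the 101st request in each set is dropped, and nothing is recorded against the source address, matching the note that the source IP is not added to the blocked sites list.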

To drop DDoS attacks, from Fireware Web UI:

  1. Select Firewall > Default Packet Handling.
    The Default Packet Handling page opens.

Screen shot of the Default Packet Handling page

  2. Select or clear the Per Server Quota and Per Client Quota check boxes.
  3. Set the Per Server Quota and the Per Client Quota limits.

To drop DDoS attacks, from Policy Manager:

  1. Click .
    Or, select Setup > Default Threat Protection > Default Packet Handling.
    The Default Packet Handling dialog box opens.

Screen shot of the Default Packet Handling dialog box

  2. Select or clear the Per Server Quota and Per Client Quota check boxes.
  3. Set the Per Server Quota and the Per Client Quota limits.

Related Topics

About Default Packet Handling Options