About Default Packet Handling on Cloud-Managed Fireboxes

Applies To: Cloud-managed Fireboxes

Overview

When your Firebox receives a packet, it examines the source and destination of the packet: the IP addresses and the port numbers. The device also monitors packets for patterns that can indicate your network is at risk. This process is called default packet handling.

Default packet handling can:

  • Reject packets that could be a security risk, such as packets that could be part of a spoofing attack or SYN flood attack.
  • Block all traffic to and from dangerous IP addresses.
  • Throttle Distributed Denial-of-Service (DDoS) attacks.
  • Block or drop traffic for dangerous activities:
    • Drop — For most types of attack, the Firebox drops the connection but does not add the site to the Blocked Sites list.
    • Block — For Port Scans and IP Scans, the Firebox drops the connection and adds the source IP address to the Blocked Sites list. For more information about sites that the Firebox automatically adds to the Blocked Sites list, go to Temporary Blocked Sites.

Default packet handling takes precedence over the policy rules and other services you configure on your cloud-managed Firebox. For information about how to configure default packet handling, go to Configure Default Packet Handling on a Cloud-Managed Firebox.

About Spoofing Attacks

One method that attackers use to enter your network is to forge an electronic identity. In IP spoofing, an attacker sends a TCP/IP packet whose source IP address differs from the address of the computer that actually sent it. By default, the Firebox verifies that the source IP of a packet is from a network on the specified interface and drops spoofing attacks.

In Fireware v12.9 or higher, when a Firebox interface receives an incoming connection initiated by a remote Firebox, the Firebox evaluates the traffic on the interface for potential IP spoofing. To determine if an incoming connection is spoofed, the Firebox initiates a reverse route lookup.

For internal interfaces and BOVPNs:

  • The Firebox looks up the route with the source IP address.
  • If a route exists for that interface, the route lookup succeeds, which means IP spoofing verification passes and the Firebox allows the connection.
  • If no route is associated with the interface, the route lookup fails. This means the IP spoofing verification fails, and the Firebox denies the incoming connection.

For external interfaces:

  • The Firebox looks up the route without a source IP address.
  • If the route lookup determines the route is on the same interface, IP spoofing verification passes, and the Firebox allows the traffic.
  • If the route lookup determines the output interface is different from the incoming interface, but the route is a default route, IP spoofing verification passes, and the Firebox allows the traffic. In this case, the source IP of the traffic can be reached through multiple paths, but the traffic still travels back through the same interface.
  • If the route lookup determines the route is on a different interface, and the route is not a default route, IP spoofing verification fails, and the Firebox denies the incoming connection.

In Fireware v12.9 and higher, the Firebox drops traffic sourced from a second external interface as a spoofing attack. In multi-WAN environments, inbound connections from IP addresses in the subnet range of one external interface are dropped as IP spoofing if received on any other external interface. Review your routing and the subnet masks assigned to external interfaces. Note that these spoofing checks also apply to BOVPNs. If you do not have virtual IP addresses configured for a BOVPN, the traffic appears to come from the public IP of the remote endpoint. For more information, go to the WatchGuard Knowledge Base.

In Fireware v12.8.x or lower, IP spoofing verification works differently and does not apply to BOVPNs. For information about how the Drop Spoofing Attacks setting can affect SD-WAN actions, go to SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel in Fireware Help.

About IP Source Route Attacks

To find the route that packets take through your network, attackers use IP source route attacks. The attacker sends an IP packet and uses the response from your network to get information about the operating system of the target computer or network device. By default, the Firebox drops IP source route attacks.

About Port and IP Address Scans

Attackers frequently look for open ports as starting points to launch network attacks. A port scan is TCP or UDP traffic that is sent to a range of ports (0 to 65535) in sequential or random order. An IP scan is TCP or UDP traffic that is sent to a range of network addresses. Port scans examine a computer to find the services that it uses. IP address scans examine a network to see which network devices are on that network.

Network Scan Identification

An IP address scan is identified when a computer sends a specified number of packets to different IP addresses assigned to a Firebox interface. To identify a port scan, your Firebox counts the number of packets sent from one IP address to any Firebox interface IP address. The addresses can include the primary IP addresses and any secondary IP addresses configured on the interface. If the number of packets sent to different IP addresses or destination ports in one second is higher than the number you select, the source IP address is added to the Blocked Sites list.

When the Block Port Scan, Block IP Scan or Auto-Block Source IP of Unhandled External Packets check boxes are selected, the Firebox examines all inbound traffic. You cannot disable these features for specified IP addresses, specified Firebox interfaces, or different time periods.

Network Scan Prevention

By default, the Firebox blocks network scans. You can change the maximum allowed number of address or port scans per second for each source IP address. For both the Block Port Scan and Block IP Scan settings, the default value is 10.

To block attackers more quickly, you can set the threshold for the maximum allowed number of address or port scans per second to a lower value. However, if you set the number too low, the Firebox might identify legitimate network traffic as an attack and deny the traffic. You are less likely to block legitimate network traffic if you use a higher number, but the Firebox must send TCP reset packets for each connection it drops. This uses bandwidth and resources on the Firebox and provides the attacker with information about your firewall.

About Flood Attacks

A flood attack is a type of Denial of Service (DoS) attack. In a flood attack, attackers send a very high volume of traffic to a system so that it cannot examine and allow permitted network traffic. For example, an ICMP flood attack occurs when a system receives too many ICMP echo (ping) requests and must use all its resources to send replies.

The Firebox can protect against these types of flood attacks:

  • IPSec
  • IKE
  • ICMP
  • SYN
  • UDP

By default, the Firebox blocks flood attacks.

You can specify thresholds for the allowed number of packets per second for different types of traffic. When the number of packets received on an interface exceeds the specified threshold, the device starts to drop traffic of that type on the interface.

  • The thresholds are based on the physical interface, even if you configure multiple virtual interfaces for the physical interface. For example, if you set the UDP flooding threshold to 5000 packets per second, that threshold applies only to the physical interface.
  • Link aggregation group (bond) interface thresholds are treated as a single physical interface. The UDP flooding limit is shared by all interfaces in the group.
  • Bridge interface thresholds are treated as a single physical interface.

For example, if you set the Drop UDP Flood Attacks threshold to 1000, the device starts to drop UDP packets from an interface that receives more than 1000 UDP packets per second. The device does not drop other types of traffic or traffic received on other interfaces.

The Firebox generates up to three log messages a minute when the rate of packets received on an interface is above a specified threshold.

The Firebox does not drop every packet received over the specified threshold immediately. This table shows whether the device drops a packet, based on the rate of packets of that type received on an interface:

Rate of Packets Received                        Packets Dropped
Below the threshold                             No packets
Between the threshold and twice the threshold   25% of packets of that type
More than twice the threshold                   All packets of that type

When the rate of packets received on the interface falls back below the threshold, the device no longer drops packets of that type.

For example, you set the Drop UDP Flood Attack threshold to 1800 packets per second. When a device interface receives 2000 UDP packets a second, the device drops approximately 500 UDP packets (25% of 2000 = 500). When the device interface receives over 3600 UDP packets per second, the device drops all UDP packets from the interface.

The exact number of packets dropped might fluctuate when an interface first receives traffic and when traffic increases and decreases.
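The following Python model, added here as an illustration and not WatchGuard code, reproduces the threshold table and the 1800 packets-per-second UDP example above, and also shows how VLAN and bond members share one physical interface's counter. The interface names, the mapping to physical interfaces and the one-second packet sample are constructed for the example.

```python
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed mapping from the interface a packet arrives on to the physical
# interface whose flood counter it shares (VLAN, bond and bridge members all
# count against a single physical interface, as described above).
PHYSICAL_OF = {
    "eth0": "eth0",
    "eth0.10": "eth0",   # VLAN on eth0 shares eth0's threshold
    "eth1": "bond0",     # link aggregation members count as one interface
    "eth2": "bond0",
}

def drop_fraction(rate: int, threshold: int) -> float:
    """Share of packets of one type dropped at a given packets-per-second rate."""
    if rate <= threshold:
        return 0.0               # at or below the threshold: nothing dropped
    if rate <= 2 * threshold:
        return 0.25              # up to twice the threshold: one in four
    return 1.0                   # above twice the threshold: everything

def dropped_per_second(rate: int, threshold: int) -> int:
    """Approximate number of packets dropped in one second at the given rate."""
    return int(rate * drop_fraction(rate, threshold))

def per_interface_drops(packets: Iterable[Tuple[str, str]],
                        thresholds: Dict[str, int]) -> Dict[Tuple[str, str], int]:
    """packets: (arrival interface, traffic type) observed within one second.
    thresholds: traffic type -> configured flood threshold; types without a
    threshold are never dropped. Returns drops per (physical interface, type)."""
    rates: Counter = Counter()
    for iface, kind in packets:
        rates[(PHYSICAL_OF.get(iface, iface), kind)] += 1
    return {
        (phys, kind): dropped_per_second(n, thresholds[kind])
        for (phys, kind), n in rates.items()
        if kind in thresholds
    }

# Constructed one-second sample: 1200 UDP on the VLAN plus 700 UDP on eth0
# (1900 against eth0's shared counter), 1000 UDP split across the bond, and
# 300 TCP packets that no flood threshold covers.
SAMPLE_PACKETS = ([("eth0.10", "udp")] * 1200 + [("eth0", "udp")] * 700
                  + [("eth1", "udp")] * 500 + [("eth2", "udp")] * 500
                  + [("eth0", "tcp")] * 300)

if __name__ == "__main__":
    print(per_interface_drops(SAMPLE_PACKETS, {"udp": 1800}))
```

With a UDP threshold of 1800, the sample yields 475 drops on eth0 (25% of the combined 1900) and none on bond0, and the TCP packets are untouched.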

Blocked Sites Exceptions bypass all default packet handling settings, except spoofing and IP source route attacks. The Firebox does not drop traffic that comes from a site on the Blocked Site Exceptions list, even when the traffic exceeds a specified flood attack threshold. In Fireware v12.5.6/12.6.3 or higher, traffic that flood attack protection would normally block does appear in the traffic logs as a flood attack from an exception site.

About Distributed Denial-of-Service (DDoS) Attacks

Distributed Denial-of-Service (DDoS) attacks are similar to flood attacks. In a DDoS attack, many different clients and servers send connections to one computer system to try to flood the system. When a DDoS attack occurs, legitimate users cannot use the targeted system.

By default, the Firebox drops DDoS attacks. You can configure the maximum allowed number of connections per second for these settings:

Per Server Quota

The Per Server Quota applies a limit to the number of connections per second from any external source to the Firebox external interface. This includes connections to internal servers allowed by a static NAT policy. The Per Server Quota is based on the number of connection requests to any one destination IP address, regardless of the source IP address. After the threshold is reached, the Firebox drops incoming connection requests from any host.

For example, when the Per Server Quota is set to the default value of 100, the Firebox drops the 101st connection request received in a one second time frame from any external IP address. The source IP address is not added to the Blocked Sites list.

Per Client Quota

The Per Client Quota applies a limit to the number of outbound connections per second from any source protected by the Firebox to any destination. The Per Client Quota is based on the number of connection requests from any one source IP address, regardless of the destination IP address.

For example, when the Per Client Quota is set to the default value of 100, the Firebox drops the 101st connection request received in a one second time frame from an IP address on an internal network to any destination IP address. The source IP address is not added to the Blocked Sites list.
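To make the difference between the two quotas concrete, here is an added Python model (not WatchGuard code) that counts connection requests per second keyed by destination for the Per Server Quota and by source for the Per Client Quota, both defaulting to 100 as described above. The request tuples and addresses are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

class DdosQuotas:
    """Counts new connection requests per second and applies both quotas.

    per_server: requests to any one destination IP, whatever the source
                (inbound to the external interface, static NAT included).
    per_client: requests from any one protected source IP, whatever the
                destination (outbound). A dropped request is refused but
                its source is not added to the Blocked Sites list.
    """

    def __init__(self, per_server: int = 100, per_client: int = 100):
        self.per_server = per_server
        self.per_client = per_client
        # Buckets keyed by (second, address); a production version would
        # expire old seconds instead of keeping them forever.
        self._by_dst: Dict[Tuple[int, str], int] = defaultdict(int)
        self._by_src: Dict[Tuple[int, str], int] = defaultdict(int)

    def inbound(self, second: int, src: str, dst: str) -> bool:
        """External host -> protected server; True when the request is allowed."""
        key = (second, dst)              # Per Server Quota ignores the source
        self._by_dst[key] += 1
        return self._by_dst[key] <= self.per_server

    def outbound(self, second: int, src: str, dst: str) -> bool:
        """Protected client -> any destination; True when the request is allowed."""
        key = (second, src)              # Per Client Quota ignores the destination
        self._by_src[key] += 1
        return self._by_src[key] <= self.per_client

def replay(q: DdosQuotas, requests: Iterable[Tuple[int, str, str]],
           direction: str) -> Tuple[int, int]:
    """Feed (second, src, dst) requests through one quota; returns (allowed, dropped)."""
    decide = q.inbound if direction == "inbound" else q.outbound
    reqs = list(requests)
    allowed = sum(decide(*r) for r in reqs)
    return allowed, len(reqs) - allowed

# Constructed: 120 requests from 120 different sources to one server within
# second 0 (20 exceed the quota), plus 5 to a second server in the same second.
SAMPLE_INBOUND = [(0, f"198.51.100.{i}", "203.0.113.10") for i in range(120)]
SAMPLE_INBOUND += [(0, "198.51.100.200", "203.0.113.11")] * 5
# Constructed: one client opening 101 outbound connections to 101 destinations.
SAMPLE_OUTBOUND = [(0, "10.0.1.5", f"203.0.113.{i}") for i in range(101)]
```

replay(DdosQuotas(), SAMPLE_INBOUND, "inbound") returns (105, 20): the 101st request to 203.0.113.10 is dropped regardless of which source sent it, while the second server is unaffected.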

About Unhandled Packets

An unhandled packet is a packet that does not match any configured firewall policy. The Firebox denies all unhandled packets and generates a log message.

This is an example of a log message for a denied unhandled packet: 

2022-09-29 09:41:30 Deny 192.0.2.99 203.0.113.250 9007/tcp 31069 9007 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251295 win 65535"
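As an added example (not WatchGuard code), the Python below parses traffic log lines in the format shown above and replays the scan rule from the Network Scan Identification section over them: a source that hits more than the threshold of distinct destination ports or destination IPs within one second is flagged, the way Block Port Scan and Block IP Scan would add it to the Blocked Sites list. The sample lines are constructed from the format above, and the unnamed numeric fields are an assumption about the layout.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Field layout taken from the log line above; the numeric field after the
# source port and the two after the interface pair are not named here.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dport>\d+)/(?P<proto>\w+) (?P<sport>\d+) \d+ (?P<in_if>\S+) "
    r"(?P<out_if>\S+) .*?\((?P<reason>[^)]*)\)"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # proc_id="firewall" rc="101" ...

def parse_line(line: str) -> Dict[str, str]:
    """Split one Firebox traffic log line into named fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line[:40]}...")
    rec = m.groupdict()
    rec.update(KV_RE.findall(line))  # adds proc_id, rc, msg_id, tcp_info
    return rec

def find_scanners(lines: Iterable[str], threshold: int = 10) -> List[Tuple[str, str]]:
    """Flag a source as a port scan when it hits more than `threshold` distinct
    destination ports within one second, or as an IP scan when it hits more than
    `threshold` distinct destination IPs (10 is the Block Port/IP Scan default)."""
    ports = defaultdict(set)  # (src, second) -> distinct destination ports
    hosts = defaultdict(set)  # (src, second) -> distinct destination IPs
    for rec in map(parse_line, lines):
        if not rec["reason"].startswith("Unhandled"):
            continue  # only unhandled-packet denies feed the scan counters
        key = (rec["src"], rec["date"] + " " + rec["time"])
        ports[key].add(rec["dport"])
        hosts[key].add(rec["dst"])
    flagged = {(s, "port scan") for (s, _), seen in ports.items() if len(seen) > threshold}
    flagged |= {(s, "ip scan") for (s, _), seen in hosts.items() if len(seen) > threshold}
    return sorted(flagged)

# Constructed sample: one host probing 11 ports within one second and one host
# making three connections to a single port; format copied from the line above.
_TEMPLATE = (
    "2022-09-29 09:41:30 Deny {src} 203.0.113.250 {port}/tcp {sport} {port} "
    "External1 Firebox Denied 52 51 (Unhandled External Packet-00) "
    'proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 1 win 65535"'
)
SAMPLE_LINES = [_TEMPLATE.format(src="192.0.2.99", port=9000 + i, sport=31069 + i) for i in range(11)]
SAMPLE_LINES += [_TEMPLATE.format(src="198.51.100.7", port=443, sport=50000 + i) for i in range(3)]
```

find_scanners(SAMPLE_LINES) returns [('192.0.2.99', 'port scan')]; the Firebox applies this rule to live packets, so replaying it over logs is a review aid, not a replacement for the setting.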

If appropriate for your network configuration, you can enable these unhandled packet settings:

Automatically Block Source IP of Unhandled External Packets

The Firebox does not automatically block the source of unhandled packets by default, but you can configure the Firebox to automatically block the source IP address of unhandled packets received on an external interface. The Firebox adds the IP address that sent the packet as a temporary blocked site. For more information about temporary blocked sites, go to About Blocked Sites on Cloud-Managed Fireboxes.

Use caution with the Automatically Block Source IP of Unhandled External Packets setting. When this setting is enabled, the Firebox blocks all traffic from a remote host if a packet, such as a ping request, does not match a Firebox policy.

Send error message to Source IP of Unhandled Packets

You can also configure the Firebox to send a TCP reset or ICMP error back to the source IP when the Firebox receives an unhandled packet. This setting does not apply to broadcast traffic that is dropped as unhandled.

Related Topics

Configure Default Packet Handling on a Cloud-Managed Firebox

Network Blocking on Cloud-Managed Fireboxes