About Flood Attacks

Flood attacks are also known as Denial of Service (DoS) attacks. In a flood attack, attackers send a very high volume of traffic to a system so that it cannot examine and allow permitted network traffic. For example, an ICMP flood attack occurs when a system receives so many ICMP echo requests (pings) that it must use all its resources to send echo replies.

The Firebox can protect against these types of flood attacks:

  • IPSec
  • IKE
  • ICMP
  • SYN
  • UDP

The default configuration of the Firebox is to block flood attacks.

About Flood Attack Thresholds

To prevent flood attacks, in the Default Packet Handling page, you can specify thresholds for the allowed number of packets per second for different types of traffic. When the number of packets received on an interface exceeds the specified threshold, the device starts to drop traffic of that type on the interface.

  • Default Threat Protection thresholds are based on the physical interface, even if you configure multiple virtual interfaces for the physical interface. For example, if you set the UDP flooding threshold to 5000 packets/sec, that threshold only applies to the physical interface.
  • Link aggregation group (bond) interface thresholds are treated as a single physical interface. The UDP flooding limit is shared by all interfaces in the group.
  • Bridge interface thresholds are treated as a single physical interface.

For example, if you set the Drop UDP Flood Attack threshold to 1000, the device starts to drop UDP packets from an interface that receives more than 1000 UDP packets per second. The device does not drop other types of traffic or traffic received on other interfaces.

The Firebox generates up to three log messages a minute when the rate of packets received on an interface is above a specified threshold.

The Firebox does not drop every packet received over the specified threshold immediately. This table shows whether the device drops a packet, based on the rate of packets of that type received on an interface:

Rate of packets received                         Packets dropped
Below the threshold                              No packets
Between the threshold and twice the threshold    25% of packets of that type
More than twice the threshold                    All packets of that type

When the rate of packets received on the interface falls back below the threshold, the device no longer drops packets of that type.

For example, you set the Drop UDP Flood Attack threshold to 1800 packets per second. When a device interface receives 2000 UDP packets a second, the device drops approximately 500 UDP packets (25% of 2000 = 500). When the device interface receives over 3600 UDP packets per second, the device drops all UDP packets from the interface.

The exact number of packets dropped might fluctuate when an interface first receives traffic and when traffic increases and decreases.

Blocked Sites Exceptions bypass all Default Packet Handling checks, except the spoofing and IP source route attack checks. The device does not drop traffic that comes from a site on the Blocked Sites Exceptions list, even when the traffic exceeds a specified flood attack threshold. In Fireware v12.5.6/12.6.3 or higher, traffic that flood attack protection would normally block does appear in the traffic logs as a flood attack from an exception site.
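The following Python model ties together the behaviour described in the sections above: thresholds measured per physical interface (with bond and bridge members, and VLAN interfaces, accumulating on one physical interface), the 0% / 25% / 100% drop table, the Blocked Sites Exceptions bypass, and the limit of three log messages a minute. It is an added illustration written for this page, not WatchGuard code. Everything not stated on the page is a constructed assumption: the interface names and sample packets, the choice to drop every fourth packet in the 25% band, that traffic from an exception site still counts toward the measured rate, and that the log limit is tracked per interface and traffic type.

```python
"""Model of Firebox flood-attack threshold handling (added example, not WatchGuard code)."""
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Tuple

Packet = Tuple[str, str, str]  # (interface received on, traffic type, source IP)


def drop_fraction(rate: int, threshold: Optional[int]) -> float:
    """Fraction of packets of one type dropped at a given packets/sec rate.

    None means protection for that type is disabled. A rate equal to the
    threshold is not 'more than' it (nothing dropped); a rate equal to twice
    the threshold is still in the 25% band.
    """
    if threshold is None or rate <= threshold:
        return 0.0
    if rate <= 2 * threshold:
        return 0.25
    return 1.0


def physical_rates(packets: List[Packet], physical_of: Dict[str, str]) -> Counter:
    """Packets/sec keyed by (physical interface, type). VLAN interfaces map to
    their port; bond and bridge members map to the group, so they share one threshold."""
    return Counter((physical_of.get(iface, iface), proto) for iface, proto, _ in packets)


def process_second(
    packets: List[Packet],
    thresholds: Dict[str, int],
    physical_of: Dict[str, str],
    exceptions: FrozenSet[str] = frozenset(),
) -> List[bool]:
    """One drop decision (True = dropped) per packet for one second of traffic."""
    rates = physical_rates(packets, physical_of)  # assumption: exception traffic is counted
    seen: Counter = Counter()
    decisions = []
    for iface, proto, src in packets:
        key = (physical_of.get(iface, iface), proto)
        seen[key] += 1
        frac = drop_fraction(rates[key], thresholds.get(proto))
        if src in exceptions:
            drop = False  # Blocked Sites Exception: the flood check never drops it
        elif frac == 1.0:
            drop = True  # more than twice the threshold: every packet of this type
        elif frac == 0.25:
            drop = seen[key] % 4 == 0  # assumed every-fourth selection, realises 25%
        else:
            drop = False
        decisions.append(drop)
    return decisions


class FloodLogger:
    """Caps flood log messages at three per minute (assumed: per interface and type)."""

    def __init__(self, per_minute: int = 3) -> None:
        self.per_minute = per_minute
        self.sent: Counter = Counter()

    def log(self, minute: int, phys: str, proto: str, rate: int, thr: int) -> Optional[str]:
        key = (minute, phys, proto)
        if self.sent[key] >= self.per_minute:
            return None
        self.sent[key] += 1
        return f"minute={minute} iface={phys} {proto} flood: {rate} pps exceeds {thr}"


# Constructed topology: eth1/eth2 are bond0 members, vlan10 rides on eth3, eth0 is alone.
PHYSICAL_OF = {"eth1": "bond0", "eth2": "bond0", "vlan10": "eth3"}
THRESHOLDS = {"udp": 1800, "icmp": 1000}  # sample values, not Firebox defaults


def page_example() -> Tuple[int, int]:
    """The page's 1800-threshold case: 2000 pps drops ~500, over 3600 pps drops all."""
    udp_2000 = [("eth0", "udp", "203.0.113.7")] * 2000
    udp_3601 = [("eth0", "udp", "203.0.113.7")] * 3601
    return (sum(process_second(udp_2000, THRESHOLDS, PHYSICAL_OF)),
            sum(process_second(udp_3601, THRESHOLDS, PHYSICAL_OF)))


def bond_example() -> int:
    """1000 UDP pps on each bond member is 2000 pps on bond0: the 25% band applies."""
    pkts = [("eth1", "udp", "198.51.100.2")] * 1000 + [("eth2", "udp", "198.51.100.3")] * 1000
    return sum(process_second(pkts, THRESHOLDS, PHYSICAL_OF))


def exception_example() -> int:
    """A flood from an exception site is never dropped, even far over the threshold."""
    pkts = [("vlan10", "icmp", "192.0.2.10")] * 5000
    return sum(process_second(pkts, THRESHOLDS, PHYSICAL_OF, frozenset({"192.0.2.10"})))


if __name__ == "__main__":
    print("page example (2000 pps, 3601 pps) dropped:", page_example())
    print("bond members 1000 + 1000 pps dropped:", bond_example())
    print("exception site at 5000 icmp pps dropped:", exception_example())
    logger = FloodLogger()
    msgs = [logger.log(0, "eth0", "udp", 2000, 1800) for _ in range(5)]
    print("log messages emitted in minute 0:", sum(m is not None for m in msgs))
```

The bond case is the one to check when sizing thresholds: two members each carrying traffic below the threshold still trip it once their counts are summed on the group, which is what the page means by the limit being shared by all interfaces in the group.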

Configure Flood Attack Thresholds

You can enable or disable protection for each type of flood attack, and configure the threshold for the allowed number of packets per second.

We recommend that you change the default values of each flood attack threshold based on the expected amount of network traffic of that type. For example, if your configuration includes a Branch Office VPN or Mobile VPN, you might need to increase the IPSec and IKE flood attack thresholds to account for VPN traffic.

See Also

About Default Packet Handling Options