About Distributed Denial-of-Service Attacks

Distributed Denial of Service (DDoS) attacks are very similar to flood attacks. In a DDoS attack, many different clients and servers send connection requests to one computer system to try to flood it. While a DDoS attack is in progress, legitimate users cannot use the targeted system.

The default configuration of the XTM device is to block DDoS attacks. From Fireware XTM Web UI, you can change the settings for this feature, and change the maximum allowed number of connections per second.

  1. Select Firewall > Default Packet Handling.
    The Default Packet Handling page appears.

Screen shot of the Default Packet Handling page

  2. Select or clear the Per Server Quota and Per Client Quota check boxes.
  3. Set the Per Server Quota and the Per Client Quota limits.

Per Server Quota

The Per Server Quota applies a limit to the number of connections per second from any external source to the XTM device external interface. This includes connections to internal servers allowed by a static NAT policy. The Per Server Quota is based on the number of connection requests to any one destination IP address, regardless of the source IP address. After the threshold is reached, the XTM device drops incoming connection requests from any host.

For example, when the Per Server Quota is set to the default value of 100, the XTM device drops the 101st connection request received in a one-second time frame from any external IP address. The source IP address is not added to the blocked sites list.

Per Client Quota

The Per Client Quota applies a limit to the number of outbound connections per second from any source protected by the XTM device to any destination. The Per Client Quota is based on the number of connection requests from any one source IP address, regardless of the destination IP address.

For example, when the Per Client Quota is set to the default value of 100, the XTM device drops the 101st connection request received in a one-second time frame from an IP address on the trusted or optional network to any destination IP address.
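The following is an added illustration of the counting rule behind both quotas, not WatchGuard code: it models connection requests counted in fixed one-second windows, keyed by destination IP for the Per Server Quota and by source IP for the Per Client Quota, and runs a constructed distributed flood (many sources, one target, documentation-range addresses) through both to show why only the destination-keyed quota catches it. Interface direction (inbound to external versus outbound from trusted/optional) is abstracted away, and the fixed-window counting is an assumption about how the device keeps its counters.

```python
from collections import defaultdict

PER_SERVER_QUOTA = 100  # page default: connection requests/second to one destination IP
PER_CLIENT_QUOTA = 100  # page default: connection requests/second from one source IP


def apply_quota(requests, quota, key):
    """Return one "allow"/"drop" decision per (ts, src, dst) request.

    Requests are counted in fixed one-second windows (assumed model), keyed by
    destination IP (key="dst", the Per Server Quota) or by source IP
    (key="src", the Per Client Quota). When `quota` requests for a key have
    already been seen in the current second, the next one is dropped: with
    quota=100 the 101st is the first to go. Supply requests in timestamp order.
    """
    counts = defaultdict(int)
    current_second = None
    decisions = []
    for ts, src, dst in requests:
        second = int(ts)
        if second != current_second:  # new one-second window: reset all counters
            current_second = second
            counts.clear()
        k = dst if key == "dst" else src
        if counts[k] >= quota:
            decisions.append("drop")
        else:
            counts[k] += 1
            decisions.append("allow")
    return decisions


def distributed_flood(n, target="203.0.113.10"):
    """Constructed sample: n requests within one second, each from a distinct
    documentation-range source address, all aimed at one target (n <= 254)."""
    return [(i / n, f"198.51.100.{i + 1}", target) for i in range(n)]


def summarize(requests):
    """Run both quota checks over the same constructed traffic and report how
    many requests each would drop and which request is the first drop."""
    server = apply_quota(requests, PER_SERVER_QUOTA, "dst")
    client = apply_quota(requests, PER_CLIENT_QUOTA, "src")
    return {
        "server_dropped": server.count("drop"),
        "client_dropped": client.count("drop"),
        "first_server_drop": server.index("drop") + 1 if "drop" in server else None,
    }


if __name__ == "__main__":
    # 150 sources hitting one target: server quota drops 50, client quota drops none
    print(summarize(distributed_flood(150)))
```

The 150-source flood never exceeds one request per source, so the source-keyed Per Client Quota sees nothing wrong, while the destination-keyed Per Server Quota drops request 101 onward; a single host sending 120 requests in one second would trip both.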

See Also

About Default Packet Handling Options
