
DOS - TCP Flood settings

Hey guys,

I am having a Friday afternoon brain fart.

I am trying to configure the DOS TCP Flood settings in XG, only using the source side (destination not enabled).

If I leave them at the defaults and enable them, I get massive TCP Flood triggers (set to 12000 / 100), and when checking the firewall logs the traffic is blocked due to "DOS Attack". Many of the IPs belong to Microsoft Azure and Office 365.

I have allowed DNS 53 and 443 (UDP) in a DOS Bypass.

As we have about 250 users accessing O365 from the LAN, is the TCP Flood triggering due to the amount of traffic? Would I need to increase both Packet Rate per Source and also Burst Rate per Source?

It seems that as soon as I enable the TCP settings, many blocks begin.



  • Hi,

    First of all, this is a duplicate question and I already replied.

    https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/102080/ips-sophos-xg-dos-protection/374782#374782

    ---------------------

    Here is an example PPS calculation for an application that uses TCP port XXXXX for communication using default settings for communication across the network. It averages 5 KB per transaction and the average user transacts with the application 10 times per second.

     It is a TCP application so the policy should be for SYN-Flood
     Default MTU is 1,500, MSS is 1,460
     5 KB max transaction size x 1,024 = 5,120 bytes
     5,120 / 1,460 = 3.5 packets per transaction
     You cannot have partial packets, round up to 4
     4 x max. 10 transactions per second = 40 packets per second

    This would then be multiplied by the average number of concurrent sessions (users) accessing the application.

    Accurately identifying transactions per second and how much data per transaction is difficult and requires in-depth knowledge of the protocols and services. An alternative method of estimating the PPS is to divide the maximum data of a client per second by the MSS. If you do this with the values in this scenario you end up with 35 PPS because it does not account for partial packets.

    With this in mind, although it is an easier method, you would need to pad the PPS result:

     Max. 10 transactions per second x max. 5 KB per transaction = 50 KB
     50 KB x 1,024 = 51,200 bytes
     51,200 / 1,460 = 35 PPS

    I hope it will be helpful for you.

  • Hi Deepak,

    Thanks for the response.

    I am sure it's a TCP application, but it's not SYN-Flood being triggered. All Office 365 traffic, which is not UDP.

    Using the calculation supplied, it would require me to allow 600,000 packets per minute in the XG?

    40 packets per second x 250 users = 10,000 x 60 sec = 600,000 (the XG is in packets per minute)

    Does this look right?

    Edit: Just to add - I set my TCP Flood to 600,000 and my rate per second to 500 and I am still getting packets dropped from the O365 / Azure IP ranges.

    Something is not right. SYN flood is not triggering - only TCP Flood.
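The two PPS estimates from Deepak's reply (round up per transaction, or divide bytes per second by the MSS and pad) and the per-minute scaling from the follow-up post, written out as a small Python sizing helper. This is an added example, not code from the thread or from Sophos; it assumes the "12000 / 100" in the original question are the per-source packet rate per minute and the burst rate per second, that source-side TCP Flood evaluates each source IP on its own, and that padding the simple estimate by one segment per transaction is enough to cover the rounding it loses. The function and parameter names are the example's own.

```python
import math

# Figures quoted in the thread: default MTU 1,500, MSS 1,460, 1 KB = 1,024 bytes.
MTU = 1500
MSS = MTU - 40      # 1,460: MTU minus a 20-byte IPv4 header and a 20-byte TCP header
KB = 1024


def packets_per_transaction(transaction_kb: float, mss: int = MSS) -> int:
    """Segments carried by one transaction. A partial segment is still a packet
    on the wire, so round up (5,120 / 1,460 = 3.5 -> 4)."""
    return math.ceil(transaction_kb * KB / mss)


def pps_exact(transaction_kb: float, tps: float, mss: int = MSS) -> int:
    """First method from the reply: round per transaction, then scale by the
    transaction rate (4 packets x 10 per second = 40 PPS)."""
    return math.ceil(packets_per_transaction(transaction_kb, mss) * tps)


def pps_simple(transaction_kb: float, tps: float, mss: int = MSS) -> int:
    """Second method from the reply: bytes per second / MSS. It ignores the
    partial segment of every transaction, so it under-estimates (35 PPS)."""
    return math.floor(transaction_kb * tps * KB / mss)


def pps_padded(transaction_kb: float, tps: float, mss: int = MSS) -> int:
    """Padded form of the simple method. Assumption (not from the reply): add
    one segment per transaction, the most the simple method can lose to
    rounding, so the padded figure is never below the exact one."""
    return pps_simple(transaction_kb, tps, mss) + math.ceil(tps)


def per_source_per_minute(pps: int) -> int:
    """XG's packet-rate field is per minute; this is what one source sends."""
    return pps * 60


def aggregate_per_minute(pps: int, users: int) -> int:
    """Scaling used in the follow-up post: per-user PPS x users x 60 seconds."""
    return pps * users * 60


def would_trigger(pps: int, packet_rate_per_minute: int, burst_per_second: int) -> bool:
    """Assumption: source-side TCP Flood judges each source IP separately,
    against a packet rate per minute and a burst rate per second."""
    return per_source_per_minute(pps) > packet_rate_per_minute or pps > burst_per_second


def sizing_report(transaction_kb: float, tps: float, users: int,
                  packet_rate_per_minute: int, burst_per_second: int) -> dict:
    """Collect every figure a practitioner would compare against the XG settings."""
    exact = pps_exact(transaction_kb, tps)
    return {
        "packets_per_transaction": packets_per_transaction(transaction_kb),
        "pps_exact": exact,
        "pps_simple": pps_simple(transaction_kb, tps),
        "pps_padded": pps_padded(transaction_kb, tps),
        "per_source_per_minute": per_source_per_minute(exact),
        "aggregate_per_minute": aggregate_per_minute(exact, users),
        "per_source_exceeds_threshold": would_trigger(exact, packet_rate_per_minute, burst_per_second),
    }


if __name__ == "__main__":
    # Thread's numbers: 5 KB transactions, 10 per second, 250 users, trigger 12000 / 100
    for key, value in sizing_report(5, 10, 250, 12000, 100).items():
        print(f"{key:30} {value}")
```

Run with the thread's numbers, the report gives 4 packets per transaction, 40 PPS exact, 35 PPS by the simple method and 45 PPS padded, 2,400 packets per minute for one source and the 600,000 per minute aggregate from the follow-up post. Under the assumptions stated above, a single source at 40 PPS stays below both a 12000-per-minute packet rate and a 100-per-second burst rate, which is the kind of per-source comparison worth doing before raising the thresholds.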