Sophos XG as DDoS amplification server

Hello, 

After reading the following article at Arstechnica (https://arstechnica.com/information-technology/2022/03/unending-data-floods-and-complete-resource-exhaustion-ddoses-get-meaner/?comments=1&start=0), and then the University of Maryland page for the original research (https://geneva.cs.umd.edu/posts/usenix21-weaponizing-censors) I'm curious to know if some configuration of Sophos XG Firewall is susceptible to being leveraged as described to amplify DDoS attacks.

As a user of the home licensed Sophos XG, I'm grateful to Sophos for providing their product for free. However, I want to be certain that I'm not inadvertently being used by bad actors to amplify DDoS attacks.

Is there some way that I can check for these behaviours in the logs, or is there a specific (mis)configuration that would put me at risk?



  • Make sure you have all access via the WAN interface disabled.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks, that's good general advice for securing the device from unauthorized remote access. However, in this case the concern isn't a remote access vulnerability, but rather the behaviour of the Sophos XG device when it receives certain packet types.

    I'm aware that the Sophos XG has some DDoS mitigation settings, but my understanding was that they are there to protect the Sophos XG and the LAN from an inbound DDoS attack. Can they also be configured to reduce the risk of the Sophos XG device being used to amplify an attack as described in the article above?

  • Hi,

    One of the links you supplied is dead. If you have logging for failed connections enabled and your end devices are subject to an attack, then you will fill the log very quickly and possibly fail the XG; otherwise the missing packets from a connection are ignored and the connection is not passed through to the internal device.

    I don't know specifically but would suspect the firewall would not be susceptible to an attack of this nature because it has a hardened network stack.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • It sounds like the attack is more than a SYN flood (which Sophos has controls for), but it also sounds specifically targeted at "middle boxes" which are specifically TCP non-compliant because of the job they do. As far as I can tell, they're not normal firewalls, so it sounds like Sophos would probably not have a problem.

    P.S. I would not recommend using any DoS settings: a real attack is likely to be a DDoS attack and DoS can't stop that, since it's distributed. And it's very hard to adjust the DoS settings in such a way that they're meaningful but at the same time don't kill your legitimate traffic. (And the DoS protection doesn't do a lot for the firewall itself; it's meant to preserve servers behind the firewall. So in a home setting it seems more likely to cause problems than fix them.)

    (I do check "Drop Source Routed Packets" and "Drop ICMP Redirect Packets", both of which don't seem to have a normal use.)
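One way to do the log check the original poster asked about, as an added example that is not from this thread or from Sophos: a script over constructed per-packet records (the record format is assumed for illustration; Sophos XG logs do not look like this) that flags remote peers to which the firewall sent far more data than it received without a completed three-way handshake, the pattern the cited research describes for amplifying middleboxes.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (assumed format, not a Sophos log): one TCP packet
# per line as "direction remote_ip flags payload_bytes". "in" = arrived on the
# WAN interface, "out" = sent by the firewall to that remote address.
SAMPLE = """\
in  203.0.113.5   S   0
out 203.0.113.5   SA  0
in  203.0.113.5   A   0
in  203.0.113.5   PA  120
out 203.0.113.5   PA  300
in  198.51.100.9  PA  60
out 198.51.100.9  PA  1400
out 198.51.100.9  PA  1400
out 198.51.100.9  PA  1400
in  198.51.100.9  PA  60
out 198.51.100.9  PA  1400
out 198.51.100.9  PA  1400
out 198.51.100.9  PA  1400
in  192.0.2.77    S   0
out 192.0.2.77    R   0
"""

@dataclass
class Peer:
    handshake: int = 0        # 0 none, 1 SYN in, 2 SYN-ACK out, 3 ACK in (established)
    bytes_in: int = 0
    bytes_out: int = 0
    unsolicited_out: int = 0  # payload sent with no established connection (RSTs excluded)

def parse_records(text):
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        direction, ip, flags, size = line.split()
        yield direction, ip, set(flags), int(size)

def analyse(text, min_factor=5.0, min_bytes=1000):
    """Return {remote_ip: amplification_factor} for peers that look reflected to."""
    peers = defaultdict(Peer)
    for direction, ip, flags, size in parse_records(text):
        p = peers[ip]
        if direction == "in":
            p.bytes_in += size
            if flags == {"S"}:
                p.handshake = 1
            elif "A" in flags and p.handshake == 2:
                p.handshake = 3
        else:
            p.bytes_out += size
            if flags == {"S", "A"} and p.handshake == 1:
                p.handshake = 2
            elif p.handshake != 3 and "R" not in flags:
                p.unsolicited_out += size
    suspicious = {}
    for ip, p in peers.items():
        factor = p.bytes_out / p.bytes_in if p.bytes_in else float("inf")
        if p.unsolicited_out >= min_bytes and factor >= min_factor:
            suspicious[ip] = round(factor, 1)
    return suspicious
```

The peer that completed its handshake and the one that only received a RST are left alone; the peer that got kilobytes of data in reply to two small unsolicited segments is reported with its bytes-out to bytes-in ratio.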

  • I've marked this as the answer because of the great suggestions on Dropping Source Routed Packets and Drop ICMP Redirect Packets. It looks like most other firewalls in this class have this setting enabled by default.

    The research article specifically refers to "Firewalls", so I'm not certain about how they differentiate between "Firewall" and "Middlebox". Unfortunately, the research article didn't provide any examples of a middlebox. However, upon further rereading of the article it sounds like the bad actor who is committing the DDoS and trying to use the Sophos device to amplify the attack would need to be coming from within my local network.

    I'd love a response from Sophos on this, to confirm that their device isn't susceptible to this attack, but for the time being I'll keep running the Sophos XG.

    Thanks for the response!

  • My bad, turns out I did already have those two settings enabled! Maybe they are on by default? I'm a little spotty on managing the config log for this device.
