DDOS Configuration

Overview:

Distributed Denial of Service, more commonly known as a DDoS attack, is a malicious attempt to disrupt the normal flow of traffic to a targeted server or network by overwhelming the target with a flood of Internet traffic.

zWAN provides basic protection against DDoS and DoS attacks. Note, however, that if the attacker's traffic has already passed through your ISP and is reaching the EC, the link to the EC is already exhausted, and normal traffic flow will be disrupted regardless. What zWAN DDoS does is that, once an attack is detected based on the configured thresholds, it stops processing the offending packets and drops them. This prevents wasting CPU and memory resources on the EC and also prevents any KP or OOM killer from being triggered.

Functionality:

  • DDoS can be enabled/disabled on a global basis
  • DDoS can be enabled/disabled on a per WAN interface
  • Attack thresholds can be set for different types of traffic, per source. The main attack thresholds and their defaults are:
    • ICMP FLOOD default: 300 packets/sec
    • UDP FLOOD default: 1000 packets/sec
    • TCP SYN default: 300 packets/sec
    • TCP RST default: 50 packets/sec
    • SSH BRUTEFORCE default: 10 packets/sec
  • IPs that attempted to attack or portscan the EC can be viewed
  • Permanent or temporary allowLists and blockLists are supported

Please note: in order for DDOS to work, the firewall INPUT policy must be set to a default of DROP.

Configuration Parameters

DDOS Status

Configure DDOS per interface

DDOS Settings for ICMP FLOOD, UDP FLOOD, TCP SYN, TCP RST, and SSH BRUTEFORCE

DDOS IP List

  • Spoofed Addresses

These are IP networks that should never be seen as source addresses if the EC directly faces the Internet. If the EC sits in an internal network where a 10.0.0.0/8 source address is possible, the spoofed address entries need to be updated accordingly before enabling DDOS, otherwise legitimate internal traffic will be treated as spoofed.

  • Attack

IPs that attempted to attack or portscan the EC are added to a temporary DDOS list for a 5 minute period. The 5 minute limit is enforced so that any false positives are automatically removed from the list after that time; entries can also be removed manually by the user before then.

Note: TCP-RST attacks are not added to the DDOS list, because the source IPs in such attacks are typically spoofed addresses of real machines, and listing them would block legitimate hosts. If a TCP-RST attack is detected, the packets are dropped based on the configured threshold and the event is logged.
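As an added illustration (not zWAN's own code), the following Python sketch models the per-source threshold logic described above: the default thresholds from the Functionality list, a 5 minute temporary list for offending sources, an allowList exemption, and TCP RST traffic that is dropped and logged but never listed. The DdosGuard class, the flood helper and the addresses used are constructed for the example.

```python
from collections import defaultdict, deque

# Default per-source thresholds from this page, in packets per second.
THRESHOLDS = {"ICMP_FLOOD": 300, "UDP_FLOOD": 1000, "TCP_SYN": 300,
              "TCP_RST": 50, "SSH_BRUTEFORCE": 10}
BLOCK_SECONDS = 5 * 60  # temporary DDOS list entries expire after 5 minutes


class DdosGuard:
    """Hypothetical per-source packets-per-second detector with a temporary list."""

    def __init__(self, thresholds=THRESHOLDS, allow_list=()):
        self.thresholds = thresholds
        self.allow_list = set(allow_list)
        self.windows = defaultdict(deque)  # (src, kind) -> timestamps in last 1 s
        self.block_list = {}               # src -> expiry timestamp
        self.log = []                      # (time, src, kind) of detected attacks

    def _expire(self, now):
        for src in [s for s, exp in self.block_list.items() if exp <= now]:
            del self.block_list[src]

    def handle(self, src, kind, now):
        """Return 'accept' or 'drop' for one packet of the given traffic class."""
        self._expire(now)
        if src in self.allow_list:
            return "accept"
        if src in self.block_list:
            return "drop"  # already listed: drop without further processing
        window = self.windows[(src, kind)]
        window.append(now)
        while window and window[0] <= now - 1.0:
            window.popleft()
        if len(window) <= self.thresholds[kind]:
            return "accept"
        # Threshold exceeded: drop and log. TCP RST sources are spoofed, so
        # they are dropped and logged but never added to the list.
        self.log.append((now, src, kind))
        if kind != "TCP_RST":
            self.block_list[src] = now + BLOCK_SECONDS
        return "drop"


def flood(guard, src, kind, count, start=0.0):
    """Constructed traffic: `count` packets from `src` within one second; returns drops."""
    drops = 0
    for i in range(count):
        if guard.handle(src, kind, start + i / count) == "drop":
            drops += 1
    return drops
```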

  • PortScan

External devices sometimes attempt to run a portscan against the EC. Such sources are blocked for one day. If an entry is a false positive, the IP can be manually removed by the user.

Use Cases:

Known Limitations:

Future: