DDOS Configuration

Overview:

An IPv6 DDoS attack is a cyberattack where a malicious actor floods a target system or network with a massive amount of traffic using IPv6 addresses. This overwhelms the target, making it unavailable to legitimate users.

Increased address space: IPv6 offers a vastly larger address space compared to IPv4, making it easier for attackers to generate a massive amount of traffic.

Bypass traditional defenses: Some traditional security measures may not be fully equipped to handle IPv6 traffic, leaving systems vulnerable.

Functionality:

  • DDoS protection can be globally enabled or disabled.
  • DDoS protection can also be configured on a per-WAN interface basis.
  • Thresholds for various attack types can be adjusted per source. The default thresholds are as follows:
    • ICMP Flood: 300 packets/sec
    • UDP Flood: 1000 packets/sec
    • TCP SYN: 300 packets/sec
    • TCP RST: 50 packets/sec
    • SSH Brute Force: 10 packets/sec
  • The system allows viewing of IPs that have attempted to attack or port scan the EC.
  • Support for both permanent and temporary allow lists and block lists is available.

Important: DDoS protection requires the firewall’s INPUT policy to be set to "default DROP" for proper operation.

Configuration Parameters

DDOS Status

Configure DDOS per interface

DDOS Settings for ICMP FLOOD, UDP FLOOD, TCP SYN, TCP RST, and SSH BRUTEFORCE

DDOS IP List

  • Spoofed Addresses

Certain IP networks may not be visible if the EC is directly connected to the Internet. For instance, if the EC resides within an internal network and a ::ffff:0:0/96 IP range is in use, the spoofed address entries should be updated accordingly before enabling DDoS protection.

  • Attack

IPs that attempt to attack or perform port scanning on the EC will be added to a temporary DDoS list for a duration of 5 minutes. This time limit ensures that any false positives are cleared from the list automatically; entries can also be removed manually by the user.

Note: TCP-RST attacks will not be included in the DDoS list, as these attacks involve spoofed IPs of legitimate source machines. When a TCP-RST attack is detected, the packets will be dropped according to the configured threshold, and the event will be logged.
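
The per-source thresholds and the 5-minute attack list described above, modelled in Python as an added example (this is not the product's own code). The one-second counting window, the allow-list precedence, dropping all traffic from a listed source, and the names `DdosModel` and `replay` are assumptions made for illustration; the addresses are constructed from the 2001:db8::/32 documentation range.

```python
from collections import defaultdict

# Default per-source thresholds listed on this page (packets/sec).
THRESHOLDS = {"ICMP": 300, "UDP": 1000, "TCP_SYN": 300, "TCP_RST": 50, "SSH": 10}
ATTACK_LIST_TTL = 300  # seconds: the 5-minute temporary listing


class DdosModel:
    """Illustrative model: one-second counting windows per (source, type)."""

    def __init__(self, allow=()):
        self.allow = set(allow)          # assumed to take precedence over limits
        self.counts = defaultdict(int)   # (src, kind, second) -> packets seen
        self.attack_list = {}            # src -> expiry time
        self.log = []                    # (time, src, kind) for logged drops

    def listed(self, src, now):
        expiry = self.attack_list.get(src)
        if expiry is not None and now >= expiry:
            del self.attack_list[src]    # entries age out on their own
            return False
        return expiry is not None

    def packet(self, src, kind, now):
        """Return 'accept' or 'drop' for one packet seen at time `now`."""
        if src in self.allow:
            return "accept"
        if self.listed(src, now):
            return "drop"
        key = (src, kind, int(now))
        self.counts[key] += 1
        if self.counts[key] <= THRESHOLDS[kind]:
            return "accept"
        if kind == "TCP_RST":
            # Source is probably spoofed: drop and log, never list it.
            self.log.append((now, src, kind))
        else:
            self.attack_list[src] = now + ATTACK_LIST_TTL
        return "drop"


def replay(model, src, kind, n, now):
    """Feed n constructed packets at time `now`; return how many were dropped."""
    return [model.packet(src, kind, now) for _ in range(n)].count("drop")


if __name__ == "__main__":
    m = DdosModel()
    print("SSH drops:", replay(m, "2001:db8::1", "SSH", 12, 0.0))
    print("listed at t=299:", m.listed("2001:db8::1", 299.0))
```
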

  • PortScan

External devices attempting to run a port scan on the EC will be blocked for a 24-hour period. In case of a false positive, the affected IPs can be manually removed by the user.
