How to stop HPING3 flooding ICMP/UDP/TCP against firewall or passing through it
edited September 2020 in Mid Range Firewalls
Last night I was playing with the HPING3 tool, and I realized I could freeze my TZ300 with a flood attack.
I have searched the SonicWall knowledge base for any article that could give me some ideas on stopping an attack like this one.
Of course, I have enabled IPS/IDS, and I also configured some parameters under "Firewall Settings / Flood Protection".
On the other hand, what would happen if my target is a published service on the firewall? I mean, a server behind the firewall listening on port TCP 80, for example.
Any help on this, please?
How many concurrent connections did it take to bring the TZ 300 down, and what protocol was used? Did the traffic flow go from LAN -> WAN or LAN -> DMZ?
Was the connection limit reached? Did you try to limit the max. allowed connections in the access rules (Advanced tab), which can only be a percentage value instead of an absolute value?
I did the test sending 15000 packets at the best speed possible.
Protocol used was TCP, destination port 443. I did it also with destination port TCP 442.
The flow of the traffic was WAN-Firewall itself.
Since this is an attack on the firewall itself and I did it with an unused port (TCP 442), I do not know what ACL to configure.
Yep, you're right, TCP/442 probably hits the implicit Drop-All clean-up rule. Did Flood Protection not get triggered in any way?
What are your settings for TCP Flood Protection? I would like to try to reproduce this.
Sorry, I would first like to see why the firewall behaves this way when I enable ICMP Flood Protection.
With this configuration (I have attached a capture), core 1 goes up to 80%.
While the attack is running, I also have other PCs pinging other IP addresses beyond the firewall, and all of them stop receiving ICMP replies.
I think the firewall should stop just the attack coming from the PC running HPING3.
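The symptom in the post above (every host behind the firewall losing echo replies once a single host floods) is what one global ICMP threshold produces. The following is an added example, not code from this thread or from SonicWall: it runs a sliding-window counter over constructed ICMP echo-request records, once with a single shared counter and once keyed per source IP, and shows that only the per-source variant isolates the flooding host while the two normal hosts keep being allowed. The host addresses, packet timings and the threshold of 100 requests per second are assumptions chosen for the illustration.

```python
"""Per-source vs. global ICMP rate limiting (illustrative, not SonicWall code).

Each record is (timestamp_seconds, source_ip) standing in for one ICMP echo
request arriving at the firewall. The traffic below is constructed for the
example: one host floods, two hosts ping normally.
"""
from collections import defaultdict, deque


def _window_verdict(q, ts, limit, window):
    """Slide the window forward, record this packet, and decide allow/drop."""
    while q and ts - q[0] >= window:
        q.popleft()
    q.append(ts)
    return "drop" if len(q) > limit else "allow"


def classify_per_source(packets, max_per_second, window=1.0):
    """One sliding window per source IP: a flooder only exhausts its own budget."""
    windows = defaultdict(deque)
    return [(src, _window_verdict(windows[src], ts, max_per_second, window))
            for ts, src in packets]


def classify_global(packets, max_per_second, window=1.0):
    """A single sliding window for all ICMP: a flooder exhausts everyone's budget."""
    shared = deque()
    return [(src, _window_verdict(shared, ts, max_per_second, window))
            for ts, src in packets]


def summarize(verdicts):
    """Count allow/drop verdicts per source IP."""
    stats = defaultdict(lambda: {"allow": 0, "drop": 0})
    for src, verdict in verdicts:
        stats[src][verdict] += 1
    return dict(stats)


# Constructed traffic (assumed addresses): 10.0.0.50 sends 200 echo requests
# within one second; 10.0.0.10 and 10.0.0.11 each send one request every 0.5 s.
FLOODER = "10.0.0.50"
NORMAL_A = "10.0.0.10"
NORMAL_B = "10.0.0.11"
SAMPLE = sorted(
    [(i * 0.005, FLOODER) for i in range(200)]
    + [(i * 0.5, NORMAL_A) for i in range(4)]
    + [(0.25 + i * 0.5, NORMAL_B) for i in range(4)],
    key=lambda p: p[0],
)
THRESHOLD = 100  # assumed: echo requests per second before dropping


def compare(packets=SAMPLE, threshold=THRESHOLD):
    """Return {'per-source': stats, 'global': stats} for the same traffic."""
    return {
        "per-source": summarize(classify_per_source(packets, threshold)),
        "global": summarize(classify_global(packets, threshold)),
    }


if __name__ == "__main__":
    for mode, stats in compare().items():
        print(mode)
        for src, counts in sorted(stats.items()):
            print(f"  {src}: {counts}")
```

With the per-source window the flooder is cut to 100 of its 200 requests and both normal hosts keep all of their pings; with the shared window the flooder consumes the budget first and the normal hosts start losing replies, which is the behaviour the post reports.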
Enable Control Plane Flood Protection as well to prevent the flood attack.
This option would solve PINGs against firewall.
What about PINGs from LAN to WAN?
I will continue with more tests this week and keep you informed of the results.