
NSA2700 max connections during DDoS

My NSA 2700 stops working during a DDoS; it reaches the max connections of 500,000. The attack seems to be a SYN flood and/or caused by requesting a URL on a web server behind the firewall.

I have already enabled:

a. ingress / egress max bandwidth on the WAN connection and reduced the max connections per IP

b. geo blocking

c. ips/ips

d. all of the TCP flood protection settings and reduced the TCP timeout to 5 minutes

e. UDP flood protection

f. ICMP flood protection

g. Layer 3 SYN flood protection / proxy all WAN connections

h. all of the WAN DDoS protection (non-TCP floods)


I have not enabled:

a. Layer 2 SYN flood

b. MAC-IP anti-spoof


Any suggestions would be appreciated.

Category: High End Firewalls

Answers

  • preston Enthusiast ✭✭

    Hi @Laurens, do a packet trace to the server on the SonicWall. You may find the issue is to do with the settings in the guide below; when I've had this issue before it was to do with this causing the connections to max out. Also check the endpoint (server) has not been infected and is acting as part of a botnet.

    https://www.sonicwall.com/support/knowledge-base/dropped-packets-because-of-invalid-tcp-flag/170504420448221/

  • Laurens Newbie ✭

    Hi Preston,


    Thanks for the article. When the DDoS attack started we had the "Enforce strict TCP compliance with RFC 793 and RFC 1122" setting off; in an attempt to mitigate we set this to on, with no effect. We don't believe the server is part of the botnet because the DDoS tries to overwhelm a web application we run. So when the attack starts the web server gets overloaded with requests, and we also see the SonicWall more or less immediately jump to its max connections. I believe there is a lag in the SonicWall interface, and as far as I can gather from the datacenter statistics the 1 Gbps inbound connection gets overloaded with data within a few seconds. As part of the DDoS protection from the datacenter, after 90 seconds the datacenter null routes all the inbound traffic for the specific IP address. The firewall requires approximately 15 minutes to get back to normal, after which time the datacenter stops null routing and the cycle starts again. I believe it's a massive synchronized attack.


    I think step 1 is to ensure the firewall doesn't get overloaded, so it might be a good idea to restrict the number of connections per IP address and restrict the number of connections the firewall is allowed to pass on to the web server. Any suggestions on this will be appreciated.


    PS: even with SYN flood protection and restricting the number of connections to 50% (250,000), the NSA2700 seems to barely manage the load. In this context I'm very disappointed in this SonicWall product.
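As an added illustration of the per-IP connection limiting Laurens is asking about above (this is example code written for this page, not code from the thread, from SonicWall, or from any poster), the script below tallies connection attempts per source address from constructed sample log lines in a hypothetical syslog-like format and flags sources that either exceed a per-IP limit or leave most of their connections half-open, which is the pattern a SYN flood leaves in connection tables. The line format, the `per_ip_limit` and `half_open_ratio` thresholds, and the IP addresses are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical syslog-like format; this is NOT
# SonicWall's real log syntax, just enough structure to exercise the counter.
# 203.0.113.9 sends only SYNs, 198.51.100.7 completes its handshakes, and
# 203.0.113.77 completes one of four. Addresses are documentation ranges.
SAMPLE_LOGS = [
    "src=203.0.113.9:40001 dst=192.0.2.10:443 flags=S",
    "src=203.0.113.9:40002 dst=192.0.2.10:443 flags=S",
    "src=203.0.113.9:40003 dst=192.0.2.10:443 flags=S",
    "src=203.0.113.9:40004 dst=192.0.2.10:443 flags=S",
    "src=203.0.113.9:40005 dst=192.0.2.10:443 flags=S",
    "src=198.51.100.7:51000 dst=192.0.2.10:443 flags=S",
    "src=198.51.100.7:51000 dst=192.0.2.10:443 flags=A",
    "src=198.51.100.7:51001 dst=192.0.2.10:443 flags=S",
    "src=198.51.100.7:51001 dst=192.0.2.10:443 flags=A",
    "src=203.0.113.77:6000 dst=192.0.2.10:443 flags=S",
    "src=203.0.113.77:6001 dst=192.0.2.10:443 flags=S",
    "src=203.0.113.77:6002 dst=192.0.2.10:443 flags=S",
    "src=203.0.113.77:6003 dst=192.0.2.10:443 flags=S",
    "src=203.0.113.77:6000 dst=192.0.2.10:443 flags=A",
    "not a connection line",
]

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+flags=(?P<flags>[A-Z]+)"
)


def parse_line(line):
    """Return the src/sport/dst/dport/flags fields, or None for unrelated lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def connection_stats(lines):
    """Per source IP: how many connections were attempted (SYN seen) and how
    many of those never progressed to an ACK from the same 4-tuple."""
    syn = defaultdict(set)
    ack = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["sport"], rec["dst"], rec["dport"])
        if rec["flags"] == "S":
            syn[rec["src"]].add(key)
        elif "A" in rec["flags"]:
            ack[rec["src"]].add(key)
    stats = {}
    for src in syn.keys() | ack.keys():
        attempted = len(syn[src])
        completed = len(syn[src] & ack[src])
        stats[src] = {"attempted": attempted, "half_open": attempted - completed}
    return stats


def flag_sources(lines, per_ip_limit=3, half_open_ratio=0.75):
    """Return (src, attempted, half_open, reasons) for sources worth limiting:
    those over the per-IP connection limit, and those whose attempts are
    mostly half-open (the SYN-flood signature). Thresholds are assumptions."""
    flagged = []
    for src, s in sorted(connection_stats(lines).items()):
        reasons = []
        if s["attempted"] > per_ip_limit:
            reasons.append("over_limit")
        if s["attempted"] and s["half_open"] / s["attempted"] >= half_open_ratio:
            reasons.append("mostly_half_open")
        if reasons:
            flagged.append((src, s["attempted"], s["half_open"], reasons))
    return flagged


if __name__ == "__main__":
    for src, attempted, half_open, reasons in flag_sources(SAMPLE_LOGS):
        print(f"{src}: {attempted} attempted, {half_open} half-open -> {', '.join(reasons)}")
```

Running it against the sample lines flags 203.0.113.9 and 203.0.113.77 but not 198.51.100.7, which completed both of its handshakes. The two thresholds are deliberately separate: a per-IP limit alone catches a single noisy source, while the half-open ratio catches a source that stays under the limit but never finishes a handshake, which is what exhausts a firewall's connection table during a SYN flood.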

  • preston Enthusiast ✭✭
    edited June 26

    Hi Laurens, how many devices do you have behind the NSA2700? You might want to enable, if you haven't already, the GeoIP and the Botnet filter.

    Also, in the Firewall advanced settings, enable Stealth mode and Randomize IP ID.

    https://www.sonicwall.com/en-us/support/knowledge-base/170505400210715

  • Laurens Newbie ✭

    Hi Preston,

    Behind the firewall are 4 physical servers, only two of them serve inbound traffic of which one has a minimal load, the others are for backup and redundancy.

    Both Stealth mode and Randomize IP ID are on.

    We also use GeoIP to block Asia, Africa, and Russia and use the Botnet filter.
