Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

How to stop HPING3 flooding ICMP/UDP/TCP against firewall or passing through it

SEBASTIANSEBASTIAN Newbie
edited September 2020 in Mid Range Firewalls

Hi!

Yesterday night I was playing with HPING3 tool. And I realized I could freeze my TZ300 with a flood attack.

I have searched for any article on the Sonicwall knowledge base that could give me some ideas to stop an attack like this one.

Of course, I have enabled IPS/IDS and I also configured some parameters on "Firewalls Settings / Flooding Protection"

On the other hand, whats would happen if my target is a published service on the firewall? I mean, a server behind the firewall listening on port TCP 80, for example.

Any help on this, please?

Category: Mid Range Firewalls
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @SEBASTIAN

    how many connections (concurrent) does it took to bring the TZ 300 down and what protocol was used? Did the traffic flow went from LAN -> WAN or LAN -> DMZ?

    Was the connection limit reached? Did you tried to limit the allowed max. connections in the access rules (advanced tab), which can only be a percentage value instead of a absolute value?

    --Michael@BWC

  • I did the test sending 15000 packets at the best speed possible.

    Protocol used was TCP, destination port 443. I did it also with destination port TCP 442.

    The flow of the traffic was WAN-Firewall itself.

    Since this is an attack to the firewall and I did it with an unused port (TCP 442), I do not know what ACL to configure.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @SEBASTIAN

    yep you're right, TCP/442 hits probably the implicit Drop-All clean-up rule. The Flood Protection did not got triggered in any way?

    What are your settings for the TCP Flood Protection? I would try to reproduce.

    --Michael@BWC

  • Sorry, I would like to see first why the firewall is having this behavior when I enable ICMP Flood Protection.

    With this configuration (I have attached a capture) core 1 goes up to 80%.

    While the attack is running, I also have other PCs doing PING to other IP addresses beyond the firewall. And all of them stop receiving ICMP replies.

    I think the firewall should stop just the attack coming from PC running HPING3 .


  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @SEBASTIAN

    Enable Control plane flood protection also to prevent the flood attack.


  • This option would solve PINGs against firewall.

    What about PINGs from LAN to WAN?

    I will continue with more tests this week. And I will keep you informed with the results.

    Thanks!

Sign In or Register to comment.