Knowledge Base


StoneGate IPS Denial of Service (DoS/DDoS) Protection

Rate-based DoS
Resource consumption attacks using traffic flooding.

SYN flood protection:
The IPS mitigates SYN flood attacks by preventing SYN packets from spoofed sources from reaching the target system while it is under a Denial-of-Service attack. The IPS distinguishes legitimate traffic sources from spoofed ones by acting as a proxy between client and server. Typical script-kiddie SYN floods can be identified and prevented with this technique. SYN flood protection must be manually activated for the desired services in the Inspection Rules.
Note! In a Distributed Denial of Service (DDoS) attack (e.g. one using "botnets"/"zombies"), the attacking machines are valid hosts, so they cannot be distinguished from legitimate hosts using SYN flood detection techniques. Thus, SYN flood protection is not effective against DDoS/connection flood attacks!

UDP flood protection:
The IPS protects network services from UDP floods by rate limiting the incoming UDP datagrams from one or more sources to a single destination host and port. If the UDP rate limit is exceeded, the IPS simply stops UDP traffic to the host in question for one second and resets the counter once the flood stops. UDP flood protection must be manually activated for the desired services in the Inspection Rules.

Connection flood protection:
StoneGate can be configured to protect against connection flood/DDoS attacks by combining two techniques: IPS Event Correlation and FW/IPS Blacklisting.

Main configuration steps:
1. Configure the IPS/IDS sensor to log incoming connections for the protected network service (e.g. the HTTP service).
2. Configure the Analyzer to count the HTTP connections per IP pair (maximum number of connections in a time period per IP pair).
3. Configure the IPS to automatically blacklist the violating source IP address for the desired time period on the Firewall and/or IPS when the defined connection threshold is exceeded.
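As an added illustration (not StoneGate's own code or configuration), the following Python model mirrors steps 2 and 3: a sliding-window count of logged connections per IP pair that raises a timed blacklist entry for the source once the threshold is exceeded, replayed over constructed log events. The class and function names, thresholds and addresses are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample of sensor connection-log events as (timestamp_s, src_ip, dst_ip).
# Made-up values for illustration, not real StoneGate log output.
SAMPLE_EVENTS = sorted(
    [(0.0, "10.0.0.5", "192.0.2.10"), (0.3, "10.0.0.5", "192.0.2.10"),
     (0.6, "10.0.0.5", "192.0.2.10"), (2.0, "10.0.0.5", "192.0.2.10")]
    + [(0.10 + 0.05 * i, "198.51.100.7", "192.0.2.10") for i in range(8)]
)

class ConnectionFloodCorrelator:
    """Sliding-window count of logged connections per (src, dst) pair;
    a source that exceeds the threshold is blacklisted for blacklist_s."""

    def __init__(self, threshold, window_s, blacklist_s):
        self.threshold = threshold        # max connections per pair per window
        self.window_s = window_s          # counting period in seconds
        self.blacklist_s = blacklist_s    # how long a violator stays blocked
        self._hits = defaultdict(deque)   # (src, dst) -> timestamps inside the window
        self.blacklist = {}               # src -> expiry timestamp

    def process(self, ts, src, dst):
        """Feed one logged connection; return a blacklist entry when the
        threshold is exceeded, otherwise None."""
        # Drop blacklist entries whose hold time has elapsed
        for ip in [ip for ip, exp in self.blacklist.items() if exp <= ts]:
            del self.blacklist[ip]
        if src in self.blacklist:
            return None  # already blocked upstream; nothing further to count
        window = self._hits[(src, dst)]
        window.append(ts)
        while window and window[0] <= ts - self.window_s:
            window.popleft()  # forget connections older than the period
        if len(window) > self.threshold:
            count = len(window)
            window.clear()
            self.blacklist[src] = ts + self.blacklist_s
            return {"src": src, "dst": dst, "count": count, "until": ts + self.blacklist_s}
        return None

def run(events, threshold=5, window_s=1.0, blacklist_s=60.0):
    """Replay log events chronologically; return the blacklist entries raised."""
    correlator = ConnectionFloodCorrelator(threshold, window_s, blacklist_s)
    return [e for e in (correlator.process(*ev) for ev in events) if e]

if __name__ == "__main__":
    for entry in run(SAMPLE_EVENTS):
        print(entry)
```

With the constructed input, the legitimate client never exceeds five connections per second, while the flooding source is blacklisted on its sixth connection and its remaining events are not counted.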

Please note that the ISP links upstream of StoneGate may become a bottleneck under a DoS/DDoS attack, even with DoS protection active in StoneGate.

Non-rate-based DoS
Illegal input DoS attacks: Bonk, Jolt, Land, Nestea, Newtear, Syndrop, Teardrop