Configure SD-WAN DoS Protection Profiles
For supported software information, click here.
You can configure Versa Operating System™ (VOS™) devices to detect and mitigate denial-of-service (DoS) attacks. A DoS attack is an attempt to disrupt network services and deny network access by overloading the network with unnecessary traffic from multiple sources.
To apply DoS protection, you define a DoS protection profile and then reference the profile in a DoS protection policy. DoS protection profiles monitor thresholds for various protocols on an endpoint-classified or aggregate basis, which gives you detailed control over DoS protection policies. A DoS protection profile specifies the threshold rate of incoming packets and the action the firewall takes to protect against the DoS attack. The DoS protection profile is attached to the DoS protection policy rule, which establishes the matching criteria for packets that are subject to Deny, Allow, or Protect actions.
This article describes how to configure a DoS protection profile. For information on DoS protection policies, see Configure SD-WAN DoS Protection Policies.
Configure a DoS Protection Profile
- In Tenant view, select Configure > Secure SD-WAN > Security > Profiles.

- Select the DoS Protection tab.
- If you have not yet configured a DoS protection profile, click Add DoS Protection Profile.
- If you have configured one or more DoS protection profiles, the following screen displays. Click the + icon.

The Add DoS Protection Profile workflow displays.

- In step 1, Profile Type, enter information for the following fields.

Field: Description

Protection Type: Select the type of protection to monitor the thresholds of the protocols:
- Classified—Applies the thresholds to all packets that match the rule criteria, based on the classification below.
- Aggregate—Applies the thresholds to all packets that match the rule criteria with which this profile is associated.

Maximum Sessions: Enter the maximum number of sessions to allow for traffic.

Classification Key: For a classified profile, select the key to classify the attack:
- Destination IP Only—Apply the DoS profile on the destination IP address of the attack.
- Source IP Only—Apply the DoS profile on the source IP of the attack.
- Source and Destination IP—Apply the DoS profile on both the source and destination of the attack.

Advanced Settings: Click to configure flood protection.

Flood Protection Protocols: Click the toggle for one or more protocols to enable flood protection for that protocol. If enabling TCP, choose which action to take when the active rate threshold is breached.

Alarm Rate: Enter the threshold rate at which to generate a DoS alarm, in packets per second.
Range: 1 through 20000000 packets per second
Default: 100000 packets per second

Active Rate: Enter the threshold rate at which to activate a DoS response, in packets per second.
Range: 1 through 20000000 packets per second
Default: 100000 packets per second

Max Rate: Enter the threshold rate of incoming packets, in packets per second. When this threshold is exceeded, all packets are dropped.
- For an aggregate DoS protection profile, this limit applies to all the traffic processed by the DoS protection rule with which this DoS protection profile is associated.
- For a classified DoS protection profile, this limit applies to the traffic on a classified basis (based on the source IP address, destination IP address, or both), for the traffic processed by the DoS protection rule with which this DoS protection profile is associated.
Range: 1 through 20000000 packets per second
Default: 100000 packets per second

Drop Period: Enter the duration, in seconds, when offending packets are dropped. Traffic dropped during this time is not counted when triggering an alert.
Range: 1 through 18000 seconds
Default: 300 seconds

Action: Select the action to take when the active rate threshold is breached:
- Random Early Drops—Randomly drop packets.
- SYN Cookies—Generate an acknowledgment, and ensure that the connection is not dropped during a SYN flood attack. This is the default.
Default: SYN Cookies
- Click Next or select step 2, Permissions.
- The permission for each role is selected by default, and you can update it. To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role.

- Click Next or select step 3, Review and Submit.
- Enter a name for the DoS protection profile. You can also enter a description and tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.

- For all other sections, review the information. If you need to make changes, click the Edit icon.
- Click Submit to create the DoS protection profile.
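The following sketch is an added example, not Versa code and not part of the original article. It models how the Alarm Rate, Active Rate, Max Rate, and Drop Period fields would sort one second of traffic into states, and how the same traffic is counted differently under aggregate and classified protection. The class and function names, the string values for protection type and classification key, the comparison operators, and the rule that the drop period starts when Max Rate is exceeded are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DosProfile:                          # hypothetical model, not a VOS object
    protection_type: str = "aggregate"     # or "classified"
    classification_key: str = "source-ip"  # or "destination-ip", "source-and-destination-ip"
    alarm_rate: int = 100_000              # packets per second (article default)
    active_rate: int = 100_000
    max_rate: int = 100_000
    drop_period: int = 300                 # seconds (article default)

    def validate(self):
        """Enforce the ranges given in the field table."""
        for name in ("alarm_rate", "active_rate", "max_rate"):
            if not 1 <= getattr(self, name) <= 20_000_000:
                raise ValueError(f"{name} outside 1..20000000 pps")
        if not 1 <= self.drop_period <= 18_000:
            raise ValueError("drop_period outside 1..18000 seconds")

def bucket(profile, src, dst):
    """Counter that a packet is charged to under this profile."""
    if profile.protection_type == "aggregate":
        return "all-traffic"
    return {"source-ip": src, "destination-ip": dst,
            "source-and-destination-ip": (src, dst)}[profile.classification_key]

def evaluate(profile, samples):
    """samples: (second, src, dst, packets). Returns {(second, bucket): state}."""
    profile.validate()
    rates = defaultdict(int)
    for sec, src, dst, pkts in samples:
        rates[(sec, bucket(profile, src, dst))] += pkts
    drop_until, states = {}, {}
    for sec, key in sorted(rates, key=lambda k: k[0]):
        pps = rates[(sec, key)]
        if sec < drop_until.get(key, 0):
            states[(sec, key)] = "drop"    # still inside the drop period
        elif pps > profile.max_rate:
            drop_until[key] = sec + profile.drop_period  # assumed trigger
            states[(sec, key)] = "drop"
        else:                              # "protect" = RED or SYN cookies
            states[(sec, key)] = ("protect" if pps >= profile.active_rate else
                                  "alarm" if pps >= profile.alarm_rate else "ok")
    return states

# Constructed sample: three sources send 400 pps each to one server for one second.
SAMPLES = [(0, f"198.51.100.{i}", "203.0.113.10", 400) for i in (1, 2, 3)]
```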
Supported Software Information
Releases 13.1.1 and later support all content described in this article.
