
VPN SLOW - Intrusion Prevention DOS - UDP flood

The following article fixed the issue. - EXCELLENT

https://community.sophos.com/sophos-xg-firewall/f/discussions/129676/sophos-firewall---extremely-poor-bandwidth-when-dos-enabled/483292?focus=true

Unfortunately a Sophos engineer helping us was unaware that DOS UDP flood protection will ruin a perfectly good VPN. 

Do NOT click the Apply Flag box for UDP flood Source if you have VPN clients.



  • How does Flood Protection increase the security of an appliance by any means?

    I am still not able to find a use case for Flood Protection within the setup of a firewall appliance. If somebody starts to flood you with a DDOS attack, they will likely bring you down. You cannot stop them from sending you packets. Even if the appliance is dropping the packets at a high rate, it still floods the connections.

    Personally I am not using Flood Protection at all - it does not give any benefit to my security from my perspective. If I want to decrease the chance of getting a flood attack, ISPs can spin up technology to protect against such attacks (see Enterprise applications etc.). But at a Layer 4 level like here, it is hard to figure out how to deal with this attack.


  • Even though this function doesn't work as customers expect, there should be at least a one-time warning for new installations. (This would prevent some customers from having to open a support case without any actual need.)

    Also, is there any useful need besides backwards compatibility for this feature?


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • The feature could be useful for an actual DOS attack against devices behind the firewall. (Say a web server.)

    I agree that there should be some text at the top of the screen explaining that DOS protection will probably not block DDOS and will not protect the firewall itself (only things behind it). And mention that it can be surprising how it works and to carefully monitor it for some time after enabling it, watching for a lot of action. In particular it can kill VoIP or other high-traffic (even if low-volume of data) protocols. 

    Last, it's direction-agnostic and will "protect" the Internet from a "DOS" from your really fast laptop.

    Personally, I think it should be changed to be directional so you could enable it only for incoming WAN traffic. Maybe it should only apply to gateways and have an IN/OUT option.

  • The feature could be useful for an actual DOS attack against devices behind the firewall.

    That's the exact problem, this feature won't protect the web server from a DDOS attack, or even your own network.

    DDOS attacks should be mitigated by your upstream internet provider, or if it's a web server, then WAF/CDN. (Akamai/Cloudflare)

    If the DDOS attack surpasses your WAN bandwidth, then any mitigation you make directly on the Firewall will be useless.



  • Right, that's what I said: could protect against a DOS attack, not so much a DDOS attack. And it is labeled DOS, not DDOS, so there's truth in advertising at least. Except nowadays anyone who actually has knowledge and wants to disrupt things would use a DDOS attack which the simplistic "lots of traffic from one host" doesn't do much to stop. And, as you say, an attack that manages to fill your link's download capacity will mess things up even if you stop everything at the firewall.

    Personally, I think there should be DOS capabilities on a firewall that are oriented towards protecting the firewall itself from overload -- filling buffers/tables, causing race conditions, etc -- so it's not looking at traffic per se but rather the impact that traffic is having on the firewall's integrity. (E.g. I can imagine an attack that floods a firewall in such a way that Snort crashes and then there's a window for sending traffic through that IPS would otherwise stop.)

    To stop DDOS, you need an infrastructure, not a single device.
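The two effects discussed in this thread, the opening post's warning that the per-source UDP flood flag ruins a VPN, and the point above that a "lots of traffic from one host" threshold does little against distributed traffic, can be seen side by side in a small simulation. The code below is an added example, not code from the original posts and not Sophos's implementation: it models a generic per-source packet-rate limiter (count UDP packets per source IP per one-second window, drop the rest of that source's packets once a threshold is crossed) with an assumed threshold of 1000 packets/s, and feeds it constructed traffic: one VPN client whose IPsec NAT-T tunnel (UDP/4500) carries 2500 packets/s, and a distributed flood of 250 sources at 100 packets/s each. The addresses, rates and threshold are all assumptions chosen for illustration.

```python
"""Constructed simulation of a per-source UDP flood limiter (not Sophos's own code).

Two scenarios:
  1. One VPN client whose tunnel carries 2500 packets/s from a single source IP.
  2. A distributed flood: 250 sources at 100 packets/s each (25,000 packets/s aggregate).
The limiter is an assumed model: count UDP packets per source IP per one-second window and
drop everything from that source above a fixed threshold for the rest of the window.
"""
from collections import defaultdict

VPN_CLIENT = "203.0.113.10"   # constructed: a remote-access VPN client address
IPSEC_NAT_T_PORT = 4500       # UDP port used by IPsec NAT-T; everything the client sends shares this flow
ASSUMED_PPS_LIMIT = 1000      # assumed per-source threshold; the real value is a firewall setting


def udp_stream(src, dst_port, pps, seconds, start=0.0):
    """Constructed packet list of (timestamp, src_ip, dst_port) at a constant rate.
    Timestamps are i/pps so window boundaries fall exactly on whole seconds."""
    return [(start + i / pps, src, dst_port) for i in range(int(pps * seconds))]


def ddos_streams(n_sources, pps_each, seconds, dst_port=53):
    """Constructed distributed flood from n_sources addresses in 192.0.2.0/24 (n_sources <= 254)."""
    pkts = []
    for n in range(n_sources):
        pkts.extend(udp_stream(f"192.0.2.{n + 1}", dst_port, pps_each, seconds))
    return pkts


def aggregate_pps(packets, window=1.0):
    """Peak packets per window across all sources: what the WAN link actually carries."""
    per_window = defaultdict(int)
    for ts, _src, _dport in packets:
        per_window[int(ts // window)] += 1
    return max(per_window.values(), default=0)


def per_source_flood_filter(packets, pps_limit=ASSUMED_PPS_LIMIT, window=1.0):
    """Assumed model of a 'UDP flood, apply to source' rule.

    Returns accepted/dropped totals and per-source drop counts. Only packets-per-source-
    per-window is inspected; payload size and whether the flow is an established VPN tunnel
    play no part, which is exactly why a busy tunnel looks like a flood to this logic."""
    seen = defaultdict(int)
    stats = {"accepted": 0, "dropped": 0, "dropped_by_source": defaultdict(int)}
    for ts, src, _dport in sorted(packets):
        key = (src, int(ts // window))
        seen[key] += 1
        if seen[key] > pps_limit:
            stats["dropped"] += 1
            stats["dropped_by_source"][src] += 1
        else:
            stats["accepted"] += 1
    stats["dropped_by_source"] = dict(stats["dropped_by_source"])
    return stats


def vpn_case(pps_limit=ASSUMED_PPS_LIMIT):
    """One VPN client pushing 2500 pps (e.g. a file transfer) for four seconds."""
    return per_source_flood_filter(udp_stream(VPN_CLIENT, IPSEC_NAT_T_PORT, 2500, 4), pps_limit)


def ddos_case(pps_limit=ASSUMED_PPS_LIMIT):
    """250 sources at 100 pps each: ten times the VPN client's rate, none of them over the limit."""
    return per_source_flood_filter(ddos_streams(250, 100, 4), pps_limit)


if __name__ == "__main__":
    vpn = vpn_case()
    ddos = ddos_case()
    print(f"VPN client    : {aggregate_pps(udp_stream(VPN_CLIENT, IPSEC_NAT_T_PORT, 2500, 4))} pps aggregate, "
          f"accepted={vpn['accepted']} dropped={vpn['dropped']}")
    print(f"DDoS (250 src): {aggregate_pps(ddos_streams(250, 100, 4))} pps aggregate, "
          f"accepted={ddos['accepted']} dropped={ddos['dropped']}")
```

Under this model the single VPN client loses 6000 of its 10,000 packets (the tunnel collapses to the threshold rate), while the distributed flood, ten times larger on the wire, passes untouched because no individual source crosses the per-source limit. That is the whole argument of the thread in two numbers: a per-source packet counter punishes any legitimate high-packet-rate single source (VPN tunnels, VoIP) and is blind to a flood that is spread across enough hosts, and none of it helps once the link itself is full.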
