DDOS attack is a malicious attempt to disrupt normal network services of an end machine which could be a server, service, or the network itself by flooding the infrastructure with a flood of traffic using single or multiple sources. This is a very prevalent form of compromising systems that are connected to the Internet and results in the network or resources being unavailable for its intended use and/or users. DDOS attacks typically include port scans, flooding the network with TCP, ICMP probes, host sweeping and attacks involving high volumes of small packets.

Versa Secure SD-WAN DOS Protections provides more granular control and configuration for the prevention of such attacks using policies that can be defined based on Zones, Source, and destination IP addresses, IP headers and TCP & UDP services.

To apply DoS protection, define DoS protection profiles, and then reference the profile in a DoS protection policy. Versa Secure SD-WAN gives the user the flexibility to define two types of protection profiles – ‘Aggregate’ and ‘Classified’ DoS Profiles.

Aggregate DoS Profile monitors the threshold for all the traffic for various protocols that match the rules defined in the DoS Policy – typically used to defend attacks targeting an entire subnet and the source also spread across a wide range of IP addresses.

In a classified DoS profile, you set the classification key to source and destination IP address to monitor the thresholds based on a per-source and destination IP address basis. The rate at which packets are received is tracked per-protocol, per-source-and-destination-IP-address. You use classified DoS profiles to defend against DoS attacks targeted against specific endpoint hosts, based on the destination IP address or to narrow down the source of the DoS traffic to a few source IP addresses.

Versa SD-WAN DOS Protection is a part of the Stateful Firewall feature, and an appropriate subscription must be selected.

DOS Protection configuration has two components. They are –

DOS Profile	• Define criteria for the type of Profile – Aggregate or Classified • Define the Flood Protection Thresholds specific for each Protocol, rate limit thresholds and drop period in case of a breach, along with the mitigation action to be taken
DOS Policy	This is used to match a certain type of traffic based on IP headers, port numbers, services and the action to be taken – Allow, Deny or Protect and match the DOS Profile created

The topology has a Versa SD-WAN CPE implemented at a Branch having DIA. A remote attacker is generating flood attack traffic towards the LAN from the Internet. The DOS Security policy implemented on the Versa CPE blocks this attack.

Objectives:

A. Configure a DOS Profile to define thresholds for Internet-sourced traffic towards a LAN subnet or endpoint

B. Define DOS policy rule to match this traffic flow and map the DOS profile created earlier

Step 1: DOS Profile Configuration

Navigate to Configuration > Services > Next Gen Firewall (or Stateful Firewall) > DOS > Profiles > +Add

Choose the type of Profile. Enable and configure the Flood Protection section as per requirement.

Alarm Rate	Defines the threshold rate at which a DoS alarm has to be triggered (in packets per second)
Activate Rate	Defines the threshold rate at which to activate a DoS response(mitigation action) (in packets per second)
Maximal rate	Defines the threshold rate of incoming packets (in packets per second) above which all packets are dropped. For aggregate profile, it applies to all traffic processed by the DoS protection rule For classified profile, it applies to the classified traffic (based on classification key defined in profile) matching the DoS protection rule
Drop Period	Duration in Seconds, for which the packets are dropped. Traffic dropped during this period is not counted when triggering an alert.
Action	Mitigation action to be taken when the active rate threshold is breached – Random Early Drops – Randomly Drop Packets – SYN Cookies – Generate an acknowledgment and ensure connection from dropping during SYN flood attack. This is the Default.

Step 2 : Create a DOS Policy

From Configuration > Services > Next Gen Firewall (or Stateful Firewall) > DOS > Policies > Policies > +Add

– Create a DOS rule

From Configuration > Services > Next Gen Firewall (or Stateful Firewall) > DOS > Policies > Rules > +Add

– Define the source and destination fields to match targeted traffic

–  Under Enforce tab, choose Action as “Protect” and map the profile created earlier in Dos Profile field. Enable logging as desired.

NOTE: Make sure the desired scenario/traffic flow is allowed by the VOS firewall rules & doesn’t hit the implicit deny or any other block-rule (under Next Gen Firewall > Security > Policy > Rules).

In this example, when there is a flood attack from the Internet towards any internal IP, the Versa SD-WAN CPE detects and automatically drops the traffic. This can be verified using the Monitor Tab, Analytics, and the CLI.

i. The Monitor Tab shows the near real-time traffic and hit count on the DOS policy. The Drop count confirms the behaviour of DDOS protection.

ii. The cli command output of the same –

Session detail also confirms the same behavior by identifying the “drop-module” as “ddos” –

iii. Detailed logs on Analytics indicates the DDOS Protection in action, under Logs > Threat Detection > DDoS

Dashboard > Security > Threats > DDoS tab on Analytics shows an overview of the Top 5 threats/attack  –

This document explained in brief about enabling DOS Protection in an SD-WAN Branch. The use of Classified DOS profile gives more insights into the details of the attacker and victim. In addition, other features like schedulers, services including custom services can also be combined and mapped to a DOS policy to give the users more control over the type of traffic to be protected.