
DoS Settings

In document User Guide Version 9.5.8 (Page 152-157)

Cyberoam provides several security options that cannot be defined by the firewall rules. This includes protection from several kinds of “Denial of Service attacks”. These attacks disable computers and circumvent security.

A Denial of Service (DoS) attack is a method hackers use to prevent or deny legitimate users access to a service.

DoS attacks are typically executed by sending many request packets to a targeted server (usually Web, FTP, or Mail server), which floods the server's resources, making the system unusable. Their goal is not to steal the information but disable or deprive a device or network so that users no longer have access to the network services/resources.

All servers can handle traffic volume up to a maximum, beyond which they become disabled. Hence, attackers send a very high volume of redundant traffic to a system so that it cannot examine and allow permitted network traffic. The best way to protect against a DoS attack is to identify and block such redundant traffic.

Packet rate per Source

Total number of connections or packets allowed to a particular user.

Burst rate per Source

Maximum number of packets allowed to a particular user at a given time.

Packet rate per Destination

Total number of connections or packets allowed from a particular user.

Burst rate per Destination

Maximum number of packets allowed from a particular user at a given time.

How it works

When the burst rate is crossed, Cyberoam considers it an attack. Cyberoam provides DoS attack protection by dropping all the excess packets from the particular source/destination. Cyberoam will continue to drop the packets till the attack subsides. Because Cyberoam applies the threshold value per IP address, only traffic from the particular source/destination is dropped while the rest of the network traffic is not dropped at all, i.e. traffic from the remaining IP addresses is not affected.

Time taken to re-allow traffic from the blocked source/destination = time taken to subside the attack + 30 seconds

For example

Packet rate per Source – 100 packets per second

Burst rate per Source – 200 packets per second

When a user starts sending requests, the user will initially be able to send 200 packets per second, but once the 200 packets have been received, in the next phase the user will be able to send only 100 packets per second.

So in the next phase, if the user sends 150 packets per second, Cyberoam will consider it an attack and drop 50 (150 - 100) packets. Cyberoam will accept traffic from the user only after 30 seconds of dropping the packets.
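As an added illustration (not part of the Cyberoam guide), the following Python model replays the per-source thresholding described above with the guide's own figures. It assumes that the burst rate applies until the first 200 packets have been received, that only the excess over the limit is dropped while the rate is being exceeded, and that all traffic from the source is then held for 30 seconds once the attack subsides; the source IPs and per-second packet counts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

HOLD_SECONDS = 30  # guide: re-allow time = time for the attack to subside + 30 s

@dataclass
class SourceState:
    seen: int = 0            # packets accepted so far (decides burst vs. rate)
    attacking: bool = False  # threshold was crossed in the previous second
    blocked_until: int = -1  # second at which traffic is accepted again

class PerSourceDosLimiter:
    """Per-source Packet Rate / Burst Rate thresholding (assumed model of the guide)."""

    def __init__(self, packet_rate: int, burst_rate: int) -> None:
        self.packet_rate = packet_rate  # sustained packets/second per source
        self.burst_rate = burst_rate    # packets/second in the initial phase
        self.states: Dict[str, SourceState] = {}  # one counter set per source IP

    def process_second(self, t: int, src: str, count: int) -> Tuple[int, int]:
        """Account for `count` packets from `src` in second `t`; returns (accepted, dropped)."""
        st = self.states.setdefault(src, SourceState())
        if t < st.blocked_until:          # inside the 30 s hold: drop everything
            return 0, count
        # Burst rate applies until burst_rate packets have been received from this source.
        limit = self.burst_rate if st.seen < self.burst_rate else self.packet_rate
        if count > limit:                 # attack: drop only the excess
            st.attacking = True
            st.seen += limit
            return limit, count - limit
        if st.attacking:                  # attack subsided: start the hold period
            st.attacking = False
            st.blocked_until = t + HOLD_SECONDS
            return 0, count
        st.seen += count
        return count, 0

def run_guide_example() -> list:
    """Replays the guide's figures: Packet rate 100 pps, Burst rate 200 pps."""
    lim = PerSourceDosLimiter(packet_rate=100, burst_rate=200)
    traffic = [                 # constructed: (second, source IP, packets sent)
        (0, "10.0.0.5", 200),   # burst phase: all 200 accepted
        (1, "10.0.0.5", 150),   # over the 100 pps rate: 50 dropped
        (1, "10.0.0.9", 90),    # a different host is not affected
        (2, "10.0.0.5", 80),    # attack subsided; hold runs until t = 32
        (31, "10.0.0.5", 80),   # still within the 30 s hold
        (32, "10.0.0.5", 80),   # re-allowed
    ]
    return [(t, src, *lim.process_second(t, src, n)) for t, src, n in traffic]
```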

Threshold values

Cyberoam uses the packet rate and burst rate values as threshold values to detect a DoS attack. These values depend on various factors like:

• Network bandwidth

• Nature of traffic

• Capacity of servers in the network

These values are applicable to the individual source or destination, i.e. requests per user/IP address, and not globally to the entire network traffic. For example, if the source rate is 2500 packets/minute and the network consists of 100 users, then each user is allowed a packet rate of 2500 packets per minute.

Configuring too high values will degrade the performance, and too low values will block regular requests.

Hence it is very important to configure appropriate values for both source and destination IP addresses.

Configure DoS Settings

Select Firewall → DoS Setting

Screen – DoS Settings

Define the attack definition from Firewall → DoS Settings (Attack definition can be defined both for source and destination).

35. Define SYN flood

Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.

Click Apply Flag to apply the SYN flood definition and control the allowed number of packets.

Click ‘SYN Flood’ to view the real time updates on flooding. It displays the source IP address which was used for flooding and the IP address which was targeted.

SYN Flood is an attack in which a large number of connection requests are sent so that the backlog queue overflows. A connection is created when the victim host receives a connection request and allocates some memory resources for it. A SYN flood attack creates so many half-open connections that the system becomes overwhelmed and cannot handle incoming requests any more.

36. Define UDP flood

Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.

Click Apply Flag to apply the UDP flood definition and control the allowed number of packets.

Click ‘UDP Flood’ to view the real time updates on flooding. It displays the source IP address which was used for flooding and the IP address which was targeted.

A User Datagram Protocol (UDP) Flood links two systems. It hooks up one system’s UDP character-generating service with another system’s UDP echo service. Once the link is made, the two systems are tied up exchanging a flood of meaningless data.

37. Define TCP flood

Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.

Click Apply Flag to apply the TCP flood definition and control the allowed number of packets.

A TCP flood attack sends a huge amount of TCP packets, more than the host/victim computer can handle.

38. Define ICMP flood

Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.

Click Apply Flag to apply the ICMP flood definition and control the allowed number of packets.

Click ‘ICMP Flood’ to view the real time updates on flooding. It displays the source IP address which was used for flooding and the IP address which was targeted.

An ICMP flood attack sends a huge amount of packets/traffic, more than the protocol implementation of the host/victim computer can handle.

39. Drop Source Routed Packets

Click Apply Flag to enable. This will block any source routed connections or any packets with internal address from entering your network.

40. Disable ICMP redirect packet

An ICMP redirect packet is used by routers to inform the hosts what the correct route should be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly weaken the security of the host by causing traffic to flow via another path.

Set the flag to disable the ICMP redirection.

41. Disable ARP flooding

An ARP flood attack sends ARP requests at a very high rate to the server. Because of this, the server is overloaded with requests and will not be able to respond to valid requests. Cyberoam protects against this by dropping such invalid ARP requests.

42. Click Update to save the configuration

43. Bypass DoS Settings

Cyberoam allows bypassing the DoS rule in case you are sure that the specified source/destination will never be used for flooding, or if you want to ignore flooding that occurs from the specified source.

Create DoS bypass rule

Select Firewall → Bypass DoS

Screen – Create DoS bypass rule

Screen Elements and Description

Source and Destination Information

Source Domain name/IP Address

Source Domain name, IP address or Network on which the DoS rule is not to be applied. Specify source information. Specify * if you want to bypass the complete network.

Source Port

Specify source port address. Specify * if you want to bypass all the ports. DoS will not be applied on all the requests from the specified source IP address and port.

Destination Domain name/IP Address

Destination Domain name or IP address on which the DoS rule is not to be applied. Specify destination information. Specify * if you want to bypass the complete network.

Destination Port

Specify destination port address. Specify * if you want to bypass all the ports. DoS will not be applied on all the requests from the specified destination IP address and port.

Network Protocol

Select the protocol whose traffic is to be bypassed for the specified source to destination. For example, if you select the TCP protocol, then DoS rules will not be applied on the TCP traffic from the specified source to destination.

Create button

Creates the bypass rule.

Table – Create DoS bypass rule screen elements

Delete DoS bypass rule

Select Firewall → Bypass DoS

Screen – Delete DoS bypass rule

Screen Elements and Description

Select

Select rule for deletion. Click Del to select. More than one rule can also be selected.

Select All

Select all rules. Click Select All to select all rules.

Delete button

Deletes all the selected rules. Click to delete.

Table – Delete DoS bypass rule screen elements
