WebUI
NOTE: You must use the CLI to configure the aggressive age-out settings.
CLI
set flow aging low-watermark 70
set flow aging high-watermark 80
set flow aging early-ageout 4
save
CPU Protection with Blacklisting DoS Attack Traffic
When a DoS attack occurs, the CPU recognizes the attack traffic and drops it. This can cause high CPU utilization and might make the security device drop all packets, including critical traffic such as management traffic. To prevent this, you can configure the security device to drop malicious packets in the packet-processing hardware that handles them, once the CPU has recognized the traffic as malicious. In this mechanism, you create a blacklist of IP addresses from which malicious traffic reaches the security device; based on that list, the CPU instructs the device to drop the traffic before it reaches the CPU. This saves significant processing load on the CPU during DoS attacks.
NOTE: The blacklist protection feature is not available for the following traffic conditions:
• IPV6 traffic
• IPV4 traffic when IPv6 is set as environment variable
• Traffic that has hardware session enabled
When a packet reaches the device, the packet processing hardware checks the packet against the list of blacklist entries. If a match occurs, the device drops that packet. If the packet does not match any blacklist entry, the device passes the packet to the next stage that prioritizes the packet. For each entry in the blacklist, the security device maintains
devices that support virtual systems but do not support blacklist creation, CPU protection features such as rate limiting apply.
Creating a Blacklist
To implement blacklisting of DoS attack traffic, you create a blacklist. The security device CPU screens the traffic that reaches it and determines if a flow matches a DoS attack pattern. If a packet matches the blacklist entry, the device drops the packet.
You can set the timeout value for each of the blacklist entries. To permanently block specific traffic that has been identified as DoS attack traffic, set the timeout value for that blacklist entry to 0.
You create the blacklist with the following information:
Field                      Description
Source IP Address          The source IP address from which the DoS attack traffic originated.
Destination IP Address     The destination IP address.
Source Port                The source port in a TCP or UDP session. Setting this to 0 matches all ports.
Destination Port           The destination port in a TCP or UDP session. Setting this to 0 matches all ports.
Protocol                   Set this to 0 to match any protocol. The source port and destination port are valid only when you have set the protocol to UDP or TCP.
Source IP Address Mask     Range is 0–32. Setting this to 0 matches all source IP addresses.
Destination IP Mask        Range is 0–32. Setting this to 0 matches all destination IP addresses.
Blacklist ID               The ID of the blacklist entry. Range is 0–31.
Timeout                    The timeout for the blacklist entry, in the range 0 to 600 minutes. If you set the timeout for a blacklist entry to 0, the security device never times out that entry. The security device saves only the permanent entries in the blacklist configuration.
Example
In this example, you create a blacklist entry that times out after 90 minutes.
WebUI
Configuration > CPU Protection > Black List > New: Enter the following, then click OK:
ID: 1
Source IP/Netmask: 1.1.1.0/24
Source Port: 5
Destination IP/Netmask: 2.2.2.0/24
Chapter 3: Denial of Service Attack Defenses
Destination Port: 7
Protocol: 17
Timeout: 90
CLI
set cpu-protection blacklist id 1 1.1.1.0/24 2.2.2.0/24 protocol 17 src-port 5 dst-port 7 timeout 90
save
NOTE: You cannot create a blacklist entry with the source IP address mask, the destination IP address mask, and the protocol values set to 0.
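The following is an added example, not ScreenOS code: a small Python model of how a blacklist entry of the kind configured above is checked for the all-zero rule in the NOTE and then matched against a packet, using the "0 matches any" semantics from the field table. Only the all-zero rule is validated here; the ID, mask and timeout ranges are not checked.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not ScreenOS code): model of how a CPU-protection blacklist
# entry is validated and matched; 0 means "match any", timeout 0 is permanent.
PROTO_TCP, PROTO_UDP = 6, 17

def _in_net(addr, net_ip, mask):
    # Mask 0 matches every address; otherwise test membership in net_ip/mask.
    return mask == 0 or ipaddress.ip_address(addr) in ipaddress.ip_network(
        f"{net_ip}/{mask}", strict=False)

@dataclass(frozen=True)
class BlacklistEntry:
    entry_id: int
    src_ip: str
    src_mask: int
    dst_ip: str
    dst_mask: int
    protocol: int = 0
    src_port: int = 0
    dst_port: int = 0
    timeout: int = 0  # minutes; 0 = never times out

    def __post_init__(self):
        # The NOTE above: the two masks and the protocol cannot all be 0.
        if self.src_mask == 0 and self.dst_mask == 0 and self.protocol == 0:
            raise ValueError("entry would match all traffic")

    def matches(self, src, dst, protocol, src_port=0, dst_port=0):
        # True when the packet hits this entry; the device would then drop it.
        if not (_in_net(src, self.src_ip, self.src_mask)
                and _in_net(dst, self.dst_ip, self.dst_mask)):
            return False
        if self.protocol and protocol != self.protocol:
            return False
        # Ports are consulted only for TCP/UDP; a port of 0 matches any port.
        if protocol in (PROTO_TCP, PROTO_UDP):
            if (self.src_port and src_port != self.src_port) or (
                    self.dst_port and dst_port != self.dst_port):
                return False
        return True

def entry_is_valid(**fields):
    # False where the device would reject the entry (for checking configs).
    try:
        BlacklistEntry(**fields)
        return True
    except ValueError:
        return False
```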
Prioritizing Critical Traffic
In addition to dropping malicious packets in the device, this mechanism prioritizes traffic during periods of high CPU utilization so that the security device allows critical traffic, such as management traffic, and drops noncritical traffic. For this mechanism to function, you configure a CPU utilization threshold. During a high-utilization situation, the mechanism compares the current CPU utilization with the threshold value you have set and then prioritizes the critical traffic, which can cause the security device to drop noncritical traffic.
Class  Type         Protocol
1      Critical     TELNET—device management
                    SSH—device management
                    HTTP/HTTPS—device management
                    BGP—routing protocol updates
                    OSPF—routing protocol updates
                    RIP—routing protocol updates
                    RIPNG—routing protocol updates
                    PIM—multicast routing protocol updates
                    NSRP—NSRP updates
                    IKE/VPN Monitor—tunnel setup and VPN Monitor packets
                    ARP—ARP responses, so that the device can move the session to hardware
                    RADIUS—authentication protocol
                    LDAP—authentication protocol
                    SNMP/SNMP traps—SNMP updates
                    NSM—communication with Network and Security Manager
                    TFTP—Trivial File Transfer Protocol
                    ICMP—Internet Control Message Protocol
2      Noncritical  Broadcast
3      Noncritical  Non-first packet
4      Noncritical  First packet
5      Noncritical  Other
WebUI
Configuration > CPU Protection > General Settings: Enter the CPU Protection Threshold, then click Apply:
CLI
set cpu-protection threshold number
save
The following table shows the traffic statistics of the get cpu-protection command when the threshold is set to 70 percent.
Current usage: 80%   High CPU threshold: 70%

Traffic Class        Passed  Dropped
1 Critical               16        0
2 ICMP/BC/ARP             6        3
3 Non-first               7        0
4 First                   3        0
5 Other                   2        1
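As an added monitoring example, not part of the original document or of ScreenOS: a Python parser for the statistics shown above that flags classes which lost packets while CPU usage was over the threshold. The sample text is constructed to match the table above; the exact layout printed by a real device is an assumption and should be checked before relying on it.

```python
import re

# Added example (not ScreenOS code): parse 'get cpu-protection' statistics and
# flag classes that dropped packets while the CPU was above the threshold.
# Layout assumed from the table above; constructed sample, not device output.
SAMPLE_OUTPUT = """\
Current usage: 80%   High CPU threshold: 70%
Traffic Class        Passed  Dropped
1 Critical               16        0
2 ICMP/BC/ARP             6        3
3 Non-first               7        0
4 First                   3        0
5 Other                   2        1
"""

_HEADER = re.compile(r"Current usage:\s*(\d+)%\s+High CPU threshold:\s*(\d+)%")
_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$", re.M)

def parse_cpu_protection(text):
    """Return (usage, threshold, {class_id: (name, passed, dropped)})."""
    m = _HEADER.search(text)
    if not m:
        raise ValueError("usage/threshold header not found")
    usage, threshold = int(m.group(1)), int(m.group(2))
    classes = {int(c): (name, int(p), int(d))
               for c, name, p, d in _ROW.findall(text)}
    return usage, threshold, classes

def overload_drops(text):
    """Classes that dropped packets while usage exceeded the threshold.
    Drops in class 1 are the ones to alert on: they mean management or
    routing traffic is being lost despite prioritization."""
    usage, threshold, classes = parse_cpu_protection(text)
    if usage <= threshold:
        return []
    return [(cid, name, d) for cid, (name, p, d) in sorted(classes.items()) if d]
```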