
Static Attacks

In document Check Point DDoS Protector (Page 50-53)

The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks to reflect specific needs of your network, or edit the existing attacks.

The Signature Protection Static Attack Configuration window enables you to edit existing attack parameters.

To edit a static attack

1. Select DDoS Protector > DoS Signatures > Attacks > Static.

2. Select a static attack.

3. Configure the parameters, and click Set.

DDoS Protector Web Based Management User Guide | 43

Parameter Description

ID (Read-only) The unique identifying number.

Attack Name (Read-only) The name for this attack. The Attack Name is used when DoS Shield sends information about attack status changes.

Filter Name (Read-only) The filter assigned to this attack.

Tracking Time The time, in milliseconds, in which the Threshold is measured. When a number of packets that is greater than the threshold value passes through the device, during this defined period, the device recognizes it as an attack.

Value: 1000

Tracking Type Specifies how the protection determines which traffic to block or drop when under attack.

Values:

• Drop All—Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.

• Source Count—Select this option when the defined attack is source-based—that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.

• Target Count—Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server, for example, Ping Flood and DDoS attacks.

• Source and Destination Count—Select this option when the attack type is a source- and destination-based attack—that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.

• Sampling—Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.

[Attack names listed beside the table: landattack, fragments, ncpsdcan, dhcp, ftpbounce, bobo2K]

Action Mode The action that the protection takes when an attack is detected. Values:

• Report Only—The packet is forwarded to the defined destination.

• Drop—The packet is discarded.

• Reset Source—Sends a TCP-Reset packet to the packet Source IP.

• Reset Destination—Sends a TCP-Reset packet to the destination address.

• Reset BiDirectional—Sends a TCP-Reset packet to both the packet source IP and the packet destination IP.

• MM7—If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue to prevent a re-transmission. It contains Transaction ID, Content Length, and Message ID.

State Enables or disables the Attack Status.

There are cases where you may need to temporarily disable an attack from a static group. For example, if you suspect that a certain attack introduces false positives, and you would like to disable that specific attack only.

Setting the attack status to Disable means that the attack is disabled but not removed from the group.

Direction A certain protection policy may contain attacks that should be searched only for traffic from client to server or only on traffic from server to client.

To provide simple and efficient scanning configuration you can set per attack the traffic direction for which it is relevant.

Values:

• Inbound—On traffic from policy Source to policy Destination

• Outbound—On traffic from policy Destination to policy Source

• In-Out Bound—On all traffic between policy Source and policy Destination

Suspend Action This functionality allows the user to define that for certain attacks, in addition to the action defined in the attack, the device should also suspend traffic from the IP address that was the source of the attack, for a period of time.

Values:

• None—Suspend action is disabled for this attack.

• SrcIP—All traffic from the IP address identified as source of this attack will be suspended.

• SrcIP, DestIP—Traffic from the IP address identified as source of this attack to the destination IP under attack will be suspended.

• SrcIP, DestPort—Traffic from the IP address identified as source of this attack to the application (destination port) under attack will be suspended.

• SrcIP, DestIP, DestPort—Traffic from the IP address identified as source of this attack to the destination IP and port under attack will be suspended.

• SrcIP, DestIP, SrcPort, DestPort—Traffic from the IP address and port identified as source of this attack to the destination IP and port under attack will be suspended.

Active Threshold When this threshold is exceeded, the status of the attack is changed to Currently Active. This is only relevant when the Attack Status was configured as Dormant.

The maximum number of attack packets allowed in each Tracking Time unit. Attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period.

When the value for Tracking Type is Drop All, the protection ignores this parameter.

Exclude Src The source IP address or network whose packets the protection does not inspect.

Drop Threshold After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS. When the value for Tracking Type is Drop All, the protection ignores this parameter.

Exclude Dest The destination IP address or network whose packets the protection does not inspect.

Term Threshold When the attack PPS rate drops below this threshold, the protection changes the attack from active mode to inactive mode.

When the value for Tracking Type is Drop All, the protection ignores this parameter.

Packet Trace Specifies whether the protection sends attack packets to the specified physical port.
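To make the interplay of Tracking Time, Tracking Type, Active Threshold, Drop Threshold and Term Threshold concrete, the following is an added illustrative model in Python. It is not Check Point's code and does not reproduce the appliance's internal algorithm: the fixed counting windows, the conversion of a per-window count to PPS, the evaluation of Term Threshold when a later window begins, the class and function names, and the sample packets are all assumptions made for this example. The Sampling tracking type (DoS Shield) is not modelled.

```python
"""Added illustrative model of static-attack tracking (not Check Point code).

Assumptions for the example: packets that matched the attack filter are
counted per key inside fixed windows of Tracking Time milliseconds; the count
is converted to PPS for the Drop and Term thresholds; the Term Threshold is
evaluated when the first packet of a later window arrives.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class StaticAttack:
    """Parameter names follow the guide; units are those the guide states."""
    name: str
    tracking_type: str            # "Drop All", "Source Count", "Target Count", "Source and Destination Count"
    tracking_time_ms: int = 1000  # window in which the thresholds are measured
    active_threshold: int = 0     # max attack packets allowed per tracking window
    drop_threshold: int = 0       # PPS above which excess traffic is dropped
    term_threshold: int = 0       # PPS below which the attack goes back to inactive

    def key(self, pkt):
        """Which packets are counted together, as selected by Tracking Type."""
        if self.tracking_type == "Source Count":
            return (pkt["src"],)
        if self.tracking_type == "Target Count":
            return (pkt["dst"],)
        if self.tracking_type == "Source and Destination Count":
            return (pkt["src"], pkt["dst"])
        raise ValueError("no counting key for tracking type " + self.tracking_type)


class AttackTracker:
    """Rate-based state machine for one static attack (hypothetical model)."""

    def __init__(self, attack):
        self.attack = attack
        self.window = None                 # index of the current tracking window
        self.counts = defaultdict(int)     # packets per key in the current window
        self.active = set()                # keys whose attack is Currently Active
        self.events = []                   # (ts_ms, "activate" | "terminate", key)

    def _pps(self, count):
        return count * 1000 / self.attack.tracking_time_ms

    def _close_window(self, ts_ms):
        # Term Threshold: an active attack whose rate fell below it becomes inactive.
        for key in list(self.active):
            if self._pps(self.counts[key]) < self.attack.term_threshold:
                self.active.discard(key)
                self.events.append((ts_ms, "terminate", key))
        self.counts.clear()

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet that matched the attack filter."""
        a = self.attack
        if a.tracking_type == "Drop All":
            return "drop"                  # every packet is harmful; thresholds are ignored
        window = pkt["ts_ms"] // a.tracking_time_ms
        if self.window is not None and window != self.window:
            self._close_window(pkt["ts_ms"])
        self.window = window
        key = a.key(pkt)
        self.counts[key] += 1
        count = self.counts[key]
        if key not in self.active and count > a.active_threshold:
            self.active.add(key)           # Active Threshold exceeded: Currently Active
            self.events.append((pkt["ts_ms"], "activate", key))
        if key in self.active and self._pps(count) > a.drop_threshold:
            return "drop"                  # Drop Threshold exceeded: excess traffic dropped
        return "forward"


# Constructed sample: one source sends 10 packets in the first second, two in
# the next and one in the third; a second source sends two packets in total.
SAMPLE_PACKETS = (
    [{"ts_ms": t, "src": "10.0.0.1", "dst": "192.0.2.10"} for t in range(0, 1000, 100)]
    + [{"ts_ms": 150, "src": "10.0.0.2", "dst": "192.0.2.10"},
       {"ts_ms": 650, "src": "10.0.0.2", "dst": "192.0.2.10"}]
    + [{"ts_ms": 1100, "src": "10.0.0.1", "dst": "192.0.2.10"},
       {"ts_ms": 1500, "src": "10.0.0.1", "dst": "192.0.2.10"},
       {"ts_ms": 2000, "src": "10.0.0.1", "dst": "192.0.2.10"}]
)


def run_sample():
    """Run a Source Count attack over the sample; return decisions and events."""
    attack = StaticAttack("sample-source-flood", "Source Count",
                          tracking_time_ms=1000, active_threshold=5,
                          drop_threshold=8, term_threshold=3)
    tracker = AttackTracker(attack)
    ordered = sorted(SAMPLE_PACKETS, key=lambda p: p["ts_ms"])
    decisions = [tracker.process(p) for p in ordered]
    return {"decisions": decisions, "events": tracker.events}


if __name__ == "__main__":
    result = run_sample()
    print(result["decisions"].count("drop"), "dropped of", len(result["decisions"]))
    for event in result["events"]:
        print(event)
```

With the sample values, the first source crosses the Active Threshold on its sixth packet, has its ninth and tenth packets of that window dropped once its rate exceeds the Drop Threshold, keeps the attack active through the second window, and is terminated when its rate in that window falls below the Term Threshold. The second source never reaches the threshold and is forwarded throughout, which is the point of Source Count keying: only the offending source is affected.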
