Yesterday I got a phone call from a friend at a pemkab (district government) that manages an LPSE server. One of their problems is keeping the server safe from flood attacks; one solution we offered is a WatchGuard UTM firewall. The technical notes follow.
About flood attacks
In a flood attack, attackers send a very high volume of traffic to a system so it cannot examine and allow permitted network traffic. For example, an ICMP flood attack occurs when a system receives sufficient ICMP ping commands that it uses all of its resources to send reply commands. The WatchGuard device can protect against these types of flood attacks:
- IPSec flood attacks
- IKE flood attacks
- ICMP flood attacks
- SYN flood attacks
- UDP flood attacks
Flood attacks are also known as Denial of Service (DoS) attacks.
The default configuration of the WatchGuard device is to block flood attacks. To disable or re-enable this feature, or to change the maximum allowed number of packets each second:
- From Policy Manager, click the icon, or select Setup > Default Threat Protection > Default Packet Handling. The Default Packet Handling dialog box appears.
- Select or clear the check boxes for the flood attacks you want to prevent.
You then use the arrows to select the maximum allowed number of packets per second for each source IP address. If the setting is, for example, 1000, this means that the WatchGuard device blocks a source if it receives more than 1000 packets per second from that source.
About the SYN flood attack setting
For SYN flood attacks, you set the threshold for the WatchGuard device to report that a SYN flood attack may be taking place. But, no packets are dropped if only that number of packets is received. At twice the threshold, all SYN packets are dropped. At any level between the threshold you define and twice that level, if a packet's src_IP, dst_IP, and total_length are the same as the previous packet received, then it will always be dropped; otherwise 25 percent of the new packets received are dropped.
For example, suppose you define the threshold at 18 packets per second. When you receive that amount, the WatchGuard device warns you that a SYN flood attack may be taking place but it drops no packets. If you receive 20 packets per second, the device drops 25% of the packets (5 packets). If you receive 36 or more, the last 18 or more packets are dropped.
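The two thresholds above (the per-source packets-per-second limit and the SYN flood threshold with its 2x cutoff and 25 percent rule) can be checked against the numbers in the text with a small model. This is an added example, not WatchGuard code: the packet data is constructed, the IP addresses are documentation addresses, and the "25 percent of new packets" rule is modelled deterministically as every fourth new packet so the result is reproducible.

```python
from collections import Counter

# --- Per-source packets-per-second limit (Default Packet Handling) ---

def sources_over_limit(packets, max_pps):
    """packets: iterable of (second, src_ip) tuples (constructed sample data).
    Returns the set of source IPs that sent more than max_pps packets within
    any single second, i.e. the sources the page says the device would block."""
    per_second = Counter(packets)                      # counts (second, src_ip) pairs
    return {src for (_sec, src), n in per_second.items() if n > max_pps}


# --- SYN flood threshold model (threshold, 2x threshold, 25 percent rule) ---

def syn_flood_decision(syn_packets, threshold):
    """syn_packets: list of (src_ip, dst_ip, total_length) tuples received in
    one second, in arrival order. Returns (alert, dropped_count).

    - below the threshold: no alert, nothing dropped
    - exactly at the threshold: alert, nothing dropped
    - at or above twice the threshold: alert, everything dropped
    - in between: a packet identical to the previous one is always dropped;
      otherwise 25 percent of the new packets are dropped (every fourth one
      here; the real device's selection is not described on the page)"""
    rate = len(syn_packets)
    if rate < threshold:
        return False, 0
    if rate == threshold:
        return True, 0
    if rate >= 2 * threshold:
        return True, rate
    dropped = 0
    new_seen = 0
    prev = None
    for pkt in syn_packets:
        if pkt == prev:
            dropped += 1                               # repeat of previous packet: always dropped
        else:
            new_seen += 1
            if new_seen % 4 == 0:                      # 25 percent of the new packets
                dropped += 1
        prev = pkt
    return True, dropped


# Constructed sample data (hypothetical addresses from the documentation ranges).
ATTACKER, VICTIM, OTHER = "198.51.100.7", "203.0.113.10", "198.51.100.8"

# 1001 packets from ATTACKER and 10 from OTHER in the same second.
SAMPLE_PACKETS = [(0, ATTACKER)] * 1001 + [(0, OTHER)] * 10

# 36 SYN packets that differ only in total_length, so no two consecutive ones match.
SAMPLE_SYNS = [(ATTACKER, VICTIM, 40 + i) for i in range(36)]

# 20 identical SYN packets: the "same as previous packet" rule applies to 19 of them.
REPEATED_SYNS = [(ATTACKER, VICTIM, 40)] * 20


if __name__ == "__main__":
    print("blocked sources at 1000 pps:", sources_over_limit(SAMPLE_PACKETS, 1000))
    for n in (17, 18, 20, 36):
        print(f"{n} SYN/s at threshold 18 ->", syn_flood_decision(SAMPLE_SYNS[:n], 18))
    print("20 identical SYN/s at threshold 18 ->", syn_flood_decision(REPEATED_SYNS, 18))
```

With the page's threshold of 18, the model returns an alert and no drops at 18 packets, 5 drops at 20 packets, and 36 drops at 36 packets, matching the worked numbers in the text; the repeated-packet case shows why a flood of identical SYNs is cut harder than varied traffic in the band between the threshold and twice the threshold.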