Denial Of Service protection utilizing a Palo Alto firewall



Current Landscape

As we have seen lately with the Dyn DNS DDoS attack and related attacks on core internet infrastructure, protecting your infrastructure has never been more critical. Robust DDoS mitigation strategies, such as packet scrubbing or DDoS protection services like Cloudflare or Akamai, will ultimately give you the resilience you need against a large-scale attack, but there are also methods to mitigate smaller attacks using a firewall. Although a firewall cannot prevent an outright DDoS attack, it can mitigate smaller, more targeted DoS attacks.


In this discussion, I will illustrate a straightforward method and configuration to provide some resilience using Palo Alto firewalls.

What is a DoS attack?

A Denial of Service (DoS) attack is an attempt to disrupt network services by overloading the network with unwanted traffic. On a Palo Alto firewall, the PAN-OS DoS protection features protect the firewall itself and, in turn, your network resources and devices from being exhausted or overwhelmed by network floods, host sweeps, port scans, and packet-based attacks. The DoS protection features provide flexibility by varying the granularity of protection, and provide usability through a variety of options that cover most of the attacks in the current DoS landscape.

I won't go into the nuances of UDP and TCP floods, but rather dive right in and illustrate a configuration that has been tested against a garden-variety targeted DoS attack.

Configuration of a Zone Protection Profile

Create a zone protection profile under the Network->Network Profiles->Zone Protection tab. Here you can select the type of protection: Flood Protection, Reconnaissance Protection, or Packet Based Attack Protection.


Recommended: Check all the boxes and set limits for each type of traffic. Set the action for ALL reconnaissance protection types to block.

After that, apply this zone protection profile to a source zone (i.e. the zone from which traffic enters the firewall).



Recommended: The source zone will most likely be the Untrusted or ingress zone; the upstream device can be an F5 or a simple edge router. You can apply a ZPP to multiple zones (and thus to the interfaces they contain).

Configuration of a DoS Profile

The DoS protection rule base allows firewall administrators to configure granular policies for DoS mitigation. DoS protection policies can use zone, interface, IP address or user information as match conditions for mitigating DoS attacks. Zone protection profiles are designed to provide broad-based protection at the ingress zone and are not designed to protect a specific end host or traffic going to a particular destination zone. DoS protection profiles are designed for high-precision targeting and augment zone protection profiles by allowing administrators to create DoS rules, similar to Security policies, that select traffic to and from certain zones, to and from certain addresses or address groups, or from certain users and for certain services, to be analyzed for DoS attacks.


A DoS Protection profile is attached to a DoS policy rule. When a DoS rule is matched, the parameters of the DoS profile are enforced on the traffic. A DoS protection profile can be attached as an aggregate or a classified profile in a DoS rule.

NOTE: In this example we demonstrate an aggregate rule, which applies DoS protection to all traffic hitting the policy. A classified profile applies to a grouping of hosts that may require a special policy just for them. Both block traffic in the same fashion, but a classified profile allows more specific fine-tuning for certain assets.



Create a DoS rule similar to a security rule. Most parameters are similar to those of security rules in terms of zones and addresses and are used in a similar manner. Attach an aggregate profile, a classified profile, or both to the rule. The 'action' keyword in the rule means the following:
Deny: All traffic hitting this DoS rule is denied.
Allow: All traffic hitting this DoS rule is allowed.
Protect: All traffic hitting this DoS rule is checked against the rate limits specified by the Aggregate and Classified profiles.



Recommended: Given we intend to stop DoS traffic, use Deny or Protect. Deny does not reference the protection profile, while Protect checks traffic against it. Deny uses fewer resources on the management plane because its logging is less detailed, and slightly less on the data plane because less rule processing is required.
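The zone protection and DoS protection steps above, expressed as PAN-OS CLI set commands (configure mode) rather than GUI clicks. This is an added example, not configuration from the original post: the zone names (Untrust, DMZ), profile and rule names, the Web-Servers address group, and all rate values are illustrative placeholders, and the exact option names and thresholds should be verified against your PAN-OS version and your own baseline traffic before use.

```text
# Lines starting with # are annotations for the reader, not CLI commands.
# 1. Zone Protection Profile (placeholder name ZPP-Untrust)
#    Flood protection: enable each flood type and set RED thresholds (pps, placeholders).
set network profiles zone-protection-profile ZPP-Untrust flood tcp-syn enable yes
set network profiles zone-protection-profile ZPP-Untrust flood tcp-syn red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
set network profiles zone-protection-profile ZPP-Untrust flood udp enable yes
set network profiles zone-protection-profile ZPP-Untrust flood udp red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
set network profiles zone-protection-profile ZPP-Untrust flood icmp enable yes
set network profiles zone-protection-profile ZPP-Untrust flood icmp red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
set network profiles zone-protection-profile ZPP-Untrust flood other-ip enable yes
set network profiles zone-protection-profile ZPP-Untrust flood other-ip red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
#    Reconnaissance protection: block all three scan types
#    (8001 TCP port scan, 8002 host sweep, 8003 UDP port scan); interval/threshold are placeholders.
set network profiles zone-protection-profile ZPP-Untrust scan 8001 action block interval 2 threshold 100
set network profiles zone-protection-profile ZPP-Untrust scan 8002 action block interval 10 threshold 100
set network profiles zone-protection-profile ZPP-Untrust scan 8003 action block interval 2 threshold 100
#    Packet-based attack protection (one representative option shown)
set network profiles zone-protection-profile ZPP-Untrust discard-ip-spoof yes
#    Apply the profile to the ingress (source) zone
set zone Untrust network zone-protection-profile ZPP-Untrust

# 2. Aggregate DoS Protection Profile (placeholder name DoS-Agg-Web)
#    Lower thresholds than the zone profile, since it targets one destination group;
#    block-duration is in seconds. All values are placeholders.
set profiles dos-protection DoS-Agg-Web type aggregate
set profiles dos-protection DoS-Agg-Web flood tcp-syn enable yes
set profiles dos-protection DoS-Agg-Web flood tcp-syn red alarm-rate 2000 activate-rate 2000 maximal-rate 8000 block-duration 300
set profiles dos-protection DoS-Agg-Web flood udp enable yes
set profiles dos-protection DoS-Agg-Web flood udp red alarm-rate 2000 activate-rate 2000 maximal-rate 8000 block-duration 300

# 3. DoS policy rule with action Protect (placeholder name Protect-Web)
set rulebase dos rules Protect-Web from Untrust
set rulebase dos rules Protect-Web to DMZ
set rulebase dos rules Protect-Web source any
set rulebase dos rules Protect-Web destination Web-Servers
set rulebase dos rules Protect-Web service any
set rulebase dos rules Protect-Web action protect
set rulebase dos rules Protect-Web protection aggregate profile DoS-Agg-Web
commit
```

To use the Deny action described above instead, set `action deny` and omit the protection profile line; the rule then drops matching traffic without evaluating the profile thresholds.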

Final Word

Ultimately, testing any policy is the best measure of a correct configuration. I recommend third-party testing services such as Nimbus DDoS Testing to provide real-world testing and measurement of your policies.


View Arthur deAlba's profile on LinkedIn
