- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How can I configure the SonicWall to mitigate DDoS attacks?
10/14/2021 
354 People found this article helpful
58,326 Views
Description
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. There are three types of DDoS attacks. Layer 3,Layer 4 DDoS attacks and Layer 7 DDoS attack.
Layer 3 / 4 DDoS attacks
The majority of DDoS attacks focus on targeting the Transport and Network Layers of the OSI Model. These types of attacks are usually comprised of volumetric floods that aim to overwhelm the target devices, denying or consuming resources until they're unreachable. In these types of DDoS attacks, malicious traffic (TCP / UDP) is used to flood the victim.
Layer 7 DDoS attacks
Application-layer DDoS attacks are some of the most difficult attacks to mitigate against because they mimic human behavior as they interact with the user interface. A sophisticated Layer 7 DDoS attack may target specific areas of a website, making it even more difficult to separate from normal traffic.
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
CAUTION: Please be aware that mitigating DDoS Attacks at the Firewall level is far less effective than at the ISP level. Once packets have made it to the Firewall, typically the network edge device, they're going to overwhelm your network such that it will be hard for traffic to get in or out. Mitigating DDoS at the firewall level will allow you to preserve and protect internal resources so that internal users may still be able to function and sensitive information isn't compromised.
DDoS Protection Checklist
In order to help harden your network against DDoS Attacks at the firewall level, please follow the below steps. These are presented in no particular order.
Enable Intrusion Prevention
- Click on MANAGE , navigate to Security Services | IPS. Ensure that your settings mirror the screenshot below.
NOTE: To enforce SonicWall IPS not only between each Network Zone and the WAN, but also between internal zones, you should also apply SonicWall IPS to zones on the Network | Zones Page .
Block unused Ports from the WAN to the Internal Network
- Navigate to Rules | Access Rules.
- Check the WAN to LAN, WAN to DMZ, WAN to WLAN, and WAN to any Custom Zones access rules.
- Ensure that any Allow rules are specified by Service (Port) as well as Source IP if possible.
Enable Flood Protection
- Navigate to Firewall Settings | Flood Protection.
- Enable UDP Flood Protection and ICMP Flood Protection.
- Set TCP Flood Protection to Proxy WAN Client Connections when attack is suspected.
CAUTION: Proxy WAN Connections will cause External Users who trigger the Flood Protection feature to be blocked from connecting to internal resources. If there is a chance any Users can generate a false positive for this feature it is recommended to leave TCP Flood Protection in Watch and Report mode.
Enable Geo-IP Filter and Botnet Filter
Many DDoS attacks occur when infected machines under the control of a few individuals are all directed at one target. Often these attacks come from certain Countries and do not have their IP Addresses obfuscated. By using the Geo-IP Filter and Botnet Filter on the SonicWall it is possible to drop these packets as they attempt to enter your network which can aid the SonicWall in keeping your network reachable.
- Navigate to Security Services | Geo-IP Filter.
- Enable both Block connections to/from countries selected in the Countries tab .
- Select the countries you'd like to block from the table provided under Countries tab, you can Drag and Drop the countries name to move them under the Selected Country List.
- Click Accept at the bottom. CAUTION:This feature will block Outbound Connections to any device that has a Public IP Address associated with the selected country. If you'd like to setup Geo-IP Filter for a more granular block please reference How to configure SonicWall Geo-IP Filter using Firewall Access Rules.
NOTE: Botnet IP addresses are maintained by SonicWall for internal use. If you'd like to test a Domain/IP for possibly being flagged as a Botnet, navigate to Security Services | Botnet Filter | Diagnostics and enter the desired IP Address in the Lookup ID Tool. CAUTION:This feature will block Outbound Connections to any device that has a Public IP Address associated with the selected country. If you'd like to setup Geo-IP Filter for a more granular block please reference How to configure Botnet Filtering with Firewall Access Rules.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
CAUTION: Please be aware that mitigating DDoS Attacks at the Firewall level is far less effective than at the ISP level. Once packets have made it to the Firewall, typically the network edge device, they're going to overwhelm your network such that it will be hard for traffic to get in or out. Mitigating DDoS at the Firewall level will allow you to preserve and protect internal resources so that internal Users may still be able to function and sensitive information isn't compromised.
DDoS Protection Checklist
In order to help harden your network against DDoS Attacks at the firewall level, please follow the below steps. These are presented in no particular order.
Enable Intrusion Prevention
- Navigate to Security Services | IPS. Ensure that your settings mirror the screenshot below.
NOTE: To enforce SonicWall IPS not only between each Network Zone and the WAN, but also between internal Zones, you should also apply SonicWall IPS to Zones on the Network | Zones Page .
Block unused Ports from the WAN to the Internal Network
- Navigate to Firewall | Access Rules.
- Check the WAN to LAN, WAN to DMZ, WAN to WLAN, and WAN to any Custom Zones access rules.
- Ensure that any Allow rules are specified by Service (Port) as well as Source IP if possible.
Enable Flood Protection
- Navigate to Firewall Settings | Flood Protection.
- Enable UDP Flood Protection and ICMP Flood Protection.
- Set TCP Flood Protection to Proxy WAN Client Connections when attack is suspected. CAUTION: Proxy WAN Connections will cause External Users who trigger the Flood Protection feature to be blocked from connecting to internal resources. If there is a chance any Users can generate a false positive for this feature it is recommended to leave TCP Flood Protection in Watch and Report mode.
Enable Geo-IP Filter and Botnet Filter
Many DDoS attacks occur when infected machines under the control of a few individuals are all directed at one target. Often these attacks come from certain Countries and do not have their IP Addresses obfuscated. By using the Geo-IP Filter and Botnet Filter on the SonicWall it is possible to drop these packets as they attempt to enter your network which can aid the SonicWall in keeping your network reachable.
- Navigate to Security Services | Geo-IP Filter.
- Enable both Block connections to/from countries listed in the table below and Enable Logging.
- Select the countries you'd like to block from the table provided. CAUTION: This feature will block Outbound Connections to any device that has a Public IP Address associated with the selected country. If you'd like to setup Geo-IP Filter for a more granular block please reference How to configure SonicWall Geo-IP Filter using Firewall Access Rules.
- Navigate to Security Services | Botnet Filter.
- Enable both Block connections to/from Botnet Command and Control Servers and Enable Logging. NOTE: Botnet IP Addresses are maintained by SonicWall for internal use. If you'd like to test a Domain/IP for possibly being flagged as a Botnet, go to Security Services | Botnet Filter | Diagnostics and enter the desired IP address in the Lookup ID Tool. CAUTION: This feature will block Outbound Connections to any device that has a Public IP Address associated with the selected country. If you'd like to setup Geo-IP Filter for a more granular block please reference How to configure Botnet Filtering with Firewall Access Rules.
Related Articles
- Supported Public Cloud Servers/Instance Sizes on SonicWall NSv Series Models
- Why do I need a Support Services Reinstatement?
- How can I configure a VPN between a SonicWall firewall and Microsoft Azure?
Categories
- Firewalls > NSa Series > Networking
- Firewalls > NSv Series > Networking
- Firewalls > TZ Series > Networking
YES
NO