DoS protection

Denial of Service (DoS) attacks work by consuming network and system resources, making them unavailable for legitimate network applications. Network flooding attacks, malformed packets, and port scans are examples of such DoS attacks.

The aim of AA FW DoS protection is to protect subscribers and prevent any abuse of network resources.

Using AA FW stateful session filters, operators can protect their subscribers from any port scan scheme by configuring the session filters to disallow any traffic that is initiated from the network.

Furthermore, AA ISA provides configurable flow policers. These policers, when configured, prevent all sorts of flooding attacks (for example, ICMP PING flooding, UDP flooding, SYN Flood Attack). These policers provide protection at multiple levels; per system per application/application groups and per subscriber per applications/applications groups. AA ISA flow policers has two flavors; flow setup rate policers and flow count policers. Flow setup rate policers limit the number of new flows, while flow count policers limit the total number of active flows.

To protect hosts and network resources, AA_FW validates/checks the following parameters, if any fails, it declares the packet to be invalid (/Errored):

• IP layer validation:

  • IP version is not 4 nor 6

  • checksum error (IPv4)

  • header length check

  • packet length check

  • TTL/Hop limit (not equal to zero) check

  • fragment offset check (teardrop and ping of death protection)

• class D/E (>=224.0.0.0)

• broadcast 255.255.255.255 (multicast source address)

• 127.x.x.x (invalid source address)

• invalid subnet (subnet, 0) [unless /31 point-to-point interface]

• invalid subnet multicast (subnet, -1) unless /31 point-to-point interface

• IPv4 destination address checks:

  • broadcast 255.255.255.255, 0.x.x.x,127.x.x.x

• IPv6_source address checks:

  • multicast source address (FFxx:xxxx:……:xxxx)

• IPv6_destination address checks:

  • invalid destination address (=::)

• TCP/UDP validation:

  • header checksum

  • source or destination ports (not equal to zero) check

    (only dest port is checked for UDP)

  • invalid TCP flags

    • TCP FIN Only (only the FIN flag set)

    • TCP No Flags (no flags are set)

    • TCP FIN RST (both FIN and RST are set)

    • TCP SYN URG (both SYN and URG are set)

    • TCP SYN RST (both SYN and RST are set)

    • TCP SYN FIN (both SYN and FIN are set)

  • validates that the first packet of a TCP flow does not contain RST or FIN flags

The above complements ESM enhanced security features, such as IP (or mac) anti-spoofing protection (for example, protecting against ‟LAND attack”) and network protocols DoS protections. The combination provides a world class carrier grade FW function.