Sophos Firewall - extremely poor bandwidth when DoS enabled

Hello,

I just set up a new Sophos Firewall on my Dell XPS tower (testing). It was all working nice, I was getting about 230 Mbps bandwidth from fast.com. Then I enabled DoS from Intrusion Prevention --> DoS & spoof protection [tab] --> DoS settings. I clicked the checkbox for SYN flood, UDP flood, TCP flood, and ICMP/ICMPv6 flood. Then my bandwidth went to crap. The max download speeds I get are ~9 Mbps. Ammm.... I missing something? I even tried setting my WAN port to 1000 Mbps - Full Duplex. Advanced Threat Protection is also disabled.

I'm using firmware SFOS 18.5.1 MR-1-Build326 (updated from the initial build I downloaded (SFOS 18.0.5 MR-5-Build586).

I found this page but it's a little outdated so the instructions aren't the same as my GUI, plus the discussion has been locked: https://community.sophos.com/sophos-xg-firewall/f/discussions/95693/extremy-slow-internet-speed.



Edited TAGs
[edited by: emmosophos at 6:37 PM (GMT -7) on 23 Aug 2021]
Parents
  • Well, we got a quote from our ISP for them to do DoS for us -- even though we originally went with the Sophos because it boasted DoS capabilities --- $3200 a month they want. Does anyone know if this is normal? That sounds expensive to me. Also, does anyone know what layer of DoS the Sophos provides? I never got a reply on this thread. Additionally, when setting up this Sophos, the person helping deploy it said I should have checked the "Apply Flag" checkboxes under the DESTINATION section, not SOURCE (in my original screenshot of my test DoS settings). Thoughts?

  • I cannot comment on the pricing, i can only reference to the points, i already made in other subjects. DDOS attackes, which are caused by "Load" are hard to protect on a device level. 

    So if the provider is giving you a actual prevention of "to many packets will arrive your interface" thats a true DDOS prevention. Because the provider is the only part in this segment, which actually can deal with dynamic routing and multiple backend systems such attacks. 

    If a attack launches multiple zombies to flood your interface, the firewall cannot stop this at all. 

    So no matter what you do on the firewall level, a true attack on you as a company in case of "load" is not be able to stop on a firewall protect. It will overload the interface stack, which cannot deal with this at all. See bigger companies getting floaded by DDOS. 

    The question is: Did you already receive such a attack? What was the impact and the lost of your company. Did you had a recovery plan for this? (Second WAN to offload to other WAN ports etc.). 

    I would recommend to check your options and how likely such a attack is to happen and what this will eventually cost, if you WAN is down for 1 hour, 8 hours etc. Because likely bot nets are not there "forever". So a DDOS Attack will not occur for weeks. 

    And as a last part: SD-WAN in SFOS will be improved by latency and other techniques, which could actually see such attacks to happen on your main WAN Port and automatically failover to other WAN ports, which are not publicly known. So if you have a cheap backup WAN, which does not offer services, likely, this WAN interface is not known for the attack and could be used while they flood your primary interface. 

    __________________________________________________________________________________________________________________

Reply
  • I cannot comment on the pricing, i can only reference to the points, i already made in other subjects. DDOS attackes, which are caused by "Load" are hard to protect on a device level. 

    So if the provider is giving you a actual prevention of "to many packets will arrive your interface" thats a true DDOS prevention. Because the provider is the only part in this segment, which actually can deal with dynamic routing and multiple backend systems such attacks. 

    If a attack launches multiple zombies to flood your interface, the firewall cannot stop this at all. 

    So no matter what you do on the firewall level, a true attack on you as a company in case of "load" is not be able to stop on a firewall protect. It will overload the interface stack, which cannot deal with this at all. See bigger companies getting floaded by DDOS. 

    The question is: Did you already receive such a attack? What was the impact and the lost of your company. Did you had a recovery plan for this? (Second WAN to offload to other WAN ports etc.). 

    I would recommend to check your options and how likely such a attack is to happen and what this will eventually cost, if you WAN is down for 1 hour, 8 hours etc. Because likely bot nets are not there "forever". So a DDOS Attack will not occur for weeks. 

    And as a last part: SD-WAN in SFOS will be improved by latency and other techniques, which could actually see such attacks to happen on your main WAN Port and automatically failover to other WAN ports, which are not publicly known. So if you have a cheap backup WAN, which does not offer services, likely, this WAN interface is not known for the attack and could be used while they flood your primary interface. 

    __________________________________________________________________________________________________________________

Children
No Data