Sophos Firewall - extremely poor bandwidth when DoS enabled

Hi,

please disable TCP setting and try again.

Ian

Thanks, that worked. But now I need to look up what that exactly is and whether it's needed....

Hi,

no, you don't need TCP DDOS for home use. I have mine permanently disabled along with most of the other items because my security cameras break the other items. Though I must try them again after the last IPS update.

Ian

Good to know. My setup is only temporary. I have Unifi equipment for home use but I'm testing this Sophos router so I know how to configure basic firewall and NAT settings, IPS, DoS, and a site-to-site VPN to an AWS VPC. We also plan on using the WAF feature but I don't have the resources at home to test that -- no biggie. I also want to set up VPN but need to look up which is the best way to do it in 2021 (I'm guessing SSL VPN ??). I know PPTP is out of the question. We will be using the Sophos Firewall at our data center for production use in the coming months. I just wish I could have more than a measly 30-day eval on this thing. Seems way too little. Really appreciate your time, I believe you were also helping me with the NIC compatibility recently  So, when we have this in production mode at our data center (for business use), will we also need to disable TCP settings?

Hi,

that question I cannot answer, you would need to ask your reseller or even one of the Sophos forum support team might chime in.

There are settings that can be fine tuned if you find you need the TCP DDOS function.

There is always the options of a home user licence for what you are experimenting with, though that will require a rebuild.

Ian

Thanks. Do you know of any settings to fine tune the three existing settings I have enabled? (SYN flood, UDP flood, and ICMP/ICMPv6 flood). I ended up disabling all DoS settings since I could easily notice lag/latency. Google maps for example, when I zoom in/out, it takes seconds to refresh vs instant like usual. Same with random websites. I'll notice some images don't load and I have to refresh once or twice. When I turn off those three settings, everything is snappy again. I can't imagine this behavior being acceptable in a production biz environment. In Control Center --> CPU & Memory, my "CPU" hasn't gone above 3% since I installed the firewall, and "Memory" is at a steady 50%, so I can't imagine it's hardware related. 

Why do you want to enable DOS in the first place? 

Personally i am not a fan of this settings. Most OS (if not all) can handle such attacks easily in the stacks. Nobody is attacking you with flood attacks nowadays (from a single client). They launch there bot net and therefore the flood protection cannot stop them. 

I am expecting no benefits of DOS protection on a single client level on a firewall nowadays. The reason is, if the want to bring you down, they are doing this anyway. A client on WAN can do this with this settings or without. They pump the connection with packets, which the firewall cannot stop as the packets are incoming. 

Thanks for your input, @Lucar Toni. The answer is because a potential client, a very well known global name brand, has provided us with a vendor assessment questionnaire... a very looooong and detailed questionnaire. One of the questions was "Does your organization utilize a product or service to prevent DoS/DDoS attacks?". We answered no, because we do not.

Months prior to this questionnaire, we were offered (solicited) a firewall upgrade from our hosted data center but declined. After the questionnaire, I remembered some of the features the Sophos firewall boasted, so we went back to the data center and opted in for it. You mentioned "a single client" twice -- are you referring to my computer? I know no one is attacking me, being one lone anonymous 'puter user on a residential IP. Not sure if you read the part where I'm just testing this out so I'm familiar with the configuration/GUI when we deploy this at our data center with 25+ servers behind the Sophos.

So are you saying the DoS stuff is useless / fruitless? Do other successful businesses not use DoS services anymore, or do they use a dedicated service/appliance just for DoS? Is this DoS feature on the Sophos firewall just so it can be listed as another feature, making the feature list longer and more appealing, when in fact it is just there for looks? Is it as about as useful as the WINS section in my DHCP configuration? Please excuse my ignorance, I just don't know enough about it and I'm confused by your answer basically asking me why I want to use a listed feature on the firewall in the first place.

More reasons I'm using the Sophos firewall are the boasted IPS and WAF features -- two more questions that were in the vendor assessment questionnaire we had to say "no" to. We are also planning on having ~12 servers with Sophos Central Intercept X Advanced for Server with EDR "talking" to the Sophos Firewall, and also utilizing the VPN feature with about ~25 clients connected daily. I am hoping the Sophos Firewall can handle this...

Check for the current state of attacks. DOS and DDOS are different things. DOS is most likely to attack a service to kill it / shut it down, by using vulnerabilities (like a known bug in the TCP/IP Stack etc.). DDOS is most likely the same kind of approach, just from different clients at the same time. DDOS is likely to be known by botnets, which attack a machine and bringing it down by using the pure power of load to the system. But DOS is more likely sending "one packet, which kills the service". You can read about the differences on wikipedia: https://en.wikipedia.org/wiki/Denial-of-service_attack

Now lets look at those approaches: The XG (or any kind of firewall product) could start to protect against DDOS. But The load will come to the firewall anyway. Think about 1000 clients, bombing you with requests at the same time. The firewall can start to block them, but they still arrive on the interface. 

Most customer of bigger or smaller scale use the ISP to protect against such DDOS attacks. Because the ISP on there backbone can actually detect and stop such requests in a quicker way. You maybe heard about services, getting bombed by those attacks but cannot keep the service up. This is because it is very complicated to protect against such bot net attacks. 

The DOS protection against a single host works as expected but such attacks are rare and not viable for a attacker. They know, most products block this anyway and they know, they can maybe not generate enough traffic to bring the service down. Therefore they rent cheap botnets for some hours and bomb those ISP connections. 

The firewall with IPS and other techniques is fighting the other DOS techniques, you find on wikipedia. Just the load part is hard to deal with. You can configure DOS, but my point is, it is hard to find the correct number, you have to use, while not interrupting with your work load. That is one reason, most customer actually do not use this kind of protection anymore.  See Wikipedia as well on the blocking part. 

Maybe just another addition: Most customer should know there expected numbers of DDOS Protection. But they likely have no real insights, which makes this option hard to deal with. If you experience issues with the pre definied numbers, increase them until you do not see any issues anymore and get the approval from the customer.