This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Find source and destination of TCP and UDP DOS floods

I enabled DOS Protection and since then every minute sophos is droping some TCP traffic and sometimes UDP, I'm sure Im not getting attacked and just need to add a DOS bypass rule. My question is where in Sophos XG v18 can in find the Source and destination details of traffic that has been dropped because of the DOS protection. FYI, I've never used a firewall before and my first one is this so sorry it its a basic question. I can see logs and current activity and sure there must be some way to filter it to find this but not sure how. 



This thread was automatically locked due to age.
Parents
  • Hi  

    from Intrusion Prevention >> DoS Attacks

    DoS attack status allows you to see if traffic limits have been applied and the amount of data dropped after the limit has been exceeded. The firewall applies the traffic limits specified in DoS settings and logs the corresponding events. Data is available for the source and destination in real-time.

    • To view the attack details, click an attack type.
    • When you click on attack type, it will pop up a window and will provide flooder IP if the system detects it.

    For Configuration and in-depth details, I would recommend you to check the article - https://community.sophos.com/kb/en-us/123182

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hi Keyur,

    Thanks for the quick reply, that will definitely help with UDP.

    For TCP Flood i noticed that in your picture and also on my firewall that the hyperlink to view the details is not available. Is there anything for the TCP Flood side?

  • Hi  

    SYN/TCP Flood: A SYN flood is when a host sends a flood of TCP/SYN packets, often with a forged sender address. Every packet is handled like a connection request; this causes the server to spawn a half-open connection because it sends back a TCP/SYN-ACK packet (Acknowledge) and waits for a packet in response from the sender address (the response to the ACK Packet). However, as the sender's address is forged, the response never comes. These half-open connections occupy the number of available connections the server is able to make and keep it from responding to legitimate requests until after the attack ends.

    If any IP detects under flooding will be visible under SYN flood as TCP and SYN are part of the same mechanism, moreover, we do not recommend to apply TCP flood until it specifically required and directed by the support, I will try to collect further info on TCP flood tab and share with you if there is a different behavior.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Thanks Keyur, will disable the TCP flood for now and monitor the UDP with the method you mention, appreciate your help

Reply Children
  • Hi  

    Please reach out to us if you need further assistance. We will glad to assist you further.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Can i view more detailed information in the Logfiles? which logs would that be? i did not find anything about DoS yet.

  • You are able to see the drops live in drop packet capture.

    (drppkt on Advanced shell, or drop-packet-capture on console). 

    __________________________________________________________________________________________________________________

  • and if i want to see historic drops from a few day or hours ago?

  • Thats not possible in the historic way. At least in such detailed way. 

    __________________________________________________________________________________________________________________

  • Correct me if i am wrong but on UTM it used to be visible right?
    I would like to see ip src and dst as well as ports for troubleshooting and fine-tuning protection

  • Thats correct. 

    You could easily create such a report by yourself, if you need the data for some reasons. 

     

    use # drppkt | grep -i dos > /tmp/dos.log & 

    This will forward all traffic dropped by dos protection directly to the log. 

    Kill the command with ps | grep drppkt  --> kill -9 processID

     

     

    Personally i am not a big fan of DDOS Flood protection, as they cause more issues than actually stop anything. Most systems nowadays have protections against Flood attacks within the tcp/ip stack.

    __________________________________________________________________________________________________________________