
Find source and destination of TCP and UDP DOS floods

I enabled DOS Protection and since then every minute Sophos is dropping some TCP traffic and sometimes UDP. I'm sure I'm not getting attacked and just need to add a DOS bypass rule. My question is: where in Sophos XG v18 can I find the source and destination details of traffic that has been dropped because of the DOS protection? FYI, I've never used a firewall before and my first one is this, so sorry if it's a basic question. I can see logs and current activity and am sure there must be some way to filter it to find this, but I'm not sure how.



  • And if I want to see historic drops from a few days or hours ago?

  • That's not possible in the historic way, at least not in such a detailed way.


  • Correct me if I am wrong, but on UTM it used to be visible, right?
    I would like to see IP src and dst as well as ports for troubleshooting and fine-tuning protection.

  • That's correct.

    You could easily create such a report by yourself, if you need the data for some reason.


    Use: # drppkt | grep -i dos > /tmp/dos.log &

    This will forward all traffic dropped by dos protection directly to the log. 

    Kill the command with: ps | grep drppkt --> kill -9 <processID>


    Personally, I am not a big fan of DDoS flood protection, as it causes more issues than it actually stops. Most systems nowadays have protection against flood attacks within the TCP/IP stack.

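    The capture the reply above describes, carried one step further, as an added example that is not part of the thread and not Sophos code: it runs the drppkt | grep pipeline for a fixed number of seconds instead of leaving it in the background (so there is no PID to hunt down with ps and kill -9), and then summarises which source/destination pairs were dropped, which answers the "IP src and dst as well as ports" question. It assumes that drppkt (the tool named in the reply) prints one line per dropped packet with the source address before the destination one; the thread does not document the exact line layout, so the parser keys only on the first two IPv4[:port] tokens per line. The sample log lines are constructed, in an assumed layout, purely so the summary can be tried offline; mktemp is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): bounded capture of
# DoS-dropped packets plus a per-(src, dst) summary of the resulting log.
#
# ASSUMPTIONS: drppkt prints one line per dropped packet and lists the source
# address before the destination one. The exact line layout is undocumented
# in the thread, so the parser only relies on the first two IPv4[:port]
# tokens it finds on each line.

# capture_dos_drops SECONDS FILE
# Writes DoS-related drop lines to FILE for SECONDS seconds, then stops the
# pipeline. Replaces "ps | grep drppkt" followed by "kill -9 <pid>".
capture_dos_drops() {
    drppkt | grep -i dos > "$2" &
    pid=$!                      # PID of grep, the last command in the pipeline
    sleep "$1"
    kill "$pid" 2>/dev/null || true   # drppkt exits on its next write (SIGPIPE)
}

# summarize_dos_log FILE
# Prints "COUNT SRC DST", most frequent pair first. Lines that do not carry
# two addresses (banners, partial lines) are ignored rather than miscounted.
summarize_dos_log() {
    awk '
    {
        line = $0; n = 0; src = ""; dst = ""
        while (n < 2 && match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?/)) {
            tok  = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            n++
            if (n == 1) src = tok; else dst = tok
        }
        if (n == 2) count[src " " dst]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# write_sample_log FILE
# Constructed sample lines in an assumed layout (not real drppkt output), so
# the summary can be exercised without a firewall at hand.
write_sample_log() {
    cat > "$1" <<'EOF'
DOS drop TCP 192.0.2.10:51234 -> 198.51.100.5:443 (SYN flood)
DOS drop TCP 192.0.2.10:51234 -> 198.51.100.5:443 (SYN flood)
DOS drop UDP 192.0.2.77:40000 -> 198.51.100.9:53
DOS drop TCP 192.0.2.10:51234 -> 198.51.100.5:443 (SYN flood)
drppkt: waiting for dos-dropped packets
EOF
}

# On the firewall shell (needs drppkt, so not part of the offline demo):
#   capture_dos_drops 60 /tmp/dos.log && summarize_dos_log /tmp/dos.log
# Offline demo on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    summarize_dos_log "$tmp"
    rm -f "$tmp"
fi
```

    The summary is what you would compare against your DoS bypass rule: a pair that shows up with a high count from an address you recognise (a monitoring host, a mail relay, a busy NAT gateway) is a candidate for the bypass; an unfamiliar source with many destinations is the case where leaving the flood protection in place is the right call.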