CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Firewall rate-limiting and penalty box experiences

  1. #1 (Join Date: 2008-04-23, Location: Germany, Posts: 21, Rep Power: 0)

    Firewall rate-limiting and penalty box experiences

    I'm running an active/passive cluster of 2 Gaia R77.20 nodes with Performance Pack and found these rather new and apparently not very widespread features for coping with (D)DoS attacks.

    One is the rate-limiting feature described here:
    https://sc1.checkpoint.com/documents...dmin/96330.htm

    Another one is the "sim erdos" aka penalty box feature described here:
    https://supportcenter.checkpoint.com...tionid=sk74520

    Can anyone share their opinions and real-world experiences of using these features? The following document also provides some good general background info on these and other features:
    http://downloads.checkpoint.com/dc/d...d.htm?ID=35013


    I'm especially interested in the rate-limiting thing. A few weeks ago we had a short DDoS on one of our webservers, which was flooded with connections/requests from 50-100 IPs (not a bandwidth-based DoS), resulting in the webserver reaching its maximum Apache process count and being unable to serve any requests. I saw a large number of connections to the webserver IP and resorted to manually blocking a couple of IPs with an extraordinarily high number of open connections, which in the end was not very effective (we don't have IPS enabled, btw; IPS is provided by other systems). It seems a per-IP (new) connection limit rule would have helped us out there tremendously.

    And no, at this stage I'm not interested in buying a dedicated DDoS protection appliance from Check Point.


    Besides these two, there are also the optimized drops and accelerated NAT features, which seem like an easy "enable and forget" function. Is this true, and do they work well with the above features too? I just can't help but wonder why Check Point hasn't enabled this by default if it seems so basic:
    https://supportcenter.checkpoint.com...tionid=sk90861
    https://supportcenter.checkpoint.com...tionid=sk71200

    We NAT a lot, but since my gateways aren't really under any heavy load, this isn't too useful at the moment. Though this might come in handy at some point later, so I'm interested in whether anyone is using this and what their experience is.
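To make the two mechanisms discussed in this thread concrete, here is an added simulation (not Check Point code, and not posted by anyone in the thread) of a per-source new-connection rate limit combined with a penalty box: a source that exceeds the limit within a sliding window is dropped outright for a penalty period, so its later connection attempts never reach the rulebase. The threshold, window and penalty values, the sample IPs and the traffic pattern are all constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the thread): 20 new connections per source
# in a 10 s sliding window, then 60 s in the penalty box.
RATE_LIMIT = 20
WINDOW_SECONDS = 10
PENALTY_SECONDS = 60

class PenaltyBoxLimiter:
    def __init__(self, rate_limit=RATE_LIMIT, window=WINDOW_SECONDS, penalty=PENALTY_SECONDS):
        self.rate_limit = rate_limit
        self.window = window
        self.penalty = penalty
        self.history = defaultdict(deque)  # src -> timestamps of recent new connections
        self.boxed_until = {}              # src -> time at which the penalty expires

    def new_connection(self, ts, src):
        """Return 'accept' or 'drop' for a new connection from src at time ts."""
        until = self.boxed_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"  # still in the penalty box: dropped before the rulebase
            del self.boxed_until[src]  # penalty expired: start with a clean window
            self.history[src].clear()
        q = self.history[src]
        while q and ts - q[0] >= self.window:
            q.popleft()  # forget connections that fell out of the sliding window
        q.append(ts)
        if len(q) > self.rate_limit:
            self.boxed_until[src] = ts + self.penalty
            return "drop"
        return "accept"

def simulate(events, limiter=None):
    """Feed (ts, src) events to the limiter; return per-source verdict counts and the limiter."""
    limiter = limiter or PenaltyBoxLimiter()
    counts = defaultdict(lambda: {"accept": 0, "drop": 0})
    for ts, src in sorted(events):
        counts[src][limiter.new_connection(ts, src)] += 1
    return dict(counts), limiter

# Constructed traffic: one source opens 100 connections in 5 s (an application-level
# flood like the one in the thread), a normal client opens one connection per second.
FLOOD = [(i * 0.05, "198.51.100.7") for i in range(100)]
NORMAL = [(float(i), "203.0.113.5") for i in range(30)]
EVENTS = FLOOD + NORMAL

if __name__ == "__main__":
    for src, c in simulate(EVENTS)[0].items():
        print(f"{src}: accepted {c['accept']}, dropped {c['drop']}")
```

The flooding source gets its first 20 connections through and is then boxed for the remaining 80, while the well-behaved client is never affected; the window bound is what keeps a slow, legitimate client out of the box.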

  2. #2 (Join Date: 2015-02-28, Posts: 1, Rep Power: 0)

    Re: Firewall rate-limiting and penalty box experiences

    We have been using the penalty box with an R77.10 cluster. This was done after our cluster hit 100% CPU when someone decided to DDoS us with udp/80 to one of our public IP addresses. All the traffic went through 600+ rules to the last drop rule.

    Before enabling the penalty box we tried the drop templates recommended by Check Point. Our tests showed that UDP flooding would still hit 100% CPU easily. After enabling the penalty box, the CPU utilisation was normal while still hitting the firewall with a UDP flood.

    Now we are running R77.30 and penalty box logging is enabled, but I can't find documentation on where it should log the hosts in the penalty box.

  3. #3 (Join Date: 2006-03-19, Location: Northern Ohio, Posts: 1,386, Rep Power: 15)

    Re: Firewall rate-limiting and penalty box experiences

    This is where a real web app firewall can make a difference. Controlling application DoS issues is trivial. I would never buy a DDoS appliance because there's no way it can handle a traffic flood unless you have far more bandwidth than most companies. That type of attack needs to be mitigated by a third party or the ISP.
