CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: How do you tell if there is a DOS attack on Firewall

  1. #1

    How do you tell if there is a DOS attack on Firewall

    Hi All

    In a nutshell, what are the best stats to look at on the firewall if you are receiving some sort of DOS attack, such as syn floods etc?

    Would you see an excessive number of new connections? What things would you normally look at?


  2. #2
    DFW, TX

    Re: How do you tell if there is a DOS attack on Firewall

    There are a few different kinds of attacks: volumetric, where all of the time slots on a given link are consumed by junk traffic; boring attacks such as SYN floods which take advantage of foundational protocol issues; and interesting attacks, which take advantage of software bugs to, e.g., crash the daemon handling a given connection.

    Volumetric attacks show as transfer rates hitting the limitations of your interfaces. You can calculate this with output from ifconfig, or you can use a tool like cpview (Network.Interfaces.Traffic) to do it for you.

    Boring attacks tend to hit the connections table. SYN floods from spoofed sources leave large numbers of half-open connections in the firewall's table, and potentially in the tables of the internal device (server or load balancer) which hosts the service. If you have dynamic connections table sizing, that generally isn't a problem, and the limit becomes the RAM. A DoS would still show as a large volume of connections. You can view this with 'fw tab -t connections -s' on normal firewalls or 'vsx stat -l' on VSX firewalls.

    More interesting attacks may hit IPS, which would drive up processor usage. cpview could help you see this, and if the "Bypass Under Load" functionality is enabled, the firewall logs when it is tripped. Interesting attacks which the firewall doesn't catch (for example, over HTTPS when you don't have HTTPS inspection; IPS can't see these) would not show up as anything abnormal on the firewall because it isn't the part of the infrastructure which is tipping over.

    I generally dump the logs using SmartLog, then process them with a script I wrote. This script finds the columns I care about (SmartLog exports them in a semi-random order each time, so I can't rely on column number between files), and brings just the data from those columns into a new table. I then analyze the data to build a few graphs showing things like connection rate over time. This helps prove volumetric and boring attacks.
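The log-processing approach described in the reply above (locate the wanted columns by header name because the export order varies, pull just those columns into a new table, then compute connection rate over time) can be illustrated with the following Python script. This is an added example, not the poster's script and not Check Point code: the field names `Time`, `Source`, `Destination`, `Service` and `Action`, the CSV layout and the sample rows are all constructed assumptions standing in for a real SmartLog export. The burst detector flags any one-minute bucket whose accepted-connection count exceeds a multiple of the median rate across the window, and also reports the number of distinct sources per bucket, since a spike in both is what a spoofed-source flood looks like in the log.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# --- Constructed sample data (NOT a real SmartLog export) -------------------
# Field names are assumptions. The two "exports" carry the same fields in a
# different column order, mimicking the behaviour described in the post.
FIELDS = ["Time", "Source", "Destination", "Service", "Action"]
EPOCH = datetime(1970, 1, 1)


def _rows(start, per_minute, minutes, first_host):
    """Generate accepted-connection rows: `per_minute` rows for each minute."""
    out = []
    for m in range(minutes):
        for i in range(per_minute):
            t = start + timedelta(minutes=m, seconds=i % 60)
            src = f"198.51.100.{(first_host + i) % 254 + 1}"   # documentation range
            out.append({"Time": t.strftime("%Y-%m-%d %H:%M:%S"), "Source": src,
                        "Destination": "192.0.2.10", "Service": "https",
                        "Action": "Accept"})
    return out


def build_export(header, rows):
    """Serialise rows as CSV using the given (arbitrary) column order."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    for r in rows:
        writer.writerow([r[h] for h in header])
    return buf.getvalue()


T0 = datetime(2019, 3, 1, 10, 0, 0)
# 10:00-10:04, a quiet baseline of 3 connections/min from 3 hosts
EXPORT_A = build_export(["Action", "Time", "Source", "Destination", "Service"],
                        _rows(T0, 3, 5, 1))
# 10:05, a burst of 60 connections/min from 60 distinct sources
EXPORT_B = build_export(["Source", "Service", "Destination", "Action", "Time"],
                        _rows(T0 + timedelta(minutes=5), 60, 1, 50))


# --- Analysis ---------------------------------------------------------------
def locate_columns(header, wanted):
    """Map wanted field names to their index in this file's header row."""
    pos = {name.strip(): i for i, name in enumerate(header)}
    missing = [w for w in wanted if w not in pos]
    if missing:
        raise KeyError(f"export is missing columns: {missing}")
    return {w: pos[w] for w in wanted}


def parse_export(text, wanted=FIELDS):
    """Read one CSV export, keeping only the wanted columns, by name not position."""
    reader = csv.reader(io.StringIO(text))
    cols = locate_columns(next(reader), wanted)
    return [{w: row[i] for w, i in cols.items()} for row in reader if row]


def connection_rate(rows, bucket_seconds=60):
    """Count accepted connections per time bucket and collect distinct sources."""
    counts, sources = Counter(), defaultdict(set)
    for r in rows:
        if r["Action"] != "Accept":
            continue
        t = datetime.strptime(r["Time"], "%Y-%m-%d %H:%M:%S")
        secs = int((t - EPOCH).total_seconds())
        bucket = EPOCH + timedelta(seconds=secs - secs % bucket_seconds)
        counts[bucket] += 1
        sources[bucket].add(r["Source"])
    return counts, sources


def flag_bursts(counts, factor=5.0):
    """Buckets whose connection count exceeds `factor` x the median bucket count."""
    if not counts:
        return []
    base = median(counts.values())
    return sorted(b for b, n in counts.items() if n > factor * base)


def analyse(*exports, bucket_seconds=60, factor=5.0):
    """Merge several exports (any column order) into one rate table plus burst list."""
    rows = [r for e in exports for r in parse_export(e)]
    counts, sources = connection_rate(rows, bucket_seconds)
    return {
        "buckets": {b.strftime("%H:%M"): (n, len(sources[b]))
                    for b, n in sorted(counts.items())},
        "bursts": [b.strftime("%H:%M") for b in flag_bursts(counts, factor)],
    }


if __name__ == "__main__":
    result = analyse(EXPORT_A, EXPORT_B)
    for bucket, (n, distinct) in result["buckets"].items():
        print(f"{bucket}  connections={n:4d}  distinct_sources={distinct:4d}")
    print("bursts:", result["bursts"])
```

On the constructed data the 10:05 bucket is the only one flagged (60 connections from 60 sources against a median of 3). On a real export the same table is what you would plot as connection rate over time; the median-based threshold is a simple baseline and should be tuned to the site's normal traffic rather than taken as-is.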
