4 Replies Latest reply on Dec 7, 2016 5:01 AM by d_aloy

    Enable DOS Blocking after sensor DOS profiles changed to Detection




      I wonder, what is the good practice that we should implement for DOS attacks once the sensor DOS profiles have learned the traffic and begun Detection mode?

      Does anybody begin to enable DOS blocking on the "DOS Learning Attack" category in the IPS policy in Detection mode?

      So far, is the baseline traffic learned by the sensor accurate enough for you to begin DOS blocking?


      Thank you.

        • 1. Re: Enable DOS Blocking after sensor DOS profiles changed to Detection

          Hi Dotax,


          It seems like you have a freshly installed sensor. You should start DoS learning before detecting the traffic. As far as I know, there is no way to prevent DoS attacks from the baseline traffic learned by the sensor. Even if you enable DoS prevention in the inspection options policy, the sensor does not prevent DoS attacks because it does not have any DoS profiles. It is a good practice to build a DoS Learning profile and start detecting DoS attacks when the learning is finished.


          • 2. Re: Enable DOS Blocking after sensor DOS profiles changed to Detection

            Hi Cem,


            I wonder, once the learning is finished and the DoS profiles are built, is it safe to start allowing DOS blocking on the "Dos Learning" category signatures? Did you face any false positives upon enabling blocking on these signatures?

            • 3. Re: Enable DOS Blocking after sensor DOS profiles changed to Detection

              Hi Dotax,


              We have not faced any critical issues, but you should consider your traffic behavior well before starting the learning. Try not to start it when you are having a low volume of traffic (weekends, public holidays, etc.). Otherwise it can cause false positives or missed detections.


              Best Regards,

              • 4. Re: Enable DOS Blocking after sensor DOS profiles changed to Detection

                Hi Dotax,


                It really depends on the traffic you are scanning. If you are inspecting a network that will constantly show the same level of traffic, the same protocols, etc. (basically a static network), then you should be able to use the DoS learning feature without too many worries. I would suggest that once the sensor has completed the 48h learning period, you set the DoS sensitivity to low and check for any unexpected DoS alerts (you could see alerts generated when backup traffic traverses the network, for example). If all is good, you can adjust the sensitivity to medium or high, depending on your needs. Also remember you can have alert only or alert and block, so you can really spend some time 'learning' how your network behaves before going into blocking mode.


                The other scenario is where you have an ever-changing network. If your business is e-commerce, for example, you may see traffic spikes during certain periods of time (think Xmas, Black Friday, etc.). The IPS sensors will keep learning and building the DoS profiles, even if they are in detection mode, so they can adapt to different traffic patterns or traffic spikes. However, it will really depend on the difference between the short-term and long-term profiles, and this will be ruled by how much more traffic you have during peak periods. I have seen the sensors working just fine on e-commerce/retail networks, even with increased network usage during peak periods.


                If in your case the traffic patterns differ so much that they trigger the DoS Learning alerts, you could set the sensor into learning mode during the peak period, or another option here would be not to use the DoS learning signatures and instead work with connection limiting policies or DoS Threshold alerts to manage potential DoS attacks.


                In the end, it will really depend on the traffic you are scanning and how you want to use the feature, and whether you want to block or not. A reasonable approach could be to build the DoS Learning profiles but only set the DoS learning feature into blocking mode when there is a confirmed DoS attack. You would have continuous visibility and detection when not in blocking mode, but you know you have 'up-to-date' profiles ready to be set into blocking mode to protect your assets if needed.


                Hope this helps.
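The short-term versus long-term profile comparison described in the reply above, as an added illustration that is not part of this thread and not McAfee NSP's actual algorithm: a constructed model that learns a long-term baseline over a 48-interval window, then compares the recent short-term mean against it using made-up sensitivity ratios, in alert-only or blocking mode. The sample rates, window sizes and thresholds are all assumptions; it only shows why a low sensitivity lets a nightly backup pass while still catching a flood, and why anomalous intervals should not be folded into the baseline.

```python
"""Simplified model of an IPS DoS learning baseline: a long-term profile
is built during a learning period, then the short-term rate is compared
against it.  Constructed illustration, not McAfee NSP's actual algorithm."""
from collections import deque
from statistics import mean

# Sensitivity -> how far the short-term mean may exceed the long-term mean
# before the sensor reacts.  Constructed thresholds, not product values.
SENSITIVITY_RATIO = {"low": 3.0, "medium": 2.0, "high": 1.5}


class DosLearningProfile:
    def __init__(self, long_window, short_window, sensitivity="low", blocking=False):
        self.long = deque(maxlen=long_window)    # long-term baseline
        self.short = deque(maxlen=short_window)  # recent traffic only
        self.threshold = SENSITIVITY_RATIO[sensitivity]
        self.blocking = blocking

    def observe(self, rate):
        """Feed one interval's packet rate; return the sensor's verdict."""
        self.short.append(rate)
        if len(self.long) < self.long.maxlen:
            self.long.append(rate)           # still learning the baseline
            return "learning"
        ratio = mean(self.short) / mean(self.long)
        if ratio > self.threshold:
            # Anomalous intervals are NOT folded into the long-term profile;
            # otherwise a sustained flood would teach the sensor that the
            # flood is normal.
            return "block" if self.blocking else "alert"
        self.long.append(rate)               # benign traffic keeps refining the profile
        return "ok"


# Constructed SYN/s samples, one per hour: 48 h of steady traffic (the
# learning period), a 3 h nightly backup at 2x, then a 3 h flood at 10x.
SAMPLES = [100] * 48 + [200] * 3 + [1000] * 3


def replay(samples, sensitivity="low", blocking=False):
    """Run the samples through a fresh profile and return one verdict each."""
    profile = DosLearningProfile(48, 3, sensitivity, blocking)
    return [profile.observe(r) for r in samples]


if __name__ == "__main__":
    for level in SENSITIVITY_RATIO:
        print(level, replay(SAMPLES, level)[48:])
```

At "low" and "medium" sensitivity the backup window passes and only the flood alerts; at "high" the backup itself raises alerts, which is the kind of unexpected alert the reply suggests checking for before raising sensitivity.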