Engine Editor > Advanced Settings > DoS Protection

Use this branch to configure protection that can help prevent Denial of Service (DoS) attacks.

Rate-Based DoS Protection Mode
Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks.
  • Disabled — DoS protection is not enabled.
  • Off (Can Be Overridden in Policy) — DoS protection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — DoS protection is enabled. You can override this setting in individual Access rules.

SYN Flood Sensitivity
When SYN flood protection is activated, the Secure SD-WAN Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.
  • Off — SYN flood protection is not enabled.
  • Low — Allows the most SYN-ACK timeouts before the Secure SD-WAN Engine starts requiring a full TCP handshake with the client before it communicates with a server.
  • Medium — Allows a medium number of SYN-ACK timeouts before the Secure SD-WAN Engine starts requiring a full TCP handshake with the client before it communicates with a server. This option is the default setting.
  • High — Allows the fewest SYN-ACK timeouts before the Secure SD-WAN Engine starts requiring a full TCP handshake with the client before it communicates with a server.

Limit for Half-Open TCP Connections (Optional)
Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, SYN flood protection is activated, and log data is generated.

Slow HTTP Request Sensitivity
The Secure SD-WAN Engine analyzes the data transfer rate and the length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the Secure SD-WAN Engine block lists the sender's IP address for a specified length of time.
  • Off — Slow HTTP Request Protection is not enabled.
  • Low — Allows the slowest data transfer rate before the block list timeout is applied. This option is the default setting.
  • Medium — Allows a moderately slow data transfer rate before the block list timeout is applied.
  • High — Tolerates the least slowdown in the data transfer rate before the block list timeout is applied.

Slow HTTP Request Block list Timeout
The length of time for block listing IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300).

TCP Reset Sensitivity
When enabled, the Secure SD-WAN Engine inspects the sequence numbers of TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules.
  • Off — TCP reset protection is not enabled. This option is the default setting.
  • Low — Allows the most TCP reset requests before the Secure SD-WAN Engine considers itself to be under attack.
  • Medium — Allows a medium number of TCP reset requests before the Secure SD-WAN Engine considers itself to be under attack.
  • High — Allows the fewest TCP reset requests before the Secure SD-WAN Engine considers itself to be under attack.
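The half-open limit and SYN proxy behaviour described above, as an added example that is not the product's own code: a Python model that counts half-open TCP connections per destination IP from constructed handshake events, validates the 125 to 100 000 range, and reports when the limit is exceeded. The event names, addresses and log text are assumptions made for the example.

```python
from collections import defaultdict

# Range the page gives for "Limit for Half-Open TCP Connections".
MIN_HALF_OPEN_LIMIT = 125
MAX_HALF_OPEN_LIMIT = 100_000


class HalfOpenTracker:
    """Counts half-open TCP connections per destination IP and records when the
    configured limit is exceeded (the point at which SYN flood protection is
    activated and log data is generated)."""

    def __init__(self, limit: int) -> None:
        if not MIN_HALF_OPEN_LIMIT <= limit <= MAX_HALF_OPEN_LIMIT:
            raise ValueError(f"limit must be between {MIN_HALF_OPEN_LIMIT} and {MAX_HALF_OPEN_LIMIT}")
        self.limit = limit
        # dst_ip -> set of (src_ip, src_port, dst_port) flows whose SYN was seen
        # but whose handshake has not completed or been abandoned yet
        self.half_open: dict[str, set[tuple[str, int, int]]] = defaultdict(set)
        self.protected: set[str] = set()   # destinations with SYN flood protection active
        self.events: list[str] = []        # log lines this model would emit

    def observe(self, kind: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        """Event kinds are assumed names: 'SYN' opens a half-open entry; 'ACK'
        (handshake completed), 'RST' or 'TIMEOUT' (SYN-ACK never answered) closes it."""
        flow = (src_ip, src_port, dst_port)
        if kind == "SYN":
            self.half_open[dst_ip].add(flow)
            if self.count(dst_ip) > self.limit and dst_ip not in self.protected:
                self.protected.add(dst_ip)
                self.events.append(f"SYN flood protection activated for {dst_ip}: "
                                   f"{self.count(dst_ip)} half-open connections exceed limit {self.limit}")
        elif kind in ("ACK", "RST", "TIMEOUT"):
            self.half_open[dst_ip].discard(flow)
        else:
            raise ValueError(f"unknown event kind {kind!r}")

    def count(self, dst_ip: str) -> int:
        return len(self.half_open[dst_ip])

    def is_protected(self, dst_ip: str) -> bool:
        return dst_ip in self.protected


def simulate(limit: int = MIN_HALF_OPEN_LIMIT) -> HalfOpenTracker:
    """Constructed sample: limit + 1 SYNs from distinct sources against one server,
    then one client completes its handshake. Addresses are made up."""
    tracker = HalfOpenTracker(limit)
    server = "203.0.113.10"
    for i in range(limit + 1):   # the last SYN pushes the count past the limit
        tracker.observe("SYN", f"198.51.100.{i % 250}", 40000 + i, server, 443)
    tracker.observe("ACK", "198.51.100.0", 40000, server, 443)   # one legitimate handshake completes
    return tracker
```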