DDoS
Hello,
We seem to be the target of DDoS Attacks from time to time. Today we have had one circuit that has been flapping all day and the inbound traffic is high (almost maxed out) according to our WG. I have searched ddos in the traffic monitor and I am seeing the following:
2022-06-14 14:29:21 Member2 alarmd Loaded Alarm-Action element for ID: ddos_attack_src_dos
2022-06-14 14:29:21 Member2 alarmd Loaded Alarm-Action element for ID: ddos_attack_dest_dos
2022-06-14 14:29:21 Member2 alarmd Loaded Alarm-Action element for ID: DDOS-Attack-Src
2022-06-14 14:29:21 Member2 alarmd Loaded Alarm-Action element for ID: DDOS-Attack-Dest
We have ddos turned on but we still seem to see issues. Is there anything else we can do to mitigate the impacts of this? I would have thought the watchguard could drop the packets?
Comments
And the issues are?
If your incoming bandwidth is near maxed out, then there is nothing that you can do other than to talk to your ISP about it - to see if there is anything that they can do to block some of the DDOS packets at their end.
Are your connection counts substantially higher than normal?
If so, and if you can find out what packet type(s) are being sent for the DDoS attack and you allow that packet type through your firewall, then you can set a fairly short custom timeout on TCP policies which are allowing these packet types. The default TCP timeout is 60 mins.
Got it. Thanks!