NGFW. Part 3 - Demonstrating DDoS Protection

    Distributed denial of service (DDoS) attacks remain at the top of the threat rankings. DDoS attacks on commercial organizations have proved effective both at disrupting the business and at drawing public attention to the target company. For example, using massive botnets built from compromised computers, attackers have launched a number of widely publicized and highly destructive DDoS attacks against US banks.

    The following is an example of using the HP NGFW to protect against a denial of service attack launched from malware-infected computers. To test this firewall feature, a test bed was assembled, as shown in the figure below.

    Test bed layout

    The test bed consists of three main parts:

    1. A VMware-based virtual environment simulating a local area network and data center (on the left in the diagram)
    2. The HP NGFW firewall
    3. A virtual environment simulating an Internet segment (on the right in the diagram)

    The virtual environment simulating the local network is a set of virtual machines deployed on a Windows-based workstation. To simulate malware activity, a test agent capable of generating DDoS traffic is installed on some of the virtual machines.

    The firewall is installed inline between the Internet segment and the local network; in this test bed it acts as a Layer 3 device that routes traffic between the segments. The basic firewall rules and settings are shown in the diagram above.

    The virtual environment simulating the Internet segment is a set of Linux-based virtual machines with specialized software installed, including the Apache web server, the MySQL database server, the PHP 5 interpreter, the Nessus security scanner and the nmap network scanner.

    Basic Firewall Configuration

    Below are the basic NGFW settings corresponding to the test bed layout shown in Figure 3. All settings are shown in the NGFW's own web interface. Figure 4 shows the IP settings of the firewall interfaces, matching the diagram above.


    IP Interface Settings

    The security zone settings are shown below. For simplicity, three security zones are configured on the test bed: Inside, Outside and VPN.


    Security Zone Settings

    Figure 6 shows the basic Destination NAT settings. Several internal addresses of virtual machines running various network services (HTTP/HTTPS, FTP, etc.) are published to the outside.


    Destination NAT Settings

    Below are the basic Source NAT settings. Several virtual machine addresses are translated to external addresses so that the hosts emulating malware-infected machines can reach the emulated services on the Internet segment.


    Source NAT

    The basic FW Policy settings according to which traffic is processed are shown in Figure 8. To check how the default IPS policy works, all traffic is passed transparently through the basic static firewall filters.


    FW Policy

    Basic intrusion prevention system (IPS) settings. All recommended IPS filter categories are enabled for this test.


    Basic IPS settings

    Threshold settings for DDoS attacks. The IPS response threshold for a SYN flood DDoS attack is set to 100 packets per second.


    IPS DDoS

    We emulate the attack according to the classic scheme given in part 2 of the series and try to defend against it using the NGFW. Note that in a real DDoS attack, filtering by port or address alone is ineffective, because the infected machines are, as a rule, scattered across the network and have random addresses. Therefore we pass all traffic through the IPS and, as shown above, configure the DDoS protection rule in the IPS:

    1. To confirm that it is the IPS doing the work, first disable the NGFW rule that blocks traffic from the source host of the network attack:

    2. Start the DDoS attack and look at the Wireshark capture: a classic DoS attack from the infected virtual machine agent is visible:

    3. Enable the NGFW IPS rule that blocks traffic from the host the attack is coming from:

    4. Check the Wireshark capture again and confirm that the DoS attack has stopped:

    5. Look at the NGFW logs and note that the attack has been detected and traffic from the attacking host has been blocked:
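    The threshold rule shown in the IPS screenshots (100 SYN packets per second, then block the source) and the rule-off/rule-on steps of the procedure above can be modelled in a few lines. The following is an added example written for this article, not code from the original post and not HP's implementation of the NGFW rule. It assumes that bare SYNs are counted per source address over a one-second sliding window, that a source exceeding the threshold is blocked until the detector is reset, and it uses a constructed packet trace with documentation-range addresses (198.51.100.7 as the infected agent, 192.0.2.10 and 192.0.2.20 as legitimate hosts, 203.0.113.5 as the target); all of these are assumptions.

```python
"""
Threshold-based SYN flood detection modelled on the IPS DDoS rule used on the
test bed (100 SYN/s per source, then block).  Added example: this is not HP NGFW
code and does not reproduce the vendor's actual algorithm.  Assumptions: bare
SYNs are counted per source over a 1 s sliding window, and a source that exceeds
the threshold stays blocked for the rest of the run.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    ts: float    # capture timestamp in seconds
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination TCP port
    flags: int   # TCP flag bits


class SynFloodDetector:
    """Per-source SYN rate check: alert above the threshold, block if enforcing."""

    def __init__(self, threshold_pps: int = 100, window_s: float = 1.0,
                 enforce: bool = True):
        self.threshold = threshold_pps
        self.window = window_s
        self.enforce = enforce                   # False = monitor only (step 1 above)
        self._syn_times = defaultdict(deque)     # src -> SYN timestamps in the window
        self._alerted = set()                    # sources already reported once
        self.blocked = set()
        self.alerts = []                         # (ts, src, syns_in_window)

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet: 'pass' or 'drop'."""
        if pkt.src in self.blocked:
            return "drop"
        # Only handshake openers count; SYN/ACK, ACK and data packets do not.
        if pkt.flags & SYN and not pkt.flags & ACK:
            q = self._syn_times[pkt.src]
            q.append(pkt.ts)
            while q and pkt.ts - q[0] > self.window:   # slide the window forward
                q.popleft()
            if len(q) > self.threshold and pkt.src not in self._alerted:
                self._alerted.add(pkt.src)
                self.alerts.append((pkt.ts, pkt.src, len(q)))
                if self.enforce:
                    self.blocked.add(pkt.src)
                    return "drop"
        return "pass"


# Constructed sample capture (documentation-range addresses, not real hosts).
TARGET = "203.0.113.5"
ATTACKER = "198.51.100.7"   # infected VM running the DDoS agent: 500 SYN/s
CLIENT = "192.0.2.10"       # ordinary client: 20 full handshakes in one second
PROXY = "192.0.2.20"        # busy but legitimate host: exactly 100 SYN/s


def sample_trace() -> list:
    pkts = []
    for i in range(500):                       # SYN flood, 2 ms apart
        pkts.append(Packet(i / 500, ATTACKER, TARGET, 80, SYN))
    for j in range(20):                        # normal handshakes: SYN then ACK
        pkts.append(Packet(j / 20, CLIENT, TARGET, 80, SYN))
        pkts.append(Packet(j / 20 + 0.01, CLIENT, TARGET, 80, ACK))
    for k in range(100):                       # sits exactly at the threshold
        pkts.append(Packet(k / 100, PROXY, TARGET, 80, SYN))
    return sorted(pkts, key=lambda p: p.ts)


def run_scenario(enforce: bool) -> dict:
    """Feed the trace through the detector and summarise verdicts and alerts."""
    det = SynFloodDetector(threshold_pps=100, window_s=1.0, enforce=enforce)
    verdicts = Counter(det.process(p) for p in sample_trace())
    return {"pass": verdicts["pass"], "drop": verdicts["drop"],
            "blocked": sorted(det.blocked), "alerts": det.alerts}


if __name__ == "__main__":
    print("IPS rule disabled (monitor):", run_scenario(enforce=False))
    print("IPS rule enabled (block):   ", run_scenario(enforce=True))
```

    The monitor-only run corresponds to step 1 (rule off): the alert is raised but every packet of the flood still passes, which is what the Wireshark capture shows. The enforcing run corresponds to steps 3 to 5: the first 100 SYNs get through, the 101st trips the threshold, and the remaining 400 are dropped while the legitimate hosts are untouched. Two practical points follow from the model: a host sending exactly 100 SYN/s is not blocked, so the threshold has to be chosen against the real connection rate of the busiest legitimate client; and because the count is per source, a distributed attack in which each bot stays under the threshold is not caught by this rule alone, which is the limitation the paragraph before the procedure points at.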



    This example shows how classic DDoS attacks are detected and stopped using the rules preconfigured in the NGFW intrusion prevention system. In conclusion, the NGFW's ability to repel such threats is not limited to the built-in rules (although enough of them ship with the NGFW to cover most network threats). The NGFW also lets you write your own rules and apply them in policies, which allows a flexible response to evolving information security threats. But more about that next time.
