Firewall Policy Denial of Service (DoS)

About this task

A Denial of Service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. Although the means of carrying out a DoS attack vary, it generally consists of a concerted effort by one or more persons to prevent a device, site or service from functioning, temporarily or indefinitely.

Most DoS attacks involve saturating the target device with external communication requests so that it cannot respond to legitimate traffic, or responds so slowly that the device is effectively unavailable relative to its rated throughput. DoS attacks work either by forcing the targeted device to reset or by consuming the device's resources (CPU, memory, connection table, bandwidth) until it can no longer provide service.

To define a denial of service configuration for a Firewall policy:

Procedure

  1. Go to Policies > Firewall > Firewall Policy > DoS.
  2. The Settings dashboard lists all of the DoS attacks for which the wireless controller's firewall has filters.
    Each DoS filter contains the following items:
    Event: The name of the DoS attack the filter matches.
    Enable: Select Enable to have the firewall policy filter the associated DoS attack according to the selection in the Action column.
    Action: If a DoS filter is enabled, choose an action from the drop-down list box to determine how the firewall policy treats the associated DoS attack:
    • Log and Drop - An entry for the associated DoS attack is added to the log and the packets are dropped.
    • Log Only - An entry for the associated DoS attack is added to the log. No further action is taken; the packets are not dropped.
    • Drop Only - The DoS packets are dropped. No log entry is written.
    Log Level: Select to enable logging to the system log, then select a standard syslog severity level from the Log Level drop-down list box.
    Info: Additional information about the DoS firewall setting.
  3. Refer to the following for a summary of each Denial of Service attack the firewall can filter.
    Ascend: A series of attacks that target known vulnerabilities in various versions of Ascend routers.
    Broadcast/Multicast ICMP: A series of attacks that take advantage of hosts answering ICMP echo requests with echo replies. The attacker spoofs the source address of the target and sends ICMP echo requests to a broadcast or multicast address, so that every host on the network floods the target with replies.
    Chargen: Opens a connection to the character generator (chargen) service on port 19 and directs the stream of characters it produces at the DNS service on port 53 to disrupt DNS.
    Fraggle: Uses a list of broadcast addresses to send spoofed UDP packets to the echo port (port 7) of each broadcast address. Every host that has port 7 open responds to the request, generating a large volume of traffic on the network. Hosts that do not have port 7 open send an ICMP unreachable message back to the spoofed originator, clogging the network with still more traffic.
    FTP Bounce: Uses a weakness in the FTP PORT command to scan ports on a target machine through an intermediate FTP server.
    Invalid Protocol: Attackers may exploit a vulnerability in an endpoint's protocol implementation by sending invalid protocol fields, or abuse the endpoint software's misinterpretation of them. This can lead to inadvertent leakage of sensitive network topology information, session hijacking, or a DoS.
    IP TTL Zero: Sends spoofed multicast packets onto the network with a Time To Live (TTL) of 0. This causes packets to loop back to the spoofed originating machine and can overload the network.
    IP Spoof: A category of DoS attack that sends IP packets with forged source addresses. This hides the identity of the attacker and is the building block of the reflection attacks above.
    LAND: Sends spoofed packets with the SYN flag set to the target, using the target's own IP address and port as both source and destination. This either crashes the target system or causes high resource utilization that slows all other processes.
    Option Route: Enables the IP Option Route denial of service check in the firewall.
    Router Advertisement: The attacker uses ICMP router advertisements to redirect the network's router function to some other host. If that host cannot provide router services, routing stops and network communication is denied. The attack can also be targeted at a single system, so that only that system sees the "false" router. By providing router services from a compromised host, the attacker can also place themselves in a man-in-the-middle position and take control of any open channel at will. This is often combined with TCP packet forgery and spoofing to intercept and alter open Telnet sessions.
    Router Solicit: The ICMP Router Solicitation scan is used to actively find routers on a network. An attacker could instead set up a protocol analyzer to detect routers as they broadcast routing information on the network. In some cases, however, routers do not send updates; for example, if the local network has no other routers, a router may be configured not to send routing information packets onto it. ICMP offers a method for router discovery: clients send ICMP router solicitation multicasts onto the network, and routers respond (ICMP Router Discovery, defined in RFC 1256).

    By sending ICMP router solicitation packets (ICMP type 10) on the network and listening for ICMP router advertisement replies (ICMP type 9), attackers can build a list of all of the routers on a network segment. This scan is often used to locate routers that do not reply to ICMP echo requests.

    Smurf: Sends ICMP echo requests to a list of broadcast addresses in turn, then repeats the requests, flooding the network with replies.
    Snork: Uses UDP packet broadcasts to consume network and system resources.
    TCP Bad Sequence: Enables the TCP Bad Sequence denial of service check in the firewall.
    TCP FIN Scan: Attackers use the TCP FIN scan to identify listening TCP ports based on how the target reacts to a close request for a TCP port, even though no connection exists before the close request is sent. This type of scan can get through basic firewalls and boundary routers that filter incoming TCP packets on the FIN and ACK flag combination, because the packets used in this scan carry only the FIN flag. If the target's TCP port is closed, the target replies with a TCP RST packet. If the port is open, the target discards the FIN and sends no reply.
    TCP Intercept: A SYN-flooding attack occurs when an attacker floods a server with a barrage of connection requests. Because these requests carry unreachable return addresses, the connections can never complete. The resulting volume of unresolved half-open connections eventually overwhelms the server and causes it to deny service to valid requests, preventing legitimate users from connecting to a web site, accessing email, using FTP, and so on.

    The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software completes the handshake with the client on behalf of the destination server and, if that succeeds, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Connection attempts from unreachable hosts therefore never reach the server. The software continues to intercept and forward packets for the duration of the connection. The number of SYNs per second and the number of concurrent connections that can be proxied depend on the platform, memory, processor, and other factors. For illegitimate requests, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests through.

    When establishing a security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and the threshold of outstanding connections. Optionally, TCP intercept can operate in watch mode instead of intercept mode. In watch mode, the software passively watches the connection requests flowing through the router; if a connection is not established within a configurable interval, the software intervenes and terminates the connection attempt.

    TCP Null Scan: Attackers use the TCP NULL scan to identify listening TCP ports. The scan uses a series of malformed TCP packets that carry a sequence number of 0 and no flags at all. This type of scan can get through some firewalls and boundary routers that filter incoming TCP packets on standard flag settings. If the target's TCP port is closed, the target replies with a TCP RST packet. If the port is open, the target discards the NULL packet and sends no reply.
    TCP Post SYN: A remote attacker may attempt to avoid detection by sending a SYN frame with a different sequence number than the original SYN. This can cause an Intrusion Detection System (IDS) to lose synchronization with the data in a connection, so that subsequent frames sent during the connection are ignored by the IDS.
    TCP Packet Sequence Past Window: An attempt to predict the sequence numbers used in a TCP connection so that packets can be counterfeited. The attacker hopes to guess the sequence number used by the sending host correctly; if successful, they can send counterfeit packets to the receiving host that appear to originate from the sending host, even though they actually come from a third host controlled by the attacker.
    TCP XMAS Scan: The TCP XMAS scan sends the target TCP packets with the FIN, URG and PSH flags all set. It is used to determine details about the target system (which ports are listening and how the stack reacts) and can crash some systems.
    TCP Header Fragment: Enables the TCP Header Fragment denial of service check in the firewall.
    Twinge: Sends ICMP packets cycling through all ICMP types and codes. This can crash some Windows systems.
    UDP Short Header: Enables the UDP Short Header denial of service check in the firewall.
    WINNUKE: Sends out-of-band (URG) data to TCP port 139 to crash the NetBIOS session service on Windows; it can also cause high CPU utilization on the target machine.
  4. Select events individually to enable or disable them.
  5. Select Save to update the DoS settings.
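The filters above are described only in prose. The following is an added example, not the controller's own code, that shows what several of the packet-level checks (IP TTL Zero, LAND, TCP Null Scan, TCP FIN Scan, TCP XMAS Scan) actually test in an IPv4/TCP header, and how the Enable, Action and Log Level settings from step 2 turn a match into a verdict. The packets, the policy table and the log line format are constructed for the example.

```python
"""Packet checks modelled on the DoS filter table above (added example).

parse_ipv4_tcp() decodes the IPv4 and TCP headers, classify() names the
filters a packet would trigger, and apply_policy() applies an Enable/Action/
Log Level configuration like the one in step 2.  Packets are built inline
with build_tcp() (checksums left at zero); nothing is sent on the wire.
"""
import struct
from ipaddress import IPv4Address

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_ipv4_tcp(pkt: bytes):
    """Return the header fields the checks need, or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # header length incl. any IP options
    hdr = {"ttl": pkt[8], "proto": pkt[9],
           "src": IPv4Address(pkt[12:16]), "dst": IPv4Address(pkt[16:20])}
    if hdr["proto"] == 6 and len(pkt) >= ihl + 20:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        hdr["flags"] = pkt[ihl + 13]
    return hdr


def classify(pkt: bytes) -> list:
    """Names (as in the Event column) of the DoS filters this packet triggers."""
    h = parse_ipv4_tcp(pkt)
    if h is None:
        return []
    events = []
    if h["ttl"] == 0:                       # a TTL of 0 should never be forwarded
        events.append("IP TTL Zero")
    if "flags" in h:
        f = h["flags"]
        if f & SYN and h["src"] == h["dst"] and h["sport"] == h["dport"]:
            events.append("LAND")           # SYN with source == destination addr and port
        if f == 0:
            events.append("TCP Null Scan")  # no flags at all
        elif f == FIN:
            events.append("TCP FIN Scan")   # lone FIN for a connection that does not exist
        elif f == FIN | URG | PSH:
            events.append("TCP XMAS Scan")  # FIN, URG and PSH all set
    return events


# Hypothetical policy: Event -> (Enable, Action, Log Level), mirroring step 2.
POLICY = {
    "LAND":          (True,  "Log and Drop", "warning"),
    "TCP Null Scan": (True,  "Log and Drop", "warning"),
    "TCP FIN Scan":  (True,  "Log Only",     "notice"),
    "TCP XMAS Scan": (True,  "Drop Only",    "warning"),
    "IP TTL Zero":   (False, "Log and Drop", "warning"),   # disabled
}


def apply_policy(pkt: bytes, policy=POLICY):
    """Return ("drop" | "forward", [syslog lines]) for one packet."""
    verdict, log = "forward", []
    for event in classify(pkt):
        enabled, action, level = policy.get(event, (False, None, None))
        if not enabled:
            continue
        if action in ("Log and Drop", "Log Only"):
            log.append(f"{level}: dos-filter event={event} action={action}")
        if action in ("Log and Drop", "Drop Only"):
            verdict = "drop"
    return verdict, log


def build_tcp(src, dst, sport, dport, flags, ttl=64) -> bytes:
    """Construct a minimal IPv4+TCP packet (no payload, zero checksums)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # Constructed sample traffic: one packet per filter plus a normal SYN.
    samples = {
        "land":   build_tcp("10.0.0.5", "10.0.0.5", 80, 80, SYN),
        "null":   build_tcp("198.51.100.9", "10.0.0.5", 40000, 22, 0),
        "fin":    build_tcp("198.51.100.9", "10.0.0.5", 40000, 22, FIN),
        "xmas":   build_tcp("198.51.100.9", "10.0.0.5", 40000, 22, FIN | URG | PSH),
        "ttl0":   build_tcp("198.51.100.9", "239.1.1.1", 40000, 22, SYN, ttl=0),
        "normal": build_tcp("198.51.100.9", "10.0.0.5", 40000, 22, SYN),
    }
    for name, pkt in samples.items():
        print(name, classify(pkt), apply_policy(pkt))
```

Note that the TTL Zero filter is listed but disabled in the sample policy, so that packet matches but is still forwarded, which is exactly the behaviour the Enable column controls; flip its first value to True to see it dropped and logged.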