Sophos XG Firewall: How to prevent DoS and DDoS attacks

Nguyen Tien Thanh.

How to configure DoS & DDoS protection

  • This article describes how you can protect your network against DoS and DDoS attacks using the Sophos XG Firewall (SF). It is divided into two sections:
    • Protecting your network from a DoS attack
    • Protecting your network from a DDoS attack

Protecting your network from a DoS attack

You can protect your network against DoS attacks for both IPv4 and IPv6 traffic by configuring the appropriate DoS Settings on the Sophos XG Firewall. You can configure DoS Settings by following the steps below:

  1. Navigate to Intrusion Prevention > DoS & Spoof Protection.
  2. Under the DoS Settings section, set the Packet and Burst rates according to your network traffic, then check the Apply Flag next to each parameter to enable scanning for that type of traffic.
    • As an example, we have set Packet rate per Source (Packet/min) to 1200 for ICMP/ICMPv6 Flood and checked the Apply Flag next to it to enable scanning for ICMP and ICMPv6 traffic.
  3. Click Apply to apply the configured DoS Settings.

  • Once DoS settings are applied, SF checks the network traffic to ensure that it does not exceed the configured limit.
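
An added example (not from the original article or from Sophos): one way to check a candidate Packet rate per Source value, such as the 1200 used above for ICMP/ICMPv6 Flood, against your own traffic before checking the Apply Flag. It assumes packet records exported as (timestamp, source, protocol) tuples and counts them in fixed one-minute windows; how SF measures the rate internally is not described in this article, and all function names and sample data are constructed for illustration.

```python
from collections import Counter

def build_sample():
    """Constructed packet records (epoch seconds, source, protocol).
    Addresses come from documentation ranges; this is not real traffic."""
    pkts = []
    # Monitoring host: one ICMP echo per second for two minutes (60/min).
    pkts += [(t, "192.0.2.10", "icmp") for t in range(120)]
    # Noisy host: 1500 ICMP packets spread across the second minute.
    pkts += [(60 + (i * 60) // 1500, "198.51.100.7", "icmp") for i in range(1500)]
    # IPv6 host: 300 ICMPv6 packets in the first minute.
    pkts += [(i // 5, "2001:db8::5", "icmpv6") for i in range(300)]
    return pkts

def peak_rate_per_source(packets, protocols, window=60):
    """Return {source: highest packet count seen in any fixed window}."""
    per_window = Counter()
    for ts, src, proto in packets:
        if proto in protocols:
            per_window[(src, int(ts) // window)] += 1
    peaks = {}
    for (src, _), count in per_window.items():
        peaks[src] = max(peaks.get(src, 0), count)
    return peaks

def sources_over_limit(packets, protocols, limit_per_min):
    """Sources whose peak per-minute rate exceeds the candidate limit."""
    peaks = peak_rate_per_source(packets, protocols)
    return {src: n for src, n in peaks.items() if n > limit_per_min}

if __name__ == "__main__":
    sample = build_sample()
    icmp = {"icmp", "icmpv6"}
    limit = 1200  # Packet rate per Source (Packet/min) from the article's example
    for src, n in sorted(peak_rate_per_source(sample, icmp).items()):
        print(f"{src:15} peak {n:5d} pkt/min")
    print("over limit:", sources_over_limit(sample, icmp, limit))
```

If a source you know to be legitimate shows up in the over-limit set, the candidate rate is too low for your network and should be raised before the flag is applied.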

Protecting your network from a DDoS Attack

You can protect your network against DDoS attacks by using Intrusion Prevention policies in SF. To configure an IPS policy, follow the steps below.

  1. Navigate to Intrusion Prevention > IPS Policies.
  2. Click Add to create a new Intrusion Prevention policy named DDoS_Protection.
  3. Click Save.
  4. Click on the icon for the DDoS_Protection policy.
  5. Click on Add to create a new rule named DDoS_Signatures.
  6. In the Smart Filter field, type “ddos” (without the quotes) and then press Enter.
  7. Set the Action to Drop Packet.
  8. Click on Save and then click on Save again to save the policy.
  9. Navigate to Firewall and apply the Intrusion Prevention policy to the User/Network Rule.

 
