Mitigate DDoS Attacks on Firewall Sophos XG

Asked by DP230 (United Kingdom)

Dear Guru, we would like to mitigate DDoS attacks on the Sophos XG firewall, however we are not sure how to fill in these parameters. Can you kindly suggest and explain? How do we make sure that we do not drop legitimate sessions?

[attached image]

Aard Vark (Australia):

It looks relatively straightforward.

Packet rate per source (Packet/min): This will define how many packets from a source IP in a 60 second window will trigger DoS protection.
Burst rate per Source (Packet/sec): This will define how many packets from a source IP in a 1 second window will trigger DoS protection.
Apply Flag: Is the rule enabled.

There are obviously the alternate settings for the packets being sent to a destination IP as well. The setting definitions are otherwise identical. You can choose whether to apply the destination rule separately, but you probably wouldn't care about destination much.
btan:

To add on, the default values may at times trigger false positives.
https://community.sophos.com/kb/en-us/123182

Hence it is best to measure your network PPS.
Here is an example PPS calculation for an application that uses TCP port XXXXX for communication using default settings for communication across the network. It averages 5 KB per transaction and the average user transacts with the application 10 times per second.

  • It is a TCP application, so the policy should be for SYN-Flood
  • Default MTU is 1,500, MSS is 1,460
  • 5 KB max transaction size x 1,024 = 5,120 bytes
  • 5,120 / 1,460 = 3.5 packets per transaction
  • You cannot have partial packets, round up to 4
  • 4 x max. 10 transactions per second = 40 packets per second

This would then be multiplied by the average number of concurrent sessions (users) accessing the application.

Accurately identifying transactions per second and how much data per transaction is difficult and requires in-depth knowledge of the protocols and services. An alternative method of estimating the PPS is to divide the maximum data of a client per second by the MSS. If you do this with the values in this scenario you end up with 35 PPS because it does not account for partial packets.

With this in mind, although it is an easier method, you would need to pad the PPS result.

  • Max. 10 transactions per second x max. 5 KB per transaction = 50 KB
  • 50 KB x 1,024 = 51,200 bytes
  • 51,200 / 1,460 = 35 PPS
Additional information:
  • Packet rate: The Sophos XG Firewall will allow tcp traffic for a particular source or destination if packets are coming below the rate given, otherwise it will be dropped.
  • Burst rate: The Sophos XG Firewall will allow this amount of packets initially without checking the packet rate.
  • The DoS protection works per source/destination base, so packet rate and burst rate will apply to per source/destination.
  • The Sophos XG Firewall will check for a bypass rule first and then apply DoS protection for the remaining traffic.
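The two estimation methods above, carried through in code as an added example (not from the original post or from Sophos). It also checks a configured packet-rate/burst-rate pair against an assumed number of clients sharing one source address, because the thresholds apply per source IP and a whole site behind NAT is seen by the firewall as a single source; the `headroom` factor is an assumed padding value, not a Sophos default.

```python
import math

MSS = 1460  # default TCP MSS with a 1,500-byte MTU, as used in the thread


def packets_per_transaction(tx_bytes: int, mss: int = MSS) -> int:
    """Round up: a partial segment still costs a whole packet."""
    return math.ceil(tx_bytes / mss)


def pps_per_client(tx_kb: float, tx_per_sec: float, mss: int = MSS) -> dict:
    """Per-client PPS by both methods from the thread.

    'exact': packets per transaction (rounded up) x transactions/sec
    'rough': total bytes per second / MSS, unrounded, so it needs padding
    """
    tx_bytes = int(tx_kb * 1024)
    exact = packets_per_transaction(tx_bytes, mss) * tx_per_sec
    rough = (tx_bytes * tx_per_sec) / mss
    return {"exact": exact, "rough": rough}


def thresholds_for(pps_client: float, clients_per_source: int,
                   headroom: float = 1.5) -> dict:
    """Suggest per-source burst rate (packets/sec) and packet rate (packets/min).

    clients_per_source: users the firewall sees behind one source IP
    (assumed; e.g. a branch office behind a single NAT address).
    headroom: assumed padding so normal peaks do not trip DoS protection.
    """
    per_source_pps = pps_client * clients_per_source
    burst = math.ceil(per_source_pps * headroom)
    return {"pps": per_source_pps,
            "burst_per_sec": burst,
            "packet_rate_per_min": burst * 60}


def would_drop_legit(pps_client: float, clients_per_source: int,
                     packet_rate_per_min: int, burst_per_sec: int) -> bool:
    """True if expected legitimate traffic from one source exceeds a configured limit."""
    per_source_pps = pps_client * clients_per_source
    return (per_source_pps > burst_per_sec
            or per_source_pps * 60 > packet_rate_per_min)


if __name__ == "__main__":
    est = pps_per_client(5, 10)            # thread's scenario: 5 KB, 10 tx/s
    print(est)                              # exact 40 PPS, rough ~35 PPS
    print(thresholds_for(est["exact"], clients_per_source=1))
    # constructed check: 1000 users behind one NAT IP against 24000/min, 1000/s
    print(would_drop_legit(est["exact"], 1000, 24000, 1000))
```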
DP230 (asker):

Hi, but which one is better between Source and Destination? We are configuring 24000 as the packet rate per source (per min) and 1000 packets per source (per second) as the burst rate, but many users (here at HO and at many other branch offices) suffered a slow experience.

Inside our network here, we have Exchange 2016 server, ~400 users and several ERP application.

From outside, we have about 1000 users.

Setting source and destination would be suitable. See the option below.

So, if you know there will be 1k and 400 concurrent users, it means a total of 1500 users will be the worst case to access the system, and the targeted backend system can sustain that.

Both source and destination addresses:
- Select this option if you want to drop SYN packets that match both source and destination IP address. First, SYN packets are filtered that match the source IP address. Second, if there are still too many requests they will additionally be filtered according to the destination IP address. This mode is set as default.

Destination address only:
- Select this option if you want to drop SYN packets according to the destination IP address only.

Source address only:
- Select this option if you want to drop SYN packets according to the source IP address only.
DP230 (asker):

Hi, yes, I understood the theory, but how can I calculate the exact numbers? Can we use some tools to record the information?
ASKER CERTIFIED SOLUTION
btan:
