How can I use PacketWise to detect and limit denial-of-service attacks?

Article ID: 165891

Products

PacketShaper

Issue/Introduction

Many denial-of-service (DoS) attacks are flooding attacks, which succeed by consuming bandwidth, so PacketWise can detect and limit that class of attack by measuring and capping the traffic they generate. Unlike routers, where long Access Control Lists can be a significant drain on CPU cycles, PacketShaper/AppVantage is optimized for flow management and does not suffer the same performance degradation.

Resolution

Smurf Attacks: A smurf attack floods the victim with ICMP echo replies. Create a partition for ICMP and cap it at something small, for example 5 kbps, or 2 kbps burstable to 20 kbps. Ordinary ICMP traffic (ping, traceroute, error messages) is low bandwidth and will continue to work within such a cap; a flood will be dropped once the partition is full.

Fraggle Attacks: A fraggle attack is the UDP counterpart of smurf: UDP packets are sent to the directed-broadcast address of your subnets. Create a class for Inbound/UDP whose matching rule uses the broadcast address of each subnet as the inside host, and give it a partition capped at something small. Measure first to see what normal usage is, but it is probably zero. Example: the broadcast address of subnet 192.168.0.0/255.255.255.0 is 192.168.0.255; you would enter this in the inside host portion of the matching rule.

Fragment Attacks: PacketWise does not forward illegal (malformed) fragments, so it stops these completely without any configuration. Fragment attacks are fairly uncommon and are more of a local-network attack.

Further Tuning: Every network is unique. Experiment with these values and use PacketWise's measurement engine to determine an appropriate steady-state value for ICMP and for UDP broadcasts on your network; set the caps a little above that steady state so that legitimate traffic is never squeezed. Also consider enabling Top Talkers and Top Listeners on these classes and on the Default class, so that when an attack happens you can investigate its sources (Top Talkers) and targets (Top Listeners) in more detail. (See Track Hosts that Generate the Most Traffic in PacketGuide.)
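The following is an added example and not PacketWise or PacketShaper code: a small Python model of the three steps above (classify ICMP and inbound UDP to a subnet broadcast address, cap each class per second, and keep Top Talkers/Top Listeners counters) run over constructed sample traffic containing normal pings, a smurf flood and a fraggle burst. The 20 kbps ICMP ceiling is the article's burstable limit read as kbps; the 1 kbps UDP-Broadcast ceiling, the sample addresses and the per-second accounting are assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds
    direction: str  # "inbound" or "outbound" relative to the protected network
    proto: str      # "icmp", "udp" or "tcp"
    src: str
    dst: str
    length: int     # bytes on the wire


def broadcast_address(subnet):
    """Directed-broadcast address of a subnet, e.g. '192.168.0.0/255.255.255.0' -> '192.168.0.255'."""
    return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)


def classify(pkt, broadcast_addrs):
    """The two matching rules from the article: all ICMP, and inbound UDP to a subnet broadcast address."""
    if pkt.proto == "icmp":
        return "ICMP"
    if pkt.direction == "inbound" and pkt.proto == "udp" and pkt.dst in broadcast_addrs:
        return "UDP-Broadcast"
    return "Default"


# Partition ceilings in bits per second. ICMP is the article's "2K burstable to 20K"
# read as kbps (20 kbps is the hard ceiling); the UDP-Broadcast value is an assumed
# near-zero ceiling, since normal usage is expected to be zero. Measure your own.
PARTITION_LIMIT_BPS = {
    "ICMP": 20_000,
    "UDP-Broadcast": 1_000,
}


def enforce(packets, broadcast_addrs, limits=PARTITION_LIMIT_BPS):
    """Account for traffic per class in one-second windows and drop whatever exceeds the
    class ceiling. Returns per-class passed/dropped bit counts plus Top Talkers/Listeners."""
    admitted = defaultdict(int)  # (second, class) -> bits already admitted in that window
    stats = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        cls = classify(pkt, broadcast_addrs)
        s = stats.setdefault(cls, {"passed": 0, "dropped": 0,
                                   "top_talkers": Counter(), "top_listeners": Counter()})
        bits = pkt.length * 8
        s["top_talkers"][pkt.src] += bits      # counted whether or not the packet is dropped,
        s["top_listeners"][pkt.dst] += bits    # so the flood's sources and target stay visible
        window = (int(pkt.ts), cls)
        limit = limits.get(cls)
        if limit is not None and admitted[window] + bits > limit:
            s["dropped"] += bits               # partition full for this second: packet discarded
        else:
            admitted[window] += bits
            s["passed"] += bits
    return stats


def attacked_classes(stats):
    """Classes whose partition actually discarded traffic, i.e. where a flood is likely under way."""
    return sorted(c for c, s in stats.items() if s["dropped"] > 0)


def build_sample_packets():
    """Constructed sample traffic as seen by the shaper (not captured data)."""
    pkts = []
    # second 0: ten ordinary 64-byte echo replies to an inside host, plus one TCP segment
    for i in range(10):
        pkts.append(Packet(0.0 + i * 0.05, "inbound", "icmp", "203.0.113.5", "192.168.0.10", 64))
    pkts.append(Packet(0.5, "inbound", "tcp", "203.0.113.7", "192.168.0.20", 1500))
    # second 1: smurf flood, 100 amplifier hosts each sending a 1000-byte echo reply to the victim
    for i in range(100):
        pkts.append(Packet(1.0 + i * 0.001, "inbound", "icmp", f"198.51.100.{i + 1}", "192.168.0.10", 1000))
    # second 2: fraggle, 20 UDP packets of 500 bytes to the subnet's directed-broadcast address
    for i in range(20):
        pkts.append(Packet(2.0 + i * 0.01, "inbound", "udp", "10.0.0.9", "192.168.0.255", 500))
    return pkts


if __name__ == "__main__":
    stats = enforce(build_sample_packets(), {broadcast_address("192.168.0.0/255.255.255.0")})
    for cls, s in stats.items():
        print(cls, "passed", s["passed"], "dropped", s["dropped"],
              "top talker", s["top_talkers"].most_common(1),
              "top listener", s["top_listeners"].most_common(1))
    print("attacked:", attacked_classes(stats))
```

Running it shows the point of the partition approach: the ten normal pings (5120 bits in their second) pass untouched, the flood is cut to 20 kbps with the remainder discarded, every fraggle packet is dropped, and the Top Listeners counter for ICMP points straight at the victim while Top Talkers lists the amplifier hosts.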

Note:

If you would like to block ICMP completely, use a discard policy rather than a never-admit policy: discard silently drops the matching packets, whereas never-admit does additional per-flow work to reject each one, which under a flood translates into wasted network overhead and higher processor utilization on the unit. PacketGuide has a detailed solution on this topic. See Detect and Limit DoS Attacks.