How Blocking Works For Dos Traffic; Verify Blocked Dos Attacks Using The Threat Analyzer; Drop Dos Attacks From The Threat Analyzer; Block Using Acls - McAfee M-1250 - Network Security Platform Manual

Network protection
McAfee® Network Security Platform 6.0

How blocking works for DoS traffic

A DoS policy applies to inbound, outbound, and bidirectional traffic. In inline mode, inbound
traffic is traffic received on the port marked "Outside" (that is, originating from outside the
network); it is typically destined for the protected network, such as an enterprise intranet.
Outbound traffic is traffic sent from a system in your intranet and received on the port marked
"Inside" (that is, originating from inside the network) in inline mode. Bidirectional attacks
reflect changes in the distribution of ECHO requests and replies across both inbound and
outbound directions. For example, if the Sensor normally sees 50% inbound replies and 50%
outbound replies, but the distribution then changes to 70%/30%, the change might raise an
alert.
Note: There are also Learning Mode attacks that do not have a directional association,
specifically ICMP ECHO Anomaly and TCP Control Anomaly. Note that these attacks cannot be
blocked.
The Sensor applies the outbound or inbound DoS policy depending on the traffic direction
(which is determined via the Sensor cabling and port configuration). The "Drop attack
packets" response action must be enabled by traffic type (protocol type) within the DoS
policy.
When the Sensor detects an attack traffic condition, the block action will persist until the
attack condition ends and will repeat whenever the attack condition is present.

Verify blocked DoS attacks using the Threat Analyzer

Alerts reflecting a DoS condition continue to be sent to the Threat Analyzer for the duration
of the attack.
In Threat Analyzer, the result status displays "Blocking activated" for the duration of the
attack condition.

Drop DoS Attacks from the Threat Analyzer

The IPS Policy Editor enables you to selectively drop DoS Learning Mode attacks. If you have
not configured the drop response there, the Threat Analyzer provides the ability to drop
further DoS attacks after a recent attack has been detected.

Block using ACLs

An Access Control List (ACL) consists of ordered rules for permitting and denying traffic from
reaching a Sensor's inspection engine and continuing on through the network. ACLs
complement policies and attack filters to help tune a deployment. You can use ACLs with a
Sensor in inline mode to drop or deny traffic from or to specific hosts or within a range of
hosts, or traffic that meets particular requirements such as protocol type or port.
Some details about ACLs:
ACL rules match on a combination of source IP, destination IP, protocol, and
destination port.
Block attacks
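The following is an added illustration, not code from this manual or from the Network Security Platform itself: a small evaluator for ordered ACL rules that match on the four fields named above (source IP, destination IP, protocol, destination port). First-match-wins evaluation, the "any" wildcard, CIDR host ranges and the sample rules are assumptions made for the example; the real Sensor's matching semantics may differ.

```python
# Added example (not McAfee code): ordered ACL evaluation over the four match fields
# the manual lists. First-match-wins and the "any" wildcard are assumptions here.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR such as "10.1.0.0/16", or "any"
    dst: str                     # CIDR or "any"
    proto: str                   # "tcp", "udp", "icmp", or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        """True when every field of the rule covers the packet's header."""
        return (
            (self.src == "any" or ip_address(pkt["src"]) in ip_network(self.src))
            and (self.dst == "any" or ip_address(pkt["dst"]) in ip_network(self.dst))
            and self.proto in ("any", pkt["proto"])
            and (self.dport is None or self.dport == pkt.get("dport"))
        )


def evaluate(acl: List[AclRule], pkt: dict,
             default: str = "permit") -> Tuple[str, Optional[int]]:
    """Walk the rules in order; return (action, index of the rule that fired).
    A packet no rule covers gets the default action and index None."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


# Constructed sample ACL: drop one noisy host outright, then permit only HTTPS
# into a DMZ range and deny everything else headed there.
ACL = [
    AclRule("deny",   "203.0.113.7/32", "any",          "any"),
    AclRule("permit", "any",            "192.0.2.0/24", "tcp", 443),
    AclRule("deny",   "any",            "192.0.2.0/24", "any"),
]

if __name__ == "__main__":
    https = {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
    print(evaluate(ACL, https))               # ('permit', 1)
    # Rule order matters: with the permit moved ahead of the host deny, the
    # noisy host's HTTPS traffic is allowed through instead of dropped.
    noisy = dict(https, src="203.0.113.7")
    print(evaluate(ACL, noisy), evaluate([ACL[1], ACL[0], ACL[2]], noisy))
```

Because the rules are evaluated in order, a broad permit placed before a narrow deny silently shadows it, which is the usual mistake to check for when tuning ACLs.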
