FTD(FMC) Snort Rule Detect DDoS attack

pjh0420
Level 1

Hi.

I would like to know whether FTD can detect DDoS attacks using FMC's intrusion rules.

I am not sure whether this is correct, because I searched based on the Snort rules.

======================

Random Get Flooding
SYN Flooding
SYN (ECN, CWR) Flooding
ACK Flooding
TCP Connection Flooding
UDP / ICMP Flooding
Cache-Control attack
VSE Query Flooding
Fragment attack
GRE Flooding
DNS Query Flooding
GET Flooding
DB Query Flooding
slowloris
slowread
RUDY-Slow HTTP (S) Post

======================

I can't find Snort rules that exactly match the attack types above.

If you know how to check this quickly, or have any information, please help.

caroldso
Cisco Employee

Hi,

Detection of DDoS attacks is not supported by Firepower unless you have Radware DefensePro installed, which in turn is supported only on the 4100 and 9300 platforms. Please refer to the link below:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/radware/radware_ftd_qsg.html

However, DoS prevention can be configured under Rate-Based Attack Prevention, as per the following link:

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/detecting_specific_threats.html#ID-2236-00000281

Quoting from the above link:

"In a network analysis policy, you can either configure SYN flood or TCP/IP connection flood detection for the entire policy; in an intrusion policy, you can set rate-based filters for individual intrusion or preprocessor rules. Note that you cannot manually add a rate-based filter to GID 135 rules or modify their rule state. Rules with GID 135 use the client as the source value and the server as the destination value.

When SYN Attack Prevention is enabled, rule 135:1 triggers if a defined rate condition is exceeded.

When Control Simultaneous Connections is enabled, rule 135:2 triggers if a defined rate condition is exceeded, and rule 135:3 triggers if a session closes or times out."

Regards,

Carol
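The reply above points at rate-based filters rather than signature rules for floods, and the reason the asker could not find a per-attack Snort rule is that a flood is a rate condition, not a content match. The following is an added example, not code from the thread, from Cisco, or from the Snort project: a small Python model of the rate-based filter logic (count matching events per source or per destination over a sliding window, fire on the count-th event and every further one while the window stays full), run over constructed sample SYN traffic so the threshold behaviour can be checked offline. The Snort rule quoted in the comment uses the real `detection_filter` keyword, but the SID 1000001, the 20-in-5-seconds threshold, and the IP addresses are assumptions made for the example, not Cisco defaults.

```python
"""Sliding-window rate detection modelled on Snort's detection_filter.

Illustrative rule this models (hypothetical local SID and assumed
thresholds, written in Snort rule syntax):

  alert tcp any any -> $HOME_NET 80 (msg:"Possible SYN flood";
      flags:S; flow:stateless;
      detection_filter: track by_src, count 20, seconds 5;
      sid:1000001; rev:1;)
"""
from collections import defaultdict, deque


class RateFilter:
    """Per-key sliding-window counter.

    track   -- "by_src" or "by_dst": which address the count is keyed on
    count   -- number of matching events inside the window needed to fire
    seconds -- window length in seconds

    observe() returns True on the count-th matching event within the
    window and on every further event while the window still holds
    at least `count` events, mirroring detection_filter semantics.
    """

    def __init__(self, track, count, seconds):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be 'by_src' or 'by_dst'")
        self.track = track
        self.count = count
        self.seconds = seconds
        self._hits = defaultdict(deque)  # key -> timestamps in window

    def observe(self, ts, src, dst):
        key = src if self.track == "by_src" else dst
        window = self._hits[key]
        # Expire timestamps that have slid out of the window.
        while window and ts - window[0] > self.seconds:
            window.popleft()
        window.append(ts)
        return len(window) >= self.count


# Constructed sample traffic (not captured data): (timestamp, src, dst, flags).
# 10.0.0.5 sends 25 bare SYNs in about 2.5 s; 10.0.0.7 is a normal client.
SAMPLE_EVENTS = (
    [(100.0 + i * 0.1, "10.0.0.5", "192.0.2.10", "S") for i in range(25)]
    + [
        (101.0, "10.0.0.7", "192.0.2.10", "S"),
        (101.1, "10.0.0.7", "192.0.2.10", "A"),
        (103.0, "10.0.0.7", "192.0.2.10", "PA"),
        (108.0, "10.0.0.7", "192.0.2.10", "S"),
    ]
)
SAMPLE_EVENTS.sort(key=lambda e: e[0])


def detect_syn_flood(events, count=20, seconds=5, track="by_src"):
    """Apply the rate filter to bare-SYN packets only (flags == "S"),
    the way the example rule's flags:S option restricts matching, and
    return the (timestamp, src) pairs on which the rule would alert."""
    rf = RateFilter(track, count, seconds)
    alerts = []
    for ts, src, dst, flags in events:
        if flags != "S":
            continue
        if rf.observe(ts, src, dst):
            alerts.append((ts, src))
    return alerts


if __name__ == "__main__":
    for ts, src in detect_syn_flood(SAMPLE_EVENTS):
        print(f"t={ts:.1f}s SYN rate threshold exceeded, src={src}")
```

With the sample input the by_src filter stays quiet for the normal client and fires on the attacker's 20th SYN and each one after it. Switching `track` to `by_dst` counts every SYN aimed at the server regardless of source, which is the tracking mode that still catches a distributed flood where no single source crosses the per-source threshold; the trade-off is that a legitimate client whose SYN lands inside an already-full window is also reported. Neither mode stops link saturation at the sensor, which is why the reply separates rate-based DoS prevention from DDoS protection.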
