Flood protection helps to protect against Denial of Service (DDoS) attacks.

DDoS attacks aim to make a server unavailable to legitimate traffic by consuming all the available server resources - the server is flooded with requests. Creating a flood protection profile imposes active session limits for ICMP, UDP, and half-open TCP flows. Distributed firewall can cache flow entries which are in SYN_SENT and SYN_RECEIVED states, and promote each entry to a TCP state after an ACK is received from the initiator, completing the three-way handshake.

Procedure

  1. Navigate to Security > General Settings > Firewall > Flood Protection.
  2. Navigate to Security > General Settings > Flood Protection.
  3. Click Add Profile, and select Add Edge Gateway Profile or Add Firewall Profile.
  4. Fill out the flood protection profile parameters:
    Table 1. Parameters for Firewall and Edge Gateway Profiles
    Parameter Minimum and maximum values Default
    TCP Half Open Connection Limit - TCP SYN flood attacks are prevented by limiting the number of active, not-fully-established TCP flows which are allowed by the firewall. 1-1,000,000

    Firewall - None

    Edge Gateway - 1,000,000

    Set this text box to limit the number of active TCP half open connections. If this text box is empty, this limit is disabled on ESX nodes and set to the default on value of Edge Gateways.
    UDP Active Flow Limit -UDP flood attacks are prevented by limiting the number of active UDP flows which are allowed by the firewall. Once the set UDP flow limit is reached, subsequent UDP packets which can establish a new flow are dropped. 1-1,000,000

    Firewall - None

    Edge Gateway - 1,000,000

    Set this text box to limit the number of active UDP connections. If this text box is empty, this limit is disabled on ESX nodes and set to the default on value of Edge Gateways.
    ICMP Active Flow Limit - ICMP flood attacks are prevented by limiting the number of active ICMP flows which are allowed by the firewall. After the set flow limit is reached, subsequent ICMP packets which can establish a new flow are dropped. 1-1,000,000

    Firewall - None

    Edge Gateway - 10,000

    Set this text box to limit the number of active ICMP open connections. If this text box is empty, this limit is disabled on ESX nodes and set to the default on value of Edge Gateways.
    Other Active Connection Limit 1-1,000,000

    Firewall - None

    Edge Gateway - 10,000

    Set this text box to limit the number of active connections other than ICMP, TCP, and UDP half open connections. If this text box is empty, this limit is disabled on ESX nodes, and set to the default on value of Edge Gateways.
    SYN Cache - Syn Cache is used when a TCP half open connection limit has also been configured. The number of active half-open connections are enforced by maintaining a syncache of the not-fully-established TCP sessions. This cache maintains the flow entries which are in SYN_SENT and SYN_RECEIVED states. Each syncache entry will be promoted to a full TCP state entry after an ACK is received from the initiator, completing the three-way handshake. Only available for firewall profiles. Toggle on and off. Enabling SYN cache is effective only when a TCP half open connection limit is configured. Disabled by default.
    RST Spoofing - Generates spoofed RST to server when purging half-open states from SYN cache. Allows server to clean up states associated with SYN flood (half open). Only available for firewall profiles. Toggle on and off. SYN Cache must be enabled for this option to be available
    NAT Active Connection Limit 1 - 4294967295 Only available for Edge Gateway profiles. The default is 4294967295. Set this parameter to limit the number of NAT connections that can be generated at the gateway.
  5. To apply the profile to edge gateways and firewall groups, click Set.
  6. Click Save.

What to do next

After saving, click Manage Group to Profile Precedence to manage group to profile binding precedence.