VMware SD-WAN provides detection and protection against various attacks to combat exploits at all stages of their execution.

To secure all connection attempts in an Enterprise network, VMware SD-WAN Orchestrator allows you to configure Network and Flood Protection settings at the Profile and Edge levels, to protect against the following types of attacks:
  • Denial-of-Service (DoS) attack
  • TCP-based attacks - Invalid TCP Flags, TCP Land, and TCP SYN Fragment
  • ICMP-based attacks - ICMP Ping of Death and ICMP Fragment
  • IP-based attacks - IP Unknown Protocol and IP Insecure Options
Denial-of-Service (DoS) attack

A denial-of-service (DoS) attack is a type of network security attack that overwhelms the targeted device with a tremendous amount of bogus traffic so that the target becomes so preoccupied processing the bogus traffic that legitimate traffic cannot be processed. The target can be a firewall, the network resources to which the firewall controls access, or a specific hardware platform or operating system of an individual host. The DoS attack attempts to exhaust the target device's resources, making the target device unavailable to legitimate users.

There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks occur when the system receives too much traffic for the server to buffer, causing them to slow down and eventually stop. Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize the system.

Invalid TCP Flags
Invalid TCP flags attack occurs when a TCP packet has a bad or invalid flag combination. A vulnerable target device will crash due to invalid TCP flag combinations and therefore it is recommended to filter them out. Invalid TCP flags guards against:
  • Packet that has no flags set in its TCP header such as SYN, FIN, ACK, etc.,
  • TCP header that has SYN and FIN flags combined, which are mutually-exclusive flags in reality
TCP Land

A Land attack is a Layer 4 DoS attack in which, a TCP SYN packet is created such that the source IP address and port are set to be the same as the destination IP address and port, which in turn is set to point to an open port on a target device. A vulnerable target device would receive such a message and reply to the destination address effectively sending the packet for reprocessing in an infinite loop. Thus, the device CPU is consumed indefinitely causing the vulnerable target device to crash or freeze.

TCP SYN Fragment

The Internet Protocol (IP) encapsulates a Transmission Control Protocol (TCP) SYN segment in the IP packet to initiate a TCP connection and invoke a SYN/ACK segment in response. Because the IP packet is small, there is no legitimate reason for it to be fragmented. A fragmented SYN packet is anomalous, and as such suspect. In a TCP SYN fragment attack, a target server or host is flooded with TCP SYN packet fragments. The host catches the fragments and waits for the remaining packets to arrive so it can reassemble them. By flooding a server or host with connections that cannot be completed, the host's memory buffer overflows and therefore no further legitimate connections are possible, causing damage to the target host's operating system.

ICMP Ping of Death

An Internet Control Message Protocol (ICMP) Ping of Death attack involves the attacker sending multiple malformed or malicious pings to a target device. While ping packets are generally small used for checking reachability of network hosts, they could be crafted larger than the maximum size of 65535 bytes by attackers.

When a maliciously large packet is transmitted from the malicious host, the packet gets fragmented in transit and when the target device attempts to reassemble the IP fragments into the complete packet, the total exceeds the maximum size limit. This could overflow memory buffers initially allocated for the packet, causing system crash or freeze or reboot, as they cannot handle such huge packets.

ICMP Fragment

An ICMP Fragmentation attack is a common DoS attack which involves the flooding of fraudulent ICMP fragments that cannot be defragmented on the target server. As defragmentation can only take place when all fragments are received, temporary storage of such fake fragments takes up memory and may exhaust the available memory resources of the vulnerable target server, resulting in server unavailability.

IP Unknown Protocol

Enabling IP Unknown Protocol protection blocks IP packets with the protocol field containing a protocol ID number of 143 or greater, as it could lead to crash if not handled properly on the end device. A cautious stance would be to block such IP packets from entering the protected network.

IP Insecure Options

Attackers sometimes configure IP option fields within an IP packet incorrectly, producing either incomplete or malformed fields. Attackers use these malformed packets to compromise vulnerable hosts on the network. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing a packet containing a specific crafted IP option in the packet's IP header. Enabling IP Insecure Options protection blocks transit IP packets with incorrectly formatted IP option field in the IP packet header.

Configure Network and Flood Protection Settings

To configure Network and Flood Protection settings at the profile level, perform the following steps.


  1. From the SD-WAN Orchestrator, go to Configure > Profiles > Firewall.
  2. Enable Stateful Firewall for the selected profile.
  3. Under Network & Flood Protection Settings area, configure the following settings:
    Field Description
    New Connection Threshold (connections per second) The maximum number of new connections that is allowed from a single source IP per second. The allowable value ranges from 10 percentage through 100 percentage. The default value is 25 percentage.
    Denylist Enable the checkbox to block a source IP address, which is violating the new connection threshold by sending flood traffic either due to misconfiguration of network or malicious user attacks.
    Detect Duration (seconds) Before blocking a Source IP address, it is the grace time duration for which the violating source IP is allowed to send traffic flows.

    If an host sends flood traffic of new connection requests (port scan, TCP SYN flood, etc.,) exceeding the maximum allowed connection per second (CPS) for this duration, it will be considered as eligible for denylisting instead of immediately denylisting it as soon as it exceeds the CPS per source once. For example, consider that the maximum allowed CPS is 10 with detect duration of 10 seconds, if the host floods new connection requests greater than 100 requests for 10 seconds, then the host will be denylisted.

    The allowable value ranges from 10 seconds through 100 seconds. The default value is 10 seconds.
    Denylist Duration (seconds) The time duration for which the violated source IP is blocked from sending any packets. The allowable value ranges from 10 seconds through 86400 seconds. The default value is 10 seconds.
    TCP Based Attacks Supports protection from the following TCP-based attacks by enabling the respective checkboxes:
    • Invalid TCP Flags
    • TCP Land
    • TCP SYN Fragment
    ICMP Based Attacks Supports protection from the following ICMP-based attacks by enabling the respective checkboxes:
    • ICMP Ping of Death
    • ICMP Fragment
    IP Based Attacks Supports protection from the following IP-based attacks by enabling the respective checkboxes:
    • IP Unknown Protocol
    • IP Insecure Options
    Optionally, you can also override the Network and Flood Protection settings at the Edge level. For more information, see Configure Netflow Settings for Edges.