Here we’ll look at various methods by which the SRX can prevent or mitigate advanced DoS and DDoS flooding attacks. A DoS flood is a flood of packets to a host or network that is meant to degrade or remove the availability of the service or network. There are many types of DoS flooding attacks, but they can be categorized into two main flavors: service floods and bandwidth floods.
A service flood is an attempt to overwhelm a system or service with requests (valid or invalid) that exceed the system’s ability to process legitimate requests. An example is an HTTP request flood, as shown in Figure 7-8. The idea of the HTTP flood is to overrun the web server with thousands (or millions) of bogus requests, knocking the website offline and preventing it from serving its customers.
Figure 7-8. A service flood attack
A bandwidth flood is similar to a service flood, except that the bandwidth flood may not be attacking a single destination; instead, it attempts to fill up the network links or the network infrastructure’s processing capacity. Typically, you see these floods as large UDP packets with spoofed sources, as shown in Figure 7-9. Assuming the smallest link in the network path to the destination node or network is an OC3, which is approximately 155 Mb, to attack the availability of this network and its ability to ...
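To make the two flavors concrete from the defender’s side, the following is an added example (not code from the book or from Junos) that runs a toy detector over constructed flow records. It counts requests per destination per second to surface a service flood against a single web server, and it sums bits per second across all destinations, compared against the OC3 capacity from the text, to surface a bandwidth flood that is spread over many destinations and many spoofed sources. The flow records, the hypothetical Flow structure, the thresholds (1,000 requests per second, 90% link utilization) and the addresses are all assumptions made for the example.

```python
"""Toy DoS flood classifier over constructed flow records.

Added example; not from the book and not SRX screen logic. Every
record below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

OC3_BPS = 155_000_000  # approximate OC3 rate quoted in the text, used as link capacity


@dataclass(frozen=True)
class Flow:
    """Hypothetical one-second flow record (assumed shape, not a real export format)."""
    ts: int        # second in which the flow was seen
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    packets: int
    bytes: int


def service_flood_suspects(flows, port, req_per_sec):
    """Service flood check: requests per (destination, second) toward one service port.

    Returns {dst: peak_requests_per_second} for destinations whose peak rate
    exceeds req_per_sec. A single target with a huge request rate is the
    HTTP-flood pattern described in the text.
    """
    per_sec = defaultdict(int)
    for f in flows:
        if f.dport == port:
            per_sec[(f.dst, f.ts)] += f.packets
    peak = defaultdict(int)
    for (dst, _), n in per_sec.items():
        peak[dst] = max(peak[dst], n)
    return {d: r for d, r in peak.items() if r > req_per_sec}


def bandwidth_flood_suspects(flows, link_bps, utilization):
    """Bandwidth flood check: total bits per second entering the protected link.

    Unlike the service check this ignores the destination, because a bandwidth
    flood may be sprayed across many hosts. Returns {second: (bps, distinct_sources)}
    for seconds above utilization * link_bps; a very high distinct-source count
    alongside the volume is consistent with spoofed sources.
    """
    bits = defaultdict(int)
    srcs = defaultdict(set)
    for f in flows:
        bits[f.ts] += f.bytes * 8
        srcs[f.ts].add(f.src)
    return {t: (b, len(srcs[t])) for t, b in bits.items() if b > utilization * link_bps}


def build_sample_flows():
    """Constructed traffic: one benign second, one HTTP flood second, one UDP flood second."""
    flows = []
    web = "198.51.100.10"
    # second 0: ten real clients, five requests each (50 req/s, ~240 kb/s)
    for i in range(10):
        flows.append(Flow(0, f"203.0.113.{i + 1}", web, "tcp", 80, 5, 3000))
    # second 1: 200 bogus clients, 50 requests each = 10,000 req/s at one server (~32 Mb/s)
    for i in range(200):
        flows.append(Flow(1, f"10.0.{i // 256}.{i % 256}", web, "tcp", 80, 50, 20000))
    # second 2: 1,500 spoofed sources each sending ten 1,400-byte UDP packets
    # spread across the /24, i.e. 168 Mb/s of large UDP, more than the OC3 carries
    for i in range(1500):
        dst = f"198.51.100.{i % 254 + 1}"
        flows.append(Flow(2, f"10.1.{i // 256}.{i % 256}", dst, "udp", 9999, 10, 14000))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("service flood suspects:", service_flood_suspects(sample, 80, 1000))
    print("bandwidth flood seconds:", bandwidth_flood_suspects(sample, OC3_BPS, 0.9))
```

The two checks deliberately key on different things: the service check is per destination and per service port, while the bandwidth check is per link regardless of destination, which is why the UDP second trips only the second check and the HTTP second trips only the first.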