McAfee M-1250 Network Protection - Page 26
How blocking works for DoS traffic, Verify blocked DoS attacks using the Threat Analyzer
McAfee® Network Security Platform 6.0

Block attacks

How blocking works for DoS traffic

A DoS policy applies to inbound, outbound, and bidirectional traffic. Inbound traffic is traffic received on the port marked "Outside" (that is, originating from outside the network) in inline mode. Typically inbound traffic is destined to the protected network, such as an enterprise intranet. Outbound traffic is traffic sent from a system in your intranet, and is received on the port marked "Inside" (that is, originating from inside the network) in inline mode.

Bidirectional attacks reflect changes in the distribution of ECHO requests and replies across inbound and outbound traffic. For example, if the Sensor normally sees 50% inbound replies and 50% outbound replies, but then the distribution changes to 70%/30%, the change might raise an alert.

Note: There are also Learning Mode attacks that do not have a directional association, specifically ICMP ECHO Anomaly and TCP Control Anomaly. Note that these attacks cannot be blocked.

The Sensor applies the outbound or inbound DoS policy depending on the traffic direction (which is determined by the Sensor cabling and port configuration). The "Drop attack packets" response action must be enabled by traffic type (protocol type) within the DoS policy. When the Sensor detects an attack traffic condition, the block action persists until the attack condition ends and repeats whenever the attack condition is present.

Verify blocked DoS attacks using the Threat Analyzer

Alerts reflecting a DoS condition continue to be sent to the Threat Analyzer for the duration of the attack. In Threat Analyzer, the result status displays "Blocking activated" for the duration of the attack condition.

Drop DoS Attacks from the Threat Analyzer

The IPS Policy Editor enables you to selectively drop DoS Learning Mode attacks, but if you have not set the dropping response, the Threat Analyzer provides the ability to drop further DoS attacks after a recent attack has been detected.

Block using ACLs

An Access Control List (ACL) consists of ordered rules for permitting and denying traffic from reaching a Sensor's inspection engine and continuing on through the network. ACLs complement policies and attack filters to help tune a deployment. You can use ACLs with a Sensor in inline mode to drop or deny traffic from or to specific hosts or a range of hosts, or traffic that meets particular requirements such as protocol type or port. Some details about ACLs:

• ACL rules match on a combination of source IP, destination IP, protocol, and destination port.
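To make the ordered permit/deny semantics concrete, here is a small added example (not McAfee code, and not the Sensor's actual ACL implementation) that models an ACL as a first-match-wins rule list over source IP, destination IP, protocol, and destination port, with CIDR ranges standing in for "a range of hosts". The rule set, addresses, and the default action of "permit" are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed, simplified model of an ordered ACL: the first matching rule wins,
# and a packet that matches no rule falls through to the default action.
# Illustrative only; it is not the Sensor's ACL engine.

@dataclass
class AclRule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source host or range (CIDR); /0 = any
    dst: str = "0.0.0.0/0"       # destination host or range (CIDR); /0 = any
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None = any

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

def evaluate_acl(rules, src_ip, dst_ip, proto, dport=None, default="permit"):
    """Return (action, index of the matching rule or None) for one packet.

    Rules are evaluated in order; a "permit" means the packet continues on
    to the inspection engine, a "deny" means it is dropped before inspection.
    """
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, i
    return default, None

# Constructed sample ACL: deny one noisy external host outright, deny any TCP
# traffic to the intranet on port 8080, and explicitly permit HTTPS from one
# partner range; everything else falls through to the default action.
SAMPLE_ACL = [
    AclRule("deny", src="203.0.113.7/32"),
    AclRule("deny", dst="10.0.0.0/8", proto="tcp", dport=8080),
    AclRule("permit", src="198.51.100.0/24", dst="10.0.0.0/8", proto="tcp", dport=443),
]
```

Because evaluation stops at the first match, the order of rules decides the outcome: placing the partner "permit" rule above the port 8080 "deny" would change which packets reach the inspection engine.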