Exam PCNSE
Question 377

While investigating a SYN flood attack, the firewall administrator discovers that legitimate traffic is also being dropped by the DoS profile.

If the DoS profile action is set to Random Early Drop, what should the administrator do to limit the drop to only the attacking sessions?

    Correct Answer: B

    To limit the drop to only the attacking sessions, the administrator should change the SYN flood action from Random Early Drop to SYN cookies. Random Early Drop (RED) drops packets randomly when the threshold is reached, potentially affecting legitimate traffic. SYN cookies, on the other hand, generate acknowledgments in a way that distinguishes between legitimate and malicious traffic, reducing the chances of dropping valid connections.
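
An added illustration (not from the original page and not Palo Alto Networks code): a simplified model of the two actions over constructed traffic, showing why Random Early Drop hits legitimate SYNs while SYN cookies only reject senders that cannot complete the handshake. The HMAC-based cookie, the addresses, and the 0.5 drop probability are assumptions of this model, not PAN-OS internals.

```python
import hashlib
import hmac
import random

SECRET = b"constructed-demo-secret"  # assumption: device-local secret
DST, DPORT, COUNTER = "203.0.113.10", 443, 7  # constructed server and time slot


def syn_cookie(src, sport):
    """32-bit ISN derived from the 4-tuple, so no per-SYN state is stored."""
    msg = f"{src}:{sport}>{DST}:{DPORT}@{COUNTER}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def ack_is_valid(src, sport, ack_number):
    """The handshake-completing ACK must acknowledge cookie + 1."""
    return ack_number == (syn_cookie(src, sport) + 1) % 2**32


def constructed_traffic(legit=100, spoofed=900):
    """Constructed SYNs: (source IP, source port, sender really owns the IP)."""
    syns = [(f"198.51.100.{i % 250 + 1}", 40000 + i, True) for i in range(legit)]
    syns += [(f"192.0.2.{i % 250 + 1}", 1024 + i, False) for i in range(spoofed)]
    return syns


def simulate(action, syns, drop_probability=0.5, seed=1):
    """Return (legitimate connections served, attack SYNs holding session state)."""
    rng = random.Random(seed)
    legit_served = attack_state = 0
    for src, sport, is_legit in syns:
        if action == "red":
            # RED drops at random above the threshold, blind to the sender.
            if rng.random() < drop_probability:
                continue
            passed = True
        else:
            # Spoofed sources never see the SYN-ACK, so they send no ACK (None).
            ack = (syn_cookie(src, sport) + 1) % 2**32 if is_legit else None
            passed = ack_is_valid(src, sport, ack)
        if passed and is_legit:
            legit_served += 1
        elif passed:
            attack_state += 1
    return legit_served, attack_state


if __name__ == "__main__":
    print({a: simulate(a, constructed_traffic()) for a in ("red", "syn-cookies")})
```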

Discussion
nose999 (Option: B)

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions

aatechler (Option: B)

◦ Random Early Drop—Drop packets randomly when connections per second reach the Activate Rate threshold.
◦ SYN cookies—Use SYN cookies to generate acknowledgments so that it is not necessary to drop connections during a SYN flood attack.

dorf05 (Option: B)

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions#:~:text=SYN%20Cookies%E2%80%94Rather,affects%20bad%20traffic.

certprep2021 (Option: B)

"The SYN Cookies action requires more firewall resources than Random Early Drop; it’s more discerning because it affects bad traffic." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions

TAKUM1y (Option: B)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-protection-profiles/flood-protection

0d2fdfa (Option: B)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions

Marshpillowz (Option: B)

B is correct

JRKhan (Option: B)

SYN cookie is the recommended method because of its advantages of not dropping legitimate traffic, even though maintenance of half-open TCP connections for the TCP servers requires more data plane CPU and memory resources. Do not enable SYN cookies if your data plane CPU is nearing maximum use.

happyism (Option: B)

SYN Flood Protection is the only type for which you set the drop Action. Start by setting the Action to SYN Cookies. SYN Cookies treats legitimate traffic fairly and only drops traffic that fails the SYN handshake, while using Random Early Drop drops traffic randomly, so RED may affect legitimate traffic. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-protection-profiles/flood-protection