Question & Answer
Question
How can you better protect against a DoS and DDoS attack?
Answer
Important: If an attack is currently impacting your environment, the proper contact is the IBM Security Services - IT Emergency Response Services (ERS). Mitigating the attack is outside scope of IBM Technical Support.
Qradar Network Security IQNS (XGS)
Security Network IPS
Qradar Network Security IQNS (XGS)
- Enable the appropriate DoS and DDoS signatures (in the Intrusion Prevention policy) to protect against attacks. You can find the list of signatures in the PAM help file (see Technote 1498057: X-Force Protocol Analysis Module (PAM) signature information). Here you find the DoS and DDoS signature descriptions, protocols, algorithm IDs, tuning parameters, and vulnerability exploits. For more information about configuring the Intrusion Prevention policy, see IBM Knowledge Center - The Intrusion Prevention policy documentation for assistance.
- You can quarantine DoS and DDoS attacks. The Advanced Threat policy defines how the XGS quarantines traffic. For more information, see IBM Knowledge Center - Advanced Threat policy documentation for assistance.
- If you have purchased an IP Reputation license, you can create a Network Access Policy rule utilizing an IP Reputation object to protect against attacks. For assistance, see the follow documentation links below:
- Configuring application database settings
- Configuring IP reputation category objects
- Network Access policy
- XGS IP Reputation Use Cases
- IBM can offer assistance developing and implementing an incident response program. To discuss this further, contact the IBM Security Services - IT Emergency Response Services (ERS).
Security Network IPS
- Enable the appropriate DoS and DDoS signatures (in the Security Events policy) to protect against attacks. You can find the list of signatures in the PAM help file (see Technote 1498057: X-Force Protocol Analysis Module (PAM) signature information). Here you find the DoS and DDoS signature descriptions, protocols, algorithm IDs, tuning parameters, and vulnerability exploits. For more information about configuring the Security Event policy, see the IBM Knowledge Center - Configuring Security Event options documentation for assistance.
- You can quarantine DoS and DDoS attacks. The Quarantine Rules policy defines how the GX quarantines traffic. For more information, see the IBM Knowledge Center - Configuring quarantine rules documentation for assistance.
- IBM can offer assistance developing and implementing an incident response program. To discuss this further, contact the IBM Security Services - IT Emergency Response Services (ERS).
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFSVP","label":"IBM QRadar Network Security"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SS9SBT","label":"Proventia Network Intrusion Prevention System"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"4.1;4.3;4.4;4.5;4.6;4.6.1;4.6.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SSHLHV","label":"IBM Security Network Protection"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"5.3;5.3.2;5.3.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
24 January 2021
UID
swg21973599