IBM Support

Protection against DoS and DDoS with IBM QRadar Network Security IQNS (XGS) and Network IPS (GX) appliances

Question & Answer


Question

How can you better protect against a DoS and DDoS attack?

Answer

Important: If an attack is currently impacting your environment, the proper contact is the IBM Security Services - IT Emergency Response Services (ERS). Mitigating the attack is outside scope of IBM Technical Support.



Qradar Network Security IQNS (XGS)
 
  1. Enable the appropriate DoS and DDoS signatures (in the Intrusion Prevention policy) to protect against attacks. You can find the list of signatures in the PAM help file (see Technote 1498057: X-Force Protocol Analysis Module (PAM) signature information). Here you find the DoS and DDoS signature descriptions, protocols, algorithm IDs, tuning parameters, and vulnerability exploits. For more information about configuring the Intrusion Prevention policy, see IBM Knowledge Center - The Intrusion Prevention policy documentation for assistance.
     
  2. You can quarantine DoS and DDoS attacks. The Advanced Threat policy defines how the XGS quarantines traffic. For more information, see IBM Knowledge Center - Advanced Threat policy documentation for assistance.
     
  3. If you have purchased an IP Reputation license, you can create a Network Access Policy rule utilizing an IP Reputation object to protect against attacks. For assistance, see the follow documentation links below:
  4. IBM can offer assistance developing and implementing an incident response program. To discuss this further, contact the IBM Security Services - IT Emergency Response Services (ERS).


Security Network IPS
 
  1. Enable the appropriate DoS and DDoS signatures (in the Security Events policy) to protect against attacks. You can find the list of signatures in the PAM help file (see Technote 1498057: X-Force Protocol Analysis Module (PAM) signature information). Here you find the DoS and DDoS signature descriptions, protocols, algorithm IDs, tuning parameters, and vulnerability exploits. For more information about configuring the Security Event policy, see the IBM Knowledge Center - Configuring Security Event options documentation for assistance.
     
  2. You can quarantine DoS and DDoS attacks. The Quarantine Rules policy defines how the GX quarantines traffic. For more information, see the IBM Knowledge Center - Configuring quarantine rules documentation for assistance.
     
  3. IBM can offer assistance developing and implementing an incident response program. To discuss this further, contact the IBM Security Services - IT Emergency Response Services (ERS).

[{"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSFSVP","label":"IBM QRadar Network Security"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SS9SBT","label":"Proventia Network Intrusion Prevention System"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"4.1;4.3;4.4;4.5;4.6;4.6.1;4.6.2","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSHLHV","label":"IBM Security Network Protection"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Protocol Analysis Module (PAM)","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"5.3;5.3.2;5.3.3","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
24 January 2021

UID

swg21973599