Checkpoint DDoS Protector Overview

Checkpoint DDoS Protector Overview


Originally published at:

Imagine this: You are sitting in your office thinking about your next project when a bunch of alarming emails and SMS messages ruins your day? While you’re checking your IGW (Internet Gateway Router) for connectivity issues, a lot of agitated and upset people stomp your office. You frantically call your Internet Service Provider’s NOC and their engineer tells you that you were under a massive DDoS attack which saturated their link, so they black-holed your IP address in their BGP process. Sounds familiar?

Investing in an anti-DDoS solution or paying the attackers

Now you understand those ransom emails you were getting were not only an empty threat. DDoS attackers continue to harass you until you pay. Even if your ISP changes your WAN IP, they can discover the new one, only to launch new attacks, considering that around 87 % of victims receive multiple times.

You have a choice: pay the attackers some bitcoins (and hope they don’t do it again) or invest into some anti-DDoS solution. Of course, we don’t recommend that option for obvious reasons. If your business relies on Internet, and every second/minute of downtime can cause a cumulative loss of capital, with DDoS attacks for hire and an ever-rising threat of being a cyber-criminal’s victim, you can consider one of the various anti-DDoS solutions available on the market. In this blog, we focus on the Checkpoint’s solution, DDoS Protector, and describe the solution and some of its benefits.

Integrated on-site and cloud-based protection

The product is a result of the cooperation between Checkpoint and Radware. Checkpoint DDoS Protector is a physical device with its software based on Radware’s attack mitigation solution. DDoS Protector family has 10 different appliances and is protecting from volumetric, application, reflective and resource-exhaustive DDoS attacks for small, medium and even large enterprises. You can pack the appliance with an impressive up to 20x1GbE/10GbE and 4x40GbE port density with low latency and up to 40 GB performance.

It’s a hybrid solution utilizing on-premise protection and the cloud-based volumetric attack scrubbing.

The DDoS protector itself is a device integrated as a Layer 2 bridge into your network topology. It is designed to quickly discover and protect your network, filtering malicious traffic and permitting legitimate one.

While the physical device installed on site may protect you from complex DDoS attacks, which are targeting different applications, but are not very large in volume of malicious traffic sent, it’s often not enough if the DDoS volumetric attack is saturating the link. Meaning if your company, for example, has a 1 GB connection, on a Gigabit Ethernet interface, the link can quickly be overwhelmed with malicious traffic. That’s where the cloud-based protection kicks in.

Check Point Cloud synchronizes with the device. In the case of a volumetric attack, it sends all traffic to the cloud for inspection. As a result, Check Point Cloud only sends legitimate traffic back to the device.

Before we dive more into the technical characteristics of the DDoS protector, let’s first have a quick reminder about the DDoS attacks themselves.

DDoS - Distributed Denial of Service

DDoS attacks are essentially a much nastier version of good old DoS (Denial of Service) attacks. DoS attacks were using a single source IP for the attack, making them easy to block with a firewall rule or two. However, with DDoS, attackers are using hundreds, thousands or even millions of malware-infected computers from all over the world while their owners are innocently browsing the Internet to flush the victim’s servers with illicit traffic to disrupt or completely shut down their operations. With the attack originating from many sources all over the world, ingress-filtering won’t really work anymore. Attackers are also continually improving their attack methods, using stealthy attacks designed to avoid easy detection.

One of the most common types of DDoS attacks is a SYN flood attack where a server gets overwhelmed with false TCP requests. Attackers are indefinitely sending SYN packets to the server, but not responding with ACK on the server’s SYN-ACK packet. This situation quickly drains the server’s resources and leads to a crash and unavailability of the service.

Besides volumetric attacks which are most common, there are also application-based attacks. They don’t have to necessarily involve a lot of bots and the amount of traffic sent is much smaller than with volumetric attacks, but they target ports of a specific application with the same ultimate goal - to make it inaccessible to legitimate users.

Advanced DDoS protector features

Checkpoint DDoS Protector provides protection against more than 100 attack types, including SYN floods, Low and slow, HTTP floods, SSL encryption, Brute force, BGP table attacks, session attacks, Invasive scans and lot of others.

Check Point’s solution arms itself with SSL defense, WAF, IPS, and cloud-based DDoS mitigation and can handle propagation of malware, intrusion activities or server attacks.

DDoS Protector is capable of protecting you from TCP, UDP, ICMP, IGMP and fragment attacks using adaptive behavioral-based detection.

Amongst many other things, you can setup DoS shield using the predefined and customizable filters with rate-limits per pattern and configure SYN rate thresholds. Using the Black List feature, you can stop attacks with L3 and L4 source/destination rules and by utilizing the Connection Rate Limit, you can setup rate-based thresholds for protection.

What to do during the attack

If the symptoms of a DDoS attack are present, there are some things to check first. Start by checking if all your policies are in Block and Report mode and if you are running the newest firmware, as there are regularly new developments attacks and mitigation methods. Check if you’ve installed the latest attack database and make sure all you IP ranges are included by your security policies. Your policies should at least have the "DoS-All" signature profile enabled, followed by a "BDoS" profile.

Make sure you’ve enabled a connection limit by setting the source count in Tracking Type. Try to decrease your SYN protection Activation and Termination thresholds.

Checkpoint recommends taking the packet captures by using Wireshark and a mirrored port on your switch/router. Packet captures are critical in further troubleshooting, especially if you need to contact Checkpoint Technical Support.

Dedicated 24/7 support

If all of the checks mentioned above didn’t help, good news are that Checkpoint provides 24/7 support. You can call the Emergency Response Team by phone and ask for immediate help. They assume you can provide them the Internet access to your device, by using a mobile hotspot for example.


If you plan to tighten up your company’s security by adding a DDoS attack mitigation solution, Checkpoint’s DDoS protector is undoubtedly one of the solutions to look for. DDoS Protector integrates a dedicated device installed on site, synchronized with cloud-based attack scrubbing to redirect and clean the traffic during a volumetric attack and offers dedicated support in case of troubles.

Although there are many great solutions out there, we think that the DDoS Protector is worth checking out.