Rate Limiting for DoS Mitigation
Overview
Rate Limiting is a defense against DoS (Denial of Service) attacks. A rule-based policy limits traffic coming from specific sources and using specific services.
Rate limiting is enforced on:
- Bandwidth and packet rate.
- Number of concurrent connections.
- Connection rate.
Rate Limiting for DoS Mitigation is scalable and can support a large number of rules. You can define policies that limit bandwidth for the traffic coming from geographic sources that are outside of normal business profiles. It also provides monitoring and whitelisting bypass capabilities.
Note -
- Rate Limiting for DoS Mitigation is supported on SecurePlatform and Gaia gateways with Performance Pack installed.
- In an environment with multiple virtual systems, the rate limiting policy is enforced only on virtual system 0 (zero).
- During the installation of the Firewall policy on the gateway, the rate limiting policy is not enforced.
Configuring Rate Limiting for DoS Mitigation
To prevent Denial of Service (DoS) attacks, add rules to a policy one at a time, or in batch mode.
If this gateway is a cluster member, configure Rate Limiting for DoS Mitigation on all of the cluster members.
Note - By default, the rules are loaded only on the local gateway, unless you specify a different gateway with the -S <server> parameter.
Adding One Rule at a Time
To add a rule to the policy:
fw samp add -a d|n|b [-l r] [-t TIMEOUT] [-n NAME] [-c COMMENT] [-o ORIGINATOR] quota KEY VALUE [KEY VALUE ...KEY VALUE]
Parameter - Description and Values

-a
    Action on the incoming packets that match the rule:
    -a d - drop the packets
    -a n - notify: let the packets through and only log them
    -a b - bypass: exempt the traffic from the quota rules (whitelist)
-l
    Log (optional) - turns on logging:
    -l r - regular logging
-t
    Timeout (optional) - the number of seconds after which the rule expires:
    -t INTEGER
    If not set, the rule does not expire.
-n
    Name (optional) - adds a name label to the rule:
    -n NAME
-c
    Comment (optional) - adds a comment to the rule:
    -c COMMENT
-o
    Originator (optional) - specifies the originator:
    -o ORIGINATOR_NAME
-s
    Server (optional) - specifies the IP address of a target gateway for policy installation:
    -s IP_ADDRESS
source
    Defines packet sources as a list of comma-separated expressions in this format:
    source TYPE:VALUE[,TYPE:VALUE,...,TYPE:VALUE]
    Valid TYPEs and VALUEs:
    range:IP_ADDRESS or range:IP_ADDRESS-IP_ADDRESS - a single address or an address range. IP addresses can be IPv4 addresses (x.y.z.w) or IPv6 addresses ([xxxx:yyyy:...:zzzz]).
    cidr:IP_ADDRESS/NETMASK - an IPv4 or IPv6 address block. NETMASK is 0 to 32 for IPv4, 0 to 128 for IPv6.
    cc:COUNTRY_CODE - a two-letter code defined in ISO 3166-1 alpha-2. The rule matches the country code to the addresses assigned to this country, based on the Geo IP database.
    asn:AUTONOMOUS_SYSTEM_NUMBER - the valid value syntax is ASnnnn, where nnnn is the number unique to the specific organization. The rule matches the AS number of the organization to the IP addresses assigned to this organization, based on the Geo IP database.
source-negated
    true or false (default):
    source-negated true|false
    If true, the rule matches the packet or the connection to the complement set of the values defined as the source.
service
    Service protocols, ports, or ranges of protocols or ports:
    service PROTO|PROTO-PROTO|PROTO/PORT|PROTO/PORT-PORT
    Valid values:
    PROTO - IP protocol number in the range 1-255.
    PORT - TCP or UDP port number in the range 1-65535.
service-negated
    true or false (default):
    service-negated true|false
    If true, the rule matches the packet or the connection to the complement set of the values defined as the service.
new-conn-rate
    Maximum number (per second) of new connections that match the rule:
    new-conn-rate n
new-conn-rate-ratio
    Maximum ratio of the new-conn-rate value to the rate of all connections per second through the gateway, expressed in parts per 65536:
    new-conn-rate-ratio n
concurrent-conns
    Maximum number of concurrent active connections that match the rule:
    concurrent-conns n
concurrent-conns-ratio
    Maximum ratio of the concurrent-conns value to the total number of active connections through the gateway, expressed in parts per 65536:
    concurrent-conns-ratio n
pkt-rate
    Maximum number of packets per second that match the rule:
    pkt-rate n
pkt-rate-ratio
    Maximum ratio of the pkt-rate value to the rate of all connections through the gateway, expressed in parts per 65536:
    pkt-rate-ratio n
byte-rate
    Maximum total number of bytes per second in packets that match the rule:
    byte-rate n
byte-rate-ratio
    Maximum ratio of the byte-rate value to the bytes-per-second rate of all connections through the gateway, expressed in parts per 65536:
    byte-rate-ratio n
track
    Criteria for counting connections, packets, and bytes:
    track source - connections, packets, and bytes are counted per specific source IP address, and not cumulatively for the rule.
    track source-service - connections, packets, and bytes are counted per specific source IP address and specific IP protocol and destination port, and not cumulatively for the rule.
Note -
- The quota rules are not immediately applied to the gateway. They are only registered in the Suspicious Activity Monitoring policy database. To apply all the rules from the policy database immediately, add flush true to the fw samp add command.
- The new rules apply only to new connections, not to existing ones.
Here are some rule examples.
Example of a rule with a range:
fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true
- Limits the rate of creation of new connections from the IP addresses in the range 172.16.7.11-172.16.7.13 to 5 per second. Drops all other attempted connections (-a d).
- Logs packets that exceed the quota set by the rule. Note: The limit on the total number of log entries per second is set through the global parameter sim_dos ctl -l LOG-LIMIT. Refer to the Configuring Global Parameters section for more information.
- The rule expires in one hour (3600 seconds).
- This rule is compiled and loaded on the Performance Pack immediately, together with the other rules in the Suspicious Activity Monitoring policy database, because it includes the flush true parameter.
Example of a rule with a service specification:
fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0
- Logs all packets (-a n) coming from IP addresses that are assigned to the country with the specified country code (cc:QQ).
- Does not let any traffic through (byte-rate 0) except for the packets (service-negated true) that match the IP protocols and ports on the list:
  - 1 - ICMP
  - 50-51 - IPSec
  - 6/443 - HTTPS
  - 17/53 - DNS
- The rule does not expire (the TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
- This rule is not compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.
Example of a rule with an ASN:
fw samp add -a d quota source asn:AS64500,cidr:[::ffff:c0a8:1100]/120 service any pkt-rate 0
- Drops all packets (-a d) with a source IP address in the IPv6 address block (cidr:[::ffff:c0a8:1100]/120) or from the autonomous system number 64500 (asn:AS64500).
- The rule does not expire (the TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
- This rule is not compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.
Example of a whitelist rule:
fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
- Bypasses the quota rules (-a b) for TCP port 80 traffic (service 6/80) from the IP addresses in the range 172.16.8.17-172.16.9.121.
Example of a tracked rule:
fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source
- Drops (-a d) new connections from every IP address that already has more than approximately 1% (655/65536) of all existing connections (concurrent-conns-ratio 655). Connections are counted per source IP address (track source).
- Defines the IP addresses that are assigned to a specific country (source-negated true source cc:QQ) as the exception to the rule.
- Does not log any entries (does not include the -l parameter).
- The rule does not expire (the TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
- This rule is not compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.
Adding Rules in Batch Mode
To add rules in batch mode:
- Type this command to start fw samp batch:
  fw samp [-S IP_ADDRESS] batch <<EOF
  Note: if you include the -S parameter, all the commands in this batch apply to the specified gateway.
- Enter one add or delete command per line, on as many lines as necessary. Start each line with add or del, not with fw samp. Use the same set of parameters and values as for individual rules. Terminate each line with a Return (ASCII 10 - Line Feed) character:
  add -a d|n|b [-l r] [-t TIMEOUT] [-n NAME] [-c COMMENT] [-o ORIGINATOR] quota KEY VALUE [KEY VALUE ...]
  del UID
- To end the batch, type:
  EOF
Example:
fw samp -S 192.168.37.5 batch <<EOF
add -a d -l r -t 3600 -c a\ comment quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF
This batch applies two add commands and one delete command to the gateway with the IP address 192.168.37.5. For details on the add command syntax, see Adding One Rule at a Time.

Note - Every space or backslash in a comment must be preceded by a backslash:
-c this\ is\ a\ comment\ with\ a\ backslash\ \\
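The batch format above lends itself to generating rules from a list instead of typing them one by one. The following script is an added example and not Check Point's own code: it escapes comments the way the note requires, converts a percentage into the parts-per-65536 unit used by the *-ratio keys, and emits one add line per source, the tracked rule from the examples, and a flush-only rule so the batch is compiled at once. It assumes that fw samp batch reads its add/del lines from standard input, as the heredoc above does.

```shell
#!/bin/sh
# Added example, not Check Point's own code: generate the input for
# "fw samp batch" from a list of sources so many rules load in one pass.
# It assumes that "fw samp batch" reads its add/del lines from standard
# input, as the heredoc in the example above does.

# Escape a comment for -c: every space and backslash must be preceded by
# a backslash (see the note above).
samp_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g'
}

# Convert a percentage to the "parts per 65536" unit of the *-ratio keys:
# 1% -> 655, the value used by the tracked-rule example above.
pct_to_ratio() {
    echo $(( $1 * 65536 / 100 ))
}

# One "add" line that drops and logs new connections from SOURCE beyond
# RATE per second; the rule expires after an hour.
rate_limit_rule() {   # $1=source expression  $2=new-conn-rate  $3=comment
    printf 'add -a d -l r -t 3600 -c %s quota service any source %s new-conn-rate %s\n' \
        "$(samp_escape "$3")" "$1" "$2"
}

# The tracked rule from the examples: drop new connections from any single
# address holding more than PCT% of all connections, except country CC.
per_source_cap_rule() {   # $1=exempt country code  $2=percent
    printf 'add -a d quota service any source-negated true source cc:%s concurrent-conns-ratio %s track source\n' \
        "$1" "$(pct_to_ratio "$2")"
}

# Whole batch: one rule per "SOURCE RATE" line on stdin, the per-source
# cap, then a short-lived flush-only rule so the policy is compiled at once.
build_batch() {
    while read -r src rate; do
        rate_limit_rule "$src" "$rate" "auto rule for $src"
    done
    per_source_cap_rule QQ 1
    echo 'add -t 2 quota flush true'
}

# Constructed input: an IPv4 range and the QQ country code used on the page.
# On a gateway, pipe the output into: fw samp -S 192.168.37.5 batch
SOURCES='range:172.16.7.11-172.16.7.13 5
cc:QQ 20'
printf '%s\n' "$SOURCES" | build_batch
```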
Deleting a Rule
To delete a rule:
- List all the rules in the Suspicious Activity Monitoring policy database:
  fw samp get
  The rules show in this format:
  ... operation=add uid=<501f6ef0,00000000,cb38a8c0,0a0afffe> target=all timeout=... action=... ... ...
- Delete a rule from the list:
  fw samp del '<501f6ef0,00000000,cb38a8c0,0a0afffe>'
- Enter this flush-only add rule:
  fw samp add -t 2 quota flush true
  This deletes the rule immediately; the flush-only rule itself times out in 2 seconds. It is good practice to specify a short timeout for flush-only rules, so that obsolete rules do not accumulate in the database.
The fw samp del command removes a rule from the persistent database only. The deleted rule continues to be enforced until the next time a policy is compiled and loaded. To force the deletion immediately, enter a flush-only add rule right after the fw samp del command.
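The three steps above can be scripted so that a deletion is never left without its flush. The following is an added example, not Check Point's own code: it picks the uid of every rule whose name matches a pattern out of an fw samp get listing and emits a batch with one del line per rule followed by the 2-second flush-only rule. It assumes the listing has one rule per line in the key=value form shown above and that a rule added with -n NAME shows a name=NAME field; the sample listing and its field values are constructed.

```shell
#!/bin/sh
# Added example, not Check Point's own code: delete every quota rule whose
# name matches a pattern, then force the change with a flush-only rule.
# Assumes "fw samp get" prints one rule per line in the key=value form shown
# above and that a rule added with -n NAME shows a "name=NAME" field (the
# page elides the remaining fields, so that field is assumed).

# Constructed sample of "fw samp get" output; field values are illustrative.
SAMPLE_GET='operation=add uid=<501f6ef0,00000000,cb38a8c0,0a0afffe> target=all timeout=3600 action=d name=auto-range1
operation=add uid=<501f6ef1,00000000,cb38a8c0,0a0afffe> target=all timeout=indefinite action=n name=manual-qq
operation=add uid=<501f6ef2,00000000,cb38a8c0,0a0afffe> target=all timeout=3600 action=d name=auto-range2'

# Print the uid of each rule (listing on stdin) whose name= field matches
# the extended regular expression in $1.
uids_named() {
    grep -E "name=$1( |\$)" | sed -n 's/.*uid=\(<[0-9a-f,]*>\).*/\1/p'
}

# Turn uids on stdin into batch input: one "del" line per uid, then a
# flush-only add with a 2-second timeout so the deletion is enforced now
# rather than at the next policy load. Prints nothing if no uid is given.
del_batch() {
    count=0
    while read -r uid; do
        echo "del $uid"
        count=$((count + 1))
    done
    if [ "$count" -gt 0 ]; then
        echo 'add -t 2 quota flush true'
    fi
}

# On a gateway, replace SAMPLE_GET with the live "fw samp get" output and
# pipe the result into "fw samp batch"; here the batch is only printed.
printf '%s\n' "$SAMPLE_GET" | uids_named 'auto-.*' | del_batch
```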
Configuring Global Parameters
There are several global parameters that you can configure with sim_dos ctl command for IPv4 addresses and with sim6_dos ctl for IPv6 addresses. They apply to all the policy rules.
Note - sim_dos ctl and sim6_dos ctl are available only as CLI commands on the gateways. A remote command option is not available.

Use the sim_dos ctl or sim6_dos ctl command with the parameters and values below:

Parameter and Values - Description

-m 1|0
    Turns on the monitor-only mode when set to 1. In this mode, rules do not drop any packets, regardless of the action specified. Each rule only does logging, as specified in it.
-x 1|0
    When set to 1 (default), the rules are applied only to traffic that arrives on the external interfaces of the gateway. When set to 0, the rules are applied to traffic regardless of the interface on which it arrives.
    Note: This does not apply to other security policies on the gateway. They are still enforced.
-l n
    Sets the limit for the number of log entries per second (the default is 100). All entries that exceed the limit are suppressed. The number of suppressed messages shows in the summary of the following period.
-a 1|0
    Turns the enforcement of the quota policy rules on (1) and off (0). When rule enforcement is turned off, no traffic is matched against the quota rules.
    Note: Quota rule enforcement is turned on automatically when a policy with rules is loaded, and off when an empty policy is loaded.

The global parameters return to their default values every time the DoS in the Performance Pack module is initialized. This happens on every reboot. To keep the changes to global parameters until you decide to change them again, include the sim_dos ctl (or sim6_dos ctl ) command in the dospreload script:
For IPv4:
$ cat >$PPKDIR/bin/dospreload4 <<EOF
#!/bin/bash
$PPKDIR/bin/sim_dos ctl -m 1 -x 0 -l 30
EOF
$ chmod +x $PPKDIR/bin/dospreload4
For IPv6:
$ cat >$PPKDIR/bin/dospreload6 <<EOF
#!/bin/bash
$PPKDIR/bin/sim6_dos ctl -m 1 -x 0 -l 30
EOF
$ chmod +x $PPKDIR/bin/dospreload6
Monitoring Events Related to DoS Mitigation
To see some useful information related to DoS Mitigation, run these commands:

cat /proc/ppk/dos
cat /proc/ppk6/dos (for IPv6)
    Shows memory utilization, DoS policy rules, and the global parameter configuration.

fw samp get -l | grep '^<[0-9a-f,]*>$' | xargs sim_dos get
    Shows details of the active policy rules in long format. It only shows rules loaded in the IPv4 kernel. To see the rules in the IPv6 kernel, use the sim6_dos get command.