Rate Limiting for DoS Mitigation

In This Section:

Overview

Rate Limiting is a defense against DoS (Denial of Service) attacks. A rule-based policy limits traffic coming from specific sources and using specific services.

Rate limiting is enforced on:

Bandwidth and packet rate
Number of concurrent connections
Connection rate

Rate Limiting for DoS Mitigation is scalable and can support a large number of rules. You can define policies that limit bandwidth for the traffic coming from geographic sources that are outside of normal business profiles. It also provides monitoring and whitelisting bypass capabilities.

Note -

Rate Limiting for DoS Mitigation is supported on SecurePlatform and Gaia gateways with Performance Pack installed
During the installation of the Firewall policy on the gateway, the rate limiting policy is not enforced

VSX and Rate Limiting for DoS Mitigation

This feature is supported in R77.20 and higher.

VSX supports all the Rate Limiting features and functionality. You can configure different settings for the Virtual Systems or global parameters for all of them.

For R77.10 and lower, you can configure only the VSX Gateway (VS0).

Configuring Rate Limiting for DoS Mitigation

To prevent Denial of Service (DoS) attacks, add rules to a policy one at a time, or in batch mode.

If this gateway is a cluster member, configure Rate Limiting for DoS Mitigation on all of the cluster members.

Note - By default, the rules are loaded only on the local gateway, unless you specify a different gateway with the -S <server> parameter.

Adding One Rule at a Time

To add a rule to the policy:

fw samp add -a d|n|b [-l r] [-t TIMEOUT] [-n NAME] [-c COMMENT] [-o ORIGINATOR] quota KEY VALUE [KEY VALUE ...KEY VALUE]

Parameter		Description and Values

`-a`		Action: on the incoming packets that match the rule: `d` - drops the packet `n` - notify: logs the packet and lets it through `b` - bypass: lets the packet through without checking it against the policy rules Note - Rules set to bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards overall number of packets and connection for limit enforcement of type ratio.
`-l`		Log (optional) - turns on logging: `-l r` - regular logging
`-t`		Timeout (optional) - the number of seconds after which the rule expires. `-t INTEGER` If not set, the rule does not expire.
`-n`		Name (optional) - adds a name label to the rule. `- n NAME`
`-c`		Comment (optional) - adds comment to the rule. `-c COMMENT`
`-o`		Originator (optional) - specifies the originator. `- o ORIGINATOR_NAME`
`-s`		Server (optional) - specifies the IP address of a target gateway for policy installation. `-s IP_ADDRESS`
`source`		Defines packet sources as a list of comma separated expressions in this format: `source` `TYPE:VALUE [,TYPE:VALUE, TYPE:VALUE,...TYPE:VALUE]` Valid `TYPEs` and `VALUEs`: `any` The rule is applied to packets from any source. This value is supported in R77.10 and higher. `range:IP_ADDRESS` or `range:IP_ADDRESS-IP_ADDRESS` IP addresses can be IPv4 addresses (x.y.z.w) or IPv6 addresses ([xxxx:yyyy:...:zzzz]). `cidr:IP_ADDRESS/NETMASK` IPv4 or IPv6 address, `NETMASK` 0 to 32 for IPv4, 0 to 128 for IPv6. `cc:COUNTRY_CODE` Two-letter code defined in ISO 3166-1 alpha-2. The rule matches the country code to the addresses assigned to this country, based on the Geo IP database. `asn:AUTONOMOUS_SYSTEM_NUMBER` Valid value syntax is `ASnnnn`, where `nnnn` is a number unique to the specific organization. The rule matches the AS number of the organization to the IP addresses that are assigned to this organization, based on the Geo IP database.
`destination`		This parameter is supported in R77.10 and higher. The options for this parameter are the same as the `source` parameter.
`source-negated`		`true` or `false` (default)`:` `source-negated true\|false` If `true`, the rule matches the packet or the connection to the complement set of the values defined as the `source`.
`destination-negated`		This parameter is supported in R77.10 and higher. The options for this parameter are the same as the `source-negated` parameter.
`service`		Service protocols, ports, or ranges of protocols or ports: `service PROTO\|PROTO-PROTO\|PROTO/PORT\|PROTO/PORT-PORT` Valid values: `PROTO` - IP protocol number in the range 1-255. `PORT` - TCP or UDP port number in the range 1-65535.
`service-negated`		`true` or `false` (default)`:` `service-negated true\|false` If `true`, the rule matches the packet or the connection to the complement set of the values defined as the `service`.
`new-conn-rate`		Maximum (per second) number of connections that match the rule: `new-conn-rate <seconds>`
`new-conn-rate-ratio`		Maximum ratio of the `new-conn-rate` value to the rate of all connections per second through the gateway, expressed in parts per 65536 `new-conn-rate-ratio n`
`concurrent-conns`		Maximum number of concurrent active connections that match the rule: `concurrent-conns n`
`concurrent-conns-ratio`		Maximum ratio of the `concurrent-conns` value to the total number of active connections through the gateway, expressed in parts per 65536. `concurrent-conns-ratio n`
`pkt-rate`		Maximum per second number of packets that match the rule: `pkt-rate n`
`pkt-rate-ratio`		Maximum ratio of the `pkt-rate` value to the rate of all connections through the gateway, expressed in parts per 65536. `pkt-rate-ratio n`
`byte-rate`		Maximum total number of bytes per second in packets that match the rule: `byte-rate n`
`byte-rate-ratio`		Specifies the maximum ratio of the `byte-rate` value to the bytes per second rate of all connections through the gateway, expressed in parts per 65536. `byte-rate-ratio n`
`track`		Criteria for counting connections, packets, and bytes: `track source` - connections, packets, and bytes are counted per specific source IP address, and not cumulatively for the rule. `track source-service` - connections, packets, and bytes are counted per specific source IP address and specific IP protocol and destination port, and not cumulatively for the rule.
	Note - The quota rules are not immediately applied to the gateway. They are only registered in the Suspicious Activity Monitoring policy database. To apply all the rules from the policy database immediately, add `flush true` in the `fw samp add` command. The new rules apply only to the new connections, not to the existing ones.

Here are some rule examples.

Example of a rule with a range:

fw samp add -a d -l r -t 3600 quota service any source 
range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Limits the rate of creation of new connection for the IP addresses in the range 172.16.7.11-172.16.7.13 to 5 per second. Drops all other attempted connections (-a d).
Logs packets that exceed the quota set by the rule. Note: The limit of the total number of log entries per second is set through the global parameter sim_dos ctl -l LOG-LIMIT. Refer to the Global Parameters section for more information.
The rule will expire in one hour (3600 seconds).
This rule will be compiled and loaded on the Performance Pack, together with other rules in the Suspicious Activity Monitoring policy database, immediately because this rule includes the flush true parameter.

Example of a rule with a service specification:

fw samp add -a n -l r quota service 1,50-51,6/443,17/53 
service-negated true source cc:QQ byte-rate 0

Logs all packets (-a n) coming from IP addresses that are assigned to the country with specified country code (cc:QQ).
Does not let any traffic through (byte-rate 0) except for the packets (service-negated true source) that match the IP protocols on the list:
- 1 - ICMP
- 50-51 - IPsec
- 6/443 - HTTPS
- 17/53 - DNS
The rule will not expire (TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
This rule will not be compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.

Example of a rule with ASN:

fw samp -a d quota source asn:AS64500,cidr:[::ffff:c0a8:1100]/120 
service any pkt-rate 0

Drops all packets (-a d) with the source IP address in the IPv6 address block (cidr:[::ffff:c0a8:1100]/120), from the autonomous system number 64500 (asn:AS64500)
The rule will not expire (TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
This rule will not be compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.

Example of a whitelist rule:

fw samp add -a b quota source range:172.16.8.17-172.16.9.121 
service 6/80

Ignores all other quota type of rules that match the traffic (-a b), and lets through all HTTP traffic (service 6/80) from the specified address range (source range:172.16.8.17-172.16.9.121).
Note: the Firewall and other types of security policy rules still apply.
The rule will not expire (TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
This rule will not be compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.

Example of a tracked rule:

fw samp add -a d quota service any source-negated true source 
cc:QQ concurrent-conns-ratio 655 track source

Drops (-a d) new connections for every IP address that already has more than approximately 1% (655/65536) of all existing connections (concurrent-conns-ratio 655).
Defines IP addresses that are assigned to a specific country (source-negated true source cc:QQ) as exception to the rule.
Does not log any entries (does not include -l parameter).
The rule will not expire (TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
This rule will not be compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.

Adding Rules in Batch Mode

To add rules in batch mode:

Type this command to start fw samp batch:
fw samp [-S IP_ADDRESS] batch <<EOF

Note: if you include the -s parameter, all the commands in this batch will apply to the specified gateway.
Enter one add or delete command per line on as many lines as necessary. Start each line with add or del parameter, and not with fw samp. Use the same set of parameters and values as for the individual rules. Terminate each line with a Return (ASCII 10 - Line Feed) character:
add -a d|n|b[-l r] [-t TIMEOUT] [-n NAME] [-c COMMENT] [-o ORIGINATOR] quota KEY VALUE KEY VALUE.

del UID
To end the batch, type: EOF.

Example:

fw samp -S 192.168.37.5 batch <<EOF

add -a d -l r -t 3600 -c a\ comment quota service any source 
range:172.16.7.13-172.16.7.13 new-conn-rate 5

del <501f6ef0,00000000,cb38a8c0,0a0afffe>

add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

EOF

This batch applies two add commands and one delete command to a gateway with the IP address 192.168.37.5. For details on add command syntax, see Adding One Rule at a Time.

Note - A space or a backslash in comments must be each preceded by a backslash:

-c this\ is\ a\ comment\ with\ a\ backslash\ \\

Deleting a Rule

To delete a rule:

List all the rules in the Suspicious Activity Monitoring policy database:
fw samp get

The rules show in this format:

... operation=add uid=<501f6ef0,00000000,cb38a8c0,0a0afffe> target=all timeout=... action=... ... ...
Delete a rule from the list:
fw samp del '<501f6ef0,00000000,cb38a8c0,0a0afffe>'
Enter this flush-only add rule:
fw samp add -t 2 quota flush true

This immediately deletes the rule, and times out in 2 seconds. It is a good practice to specify a short timeout period for the flush-only rules. This prevents accumulation of rules that are obsolete in the database.

The fw samp del command removes a rule from the persistent database only. The deleted rule continues to be enforced until the next time a policy is compiled and loaded. To force the rule deletion immediately, you must enter a flush-only add rule right after the fw samp del command.

Configuring Rules with VSX

This feature is supported in R77.20 and higher.

Use the fw samp command to add rules to a Virtual System. You can run the command on the local gateway, or remotely configure the rules.

To configure rules on a local gateway:

Log in to the gateway CLI.
Set the environment for the specified Virtual System, run set virtual-system <vsid>
Run fw samp and configure one or more Rate Limiting rules.
The previous sections explain how to add or delete rules.

To configure rules on a remote gateway:

Log in to the server CLI.
Run fw samp and with these parameters and configure one or more Rate Limiting rules.
- -S <server_IP> - Use the IP address of the VSX Gateway
- -s <VS_SIC_name> - Use the name of the Virtual System that established SIC
Run fw vsx showncs -vs <VSID> to show the SIC name for the Virtual System.

The previous sections explain how to add or delete rules.

Configuring Global Parameters

There are several global parameters that you can configure with sim_dos ctl command for IPv4 addresses and with sim6_dos ctl for IPv6 addresses. They apply to all the policy rules.

Note - sim_dos ctl and sim6_dos ctl are only available as CLI commands on the gateways. Remote command option is not available.

Use the sim_dos ctl or sim6_dos ctl command with the parameters and values below:

Parameter and Values	Description
`-m 1\|0`	Turns on the monitor-only mode, when set to 1. In this mode, rules do not drop any packets, regardless of the action specified. Each rule only does logging, as specified in it.
`-x 1\|0`	When set to `1` (default), the rules are only applied to traffic that arrives on the external interfaces of the gateway. When set to `0`, the rules are applied to traffic regardless of the interface on which it arrives. Note: This does not apply to other security policies on the gateway. They still get enforced.
`-l n`	Sets the limit for the number of log entries per second (the default is 100). All the entries that exceed the limit are suppressed. The number of suppressed messages shows in the following period summary.
`-a 1\|0`	Turns the quota policy rules enforcement on (1) and off (0). When the rule enforcement is turned off, no traffic is matched against the quota rules. Note: The quota rule enforcement is on automatically, when a policy with rules is loaded, and is off, when an empty policy is loaded.

The global parameters return to their default values every time the DoS in the Performance Pack module is initialized. This happens on every reboot. To keep the changes to global parameters until you decide to change them again, include the sim_dos ctl (or sim6_dos ctl) command in the dospreload script:

For IPv4:

$ cat >$PPKDIR/bin/dospreload4 <<EOF

#!/bin/bash

$PPKDIR/bin/sim_dos ctl -m 1 -x 0 -l 30

EOF

$ chmod +x $PPKDIR/bin/dospreload4

For IPv6:

$ cat >$PPKDIR/bin/dospreload6 <<EOF

#!/bin/bash

$PPKDIR/bin/sim6_dos ctl -m 1 -x 0 -l 30

EOF

$ chmod +x $PPKDIR/bin/dospreload6

For VSX:

Rate Limiting for VSX is supported in R77.20 and higher.

$PPKDIR/bin/ is shared by all the Virtual Systems
$FWDIR/scripts/ is specific for each Virtual System

Run these commands from Expert mode to apply monitor only mode (-m 1) to all Virtual Systems.

# cat > $PPKDIR/bin/dospreload4 << EOF

#!/bin/bash

sim_dos ctl -m 1

if test -x $FWDIR/scripts/dospreload4; then

	$FWDIR/scripts/dospreload4

fi

EOF

# chmod +x $PPKDIR/bin/dospreload4

Run these commands from Expert mode to limit the number of log entries (-l 40) for the Virtual System with VSID 2.

# vsenv 2

Context is set to Virtual Device myVS-2 (ID 2).

# cat > $FWDIR/scripts/dospreload4 <<EOF

#!/bin/bash

sim_dos ctl -l 40

EOF

# chmod +x $FWDIR/scripts/dospreload4

Run similar commands to create $PPKDIR/bin/dospreload6 and a $FWDIR/scripts/dospreload6 script for each Virtual System.

Monitoring Events Related to DoS Mitigation

To see some useful information related to DoS Mitigation, run these commands:

Command

Command Output

cat /proc/ppk/dos

cat /proc/ppk6/dos (for IPv6)

Shows memory utilization, DoS policy rules, and global parameter configuration.

fw samp get -l | grep '^<[0-9a-f,]*>$' | xargs sim_dos get

Shows details of active policy rules in long format. It only show rules loaded in IPv4 kernel. To see the rules in IPv6 kernel, use sim6_dos get command.

cat /proc/ppk/<VSID>/dos

cat /proc/ppk6/<VSID>/dos (for IPv6)

VSX is supported in R77.20 and higher.

Shows memory utilization, DoS policy rules, and global parameter configuration for Virtual Systems.

<VSID> is the VSID for the Virtual System.

Top of Page

Download PDF

Send Feedback