
Rate Limiting for DoS Mitigation

In This Section:

Overview

VSX and Rate Limiting for DoS Mitigation

Configuring Rate Limiting for DoS Mitigation

Overview

Rate Limiting is a defense against DoS (Denial of Service) attacks. A rule-based policy limits traffic coming from specific sources and using specific services.

Rate limiting is enforced on:

  • Bandwidth and packet rate
  • Number of concurrent connections
  • Connection rate

Rate Limiting for DoS Mitigation is scalable and can support a large number of rules. You can define policies that limit bandwidth for the traffic coming from geographic sources that are outside of normal business profiles. It also provides monitoring and whitelisting bypass capabilities.

Note -

  • Rate Limiting for DoS Mitigation is supported on SecurePlatform and Gaia gateways with Performance Pack installed
  • During the installation of the Firewall policy on the gateway, the rate limiting policy is not enforced

VSX and Rate Limiting for DoS Mitigation

This feature is supported in R77.20 and higher.

VSX supports all the Rate Limiting features and functionality. You can configure different settings for the Virtual Systems or global parameters for all of them.

For R77.10 and lower, you can configure only the VSX Gateway (VS0).

Configuring Rate Limiting for DoS Mitigation

To prevent Denial of Service (DoS) attacks, add rules to a policy one at a time, or in batch mode.

If this gateway is a cluster member, configure Rate Limiting for DoS Mitigation on all of the cluster members.

Note - By default, the rules are loaded only on the local gateway, unless you specify a different gateway with the -S <server> parameter.

Adding One Rule at a Time

To add a rule to the policy:

fw samp add -a d|n|b [-l r] [-t TIMEOUT] [-n NAME] [-c COMMENT] [-o ORIGINATOR] quota KEY VALUE [KEY VALUE ...KEY VALUE]

Parameter

Description and Values

-a

Action to take on the incoming packets that match the rule:

  • d - drop: drops the packet
  • n - notify: logs the packet and lets it through
  • b - bypass: lets the packet through without checking it against the policy rules

    Note - Rules set to bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections used for limit enforcement of the ratio type.

-l

Log (optional) - turns on logging:

-l r - regular logging

-t

Timeout (optional) - the number of seconds after which the rule expires.

-t INTEGER

If not set, the rule does not expire.

-n

Name (optional) - adds a name label to the rule.

-n NAME

-c

Comment (optional) - adds comment to the rule.

-c COMMENT

-o

Originator (optional) - specifies the originator.

-o ORIGINATOR_NAME

-S

Server (optional) - specifies the IP address of a target gateway for policy installation (the same -S parameter is used with fw samp batch and in the VSX procedures below).

-S IP_ADDRESS

source

Defines packet sources as a list of comma-separated expressions in this format:

source TYPE:VALUE [,TYPE:VALUE, TYPE:VALUE,...TYPE:VALUE]

Valid TYPEs and VALUEs:

  • any

    The rule is applied to packets from any source.

    This value is supported in R77.10 and higher.

  • range:IP_ADDRESS or range:IP_ADDRESS-IP_ADDRESS

    IP addresses can be IPv4 addresses (x.y.z.w) or IPv6 addresses ([xxxx:yyyy:...:zzzz]).

  • cidr:IP_ADDRESS/NETMASK

    IPv4 or IPv6 address with a prefix length NETMASK of 0 to 32 for IPv4, or 0 to 128 for IPv6.

  • cc:COUNTRY_CODE

    Two-letter code defined in ISO 3166-1 alpha-2. The rule matches the country code to the addresses assigned to this country, based on the Geo IP database.

  • asn:AUTONOMOUS_SYSTEM_NUMBER

    Valid value syntax is ASnnnn, where nnnn is a number unique to the specific organization. The rule matches the AS number of the organization to the IP addresses that are assigned to this organization, based on the Geo IP database.

destination

This parameter is supported in R77.10 and higher.

The options for this parameter are the same as the source parameter.

source-negated

true or false (default):

source-negated true|false

If true, the rule matches the packet or the connection to the complement set of the values defined as the source.

destination-negated

This parameter is supported in R77.10 and higher.

The options for this parameter are the same as the source-negated parameter.

service

Service protocols, ports, or ranges of protocols or ports:

service PROTO|PROTO-PROTO|PROTO/PORT|PROTO/PORT-PORT

Valid values:

  • PROTO - IP protocol number in the range 1-255.
  • PORT - TCP or UDP port number in the range 1-65535.

service-negated

true or false (default):

service-negated true|false

If true, the rule matches the packet or the connection to the complement set of the values defined as the service.

new-conn-rate

Maximum number of new connections per second that match the rule:

new-conn-rate n

new-conn-rate-ratio

Maximum ratio of the new-conn-rate value to the rate of all new connections per second through the gateway, expressed in parts per 65536.

new-conn-rate-ratio n

concurrent-conns

Maximum number of concurrent active connections that match the rule:

concurrent-conns n

concurrent-conns-ratio

Maximum ratio of the concurrent-conns value to the total number of active connections through the gateway, expressed in parts per 65536.

concurrent-conns-ratio n

pkt-rate

Maximum number of packets per second that match the rule:

pkt-rate n

pkt-rate-ratio

Maximum ratio of the pkt-rate value to the packets-per-second rate of all connections through the gateway, expressed in parts per 65536.

pkt-rate-ratio n

byte-rate

Maximum total number of bytes per second in packets that match the rule:

byte-rate n

byte-rate-ratio

Maximum ratio of the byte-rate value to the bytes-per-second rate of all connections through the gateway, expressed in parts per 65536.

byte-rate-ratio n

track

Criteria for counting connections, packets, and bytes:

  • track source - connections, packets, and bytes are counted per specific source IP address, and not cumulatively for the rule.
  • track source-service - connections, packets, and bytes are counted per specific source IP address and specific IP protocol and destination port, and not cumulatively for the rule.

Note -

  • The quota rules are not immediately applied to the gateway. They are only registered in the Suspicious Activity Monitoring policy database. To apply all the rules from the policy database immediately, add flush true in the fw samp add command.
  • The new rules apply only to the new connections, not to the existing ones.

Here are some rule examples.

Example of a rule with a range:

fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

  • Limits the rate of creation of new connections for the IP addresses in the range 172.16.7.11-172.16.7.13 to 5 per second. Drops connection attempts beyond that rate (-a d).
  • Logs packets that exceed the quota set by the rule. Note: The limit on the total number of log entries per second is set through the global parameter sim_dos ctl -l LOG-LIMIT. Refer to the Global Parameters section for more information.
  • The rule expires in one hour (3600 seconds).
  • This rule is compiled and loaded on the Performance Pack immediately, together with the other rules in the Suspicious Activity Monitoring policy database, because it includes the flush true parameter.

Example of a rule with a service specification:

fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

  • Logs all packets (-a n) coming from IP addresses that are assigned to the country with the specified country code (cc:QQ).
  • Does not let any traffic through (byte-rate 0) except for the packets (service-negated true) that match the IP protocols and ports on the list:
    • 1 - ICMP
    • 50-51 - IPsec
    • 6/443 - HTTPS
    • 17/53 - DNS
  • The rule does not expire (the TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
  • This rule is not compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.

Example of a rule with ASN:

fw samp add -a d quota source asn:AS64500,cidr:[::ffff:c0a8:1100]/120 service any pkt-rate 0

  • Drops all packets (-a d, pkt-rate 0) with a source IP address in the IPv6 address block (cidr:[::ffff:c0a8:1100]/120) or from the autonomous system number 64500 (asn:AS64500).
  • The rule does not expire (the TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
  • This rule is not compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.

Example of a whitelist rule:

fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

  • Bypasses all other quota rules that match the traffic (-a b), and lets through all HTTP traffic (service 6/80) from the specified address range (source range:172.16.8.17-172.16.9.121).

    Note: the Firewall and other types of security policy rules still apply.

  • The rule will not expire (TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
  • This rule will not be compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.

Example of a tracked rule:

fw samp add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

  • Drops (-a d) new connections from every IP address that already holds more than approximately 1% (655/65536) of all existing connections (concurrent-conns-ratio 655, counted per source IP address because of track source).
  • Defines the IP addresses that are assigned to a specific country (source-negated true source cc:QQ) as the exception to the rule.
  • Does not log any entries (does not include -l parameter).
  • The rule will not expire (TIMEOUT parameter is not specified). To cancel it, you must delete it explicitly.
  • This rule will not be compiled and installed on the Performance Pack immediately because it does not include the flush true parameter.

Adding Rules in Batch Mode

To add rules in batch mode:

  1. Type this command to start fw samp batch:

    fw samp [-S IP_ADDRESS] batch <<EOF

    Note: if you include the -S parameter, all the commands in this batch apply to the specified gateway.

  2. Enter one add or delete command per line, on as many lines as necessary. Start each line with add or del, not with fw samp. Use the same set of parameters and values as for individual rules. Terminate each line with a Line Feed (ASCII 10) character:

    add -a d|n|b [-l r] [-t TIMEOUT] [-n NAME] [-c COMMENT] [-o ORIGINATOR] quota KEY VALUE [KEY VALUE ...]

    del UID

  3. To end the batch, type: EOF.

Example:

fw samp -S 192.168.37.5 batch <<EOF
add -a d -l r -t 3600 -c a\ comment quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5
del <501f6ef0,00000000,cb38a8c0,0a0afffe>
add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
EOF

This batch applies two add commands and one delete command to a gateway with the IP address 192.168.37.5. For details on add command syntax, see Adding One Rule at a Time.

Note - Each space and each backslash in a comment must be preceded by a backslash:

-c this\ is\ a\ comment\ with\ a\ backslash\ \\

Deleting a Rule

To delete a rule:

  1. List all the rules in the Suspicious Activity Monitoring policy database:

    fw samp get

    The rules show in this format:

    ... operation=add uid=<501f6ef0,00000000,cb38a8c0,0a0afffe> target=all timeout=... action=... ... ...

  2. Delete a rule from the list:

    fw samp del '<501f6ef0,00000000,cb38a8c0,0a0afffe>'

  3. Enter this flush-only add rule:

    fw samp add -t 2 quota flush true

    This applies the deletion immediately; the flush-only rule itself times out after 2 seconds. It is good practice to give flush-only rules a short timeout, so that obsolete rules do not accumulate in the database.

    The fw samp del command removes a rule from the persistent database only. The deleted rule continues to be enforced until the next time a policy is compiled and loaded. To force the deletion to take effect immediately, enter a flush-only add rule right after the fw samp del command.
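The batch-mode section above and the deletion procedure in this section, as added shell helpers that are not Check Point's own code: pct_to_ratio turns a percentage into the parts-per-65536 value the *-ratio keys expect, samp_escape_comment applies the comment escaping rule, and the two builders emit batch bodies that end with a flush-only rule so they take effect at once. SAMP (the command that loads the batch) and feeding fw samp batch from a pipe rather than the <<EOF heredoc are assumptions.

```shell
#!/bin/sh
# Added helpers for composing fw samp batches; not Check Point's own code.
# Assumptions: SAMP is the command that loads the batch ("fw samp" on the
# gateway, "fw samp -S <gateway_ip>" from a management server), and that
# fw samp batch reads the same lines from a pipe as from the <<EOF heredoc.
SAMP=${SAMP:-"fw samp"}

# Percent of gateway-wide traffic -> parts per 65536, as the *-ratio keys
# expect (1 -> 655, the value used in the tracked-rule example).
pct_to_ratio() {
    echo $(( ($1 * 65536 + 50) / 100 ))   # integer percent, rounded to nearest
}

# Escape a -c comment: every backslash and space must be preceded by a
# backslash. Backslashes go first so the added ones are not doubled again.
samp_escape_comment() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g'
}

# Batch body: per-source concurrent-connection cap (drop + log, expires in
# an hour), a bypass whitelist for one address range, and a short-lived
# flush-only rule so everything is compiled onto the Performance Pack now.
# $1 = percent cap per source IP, $2 = comment, $3 = whitelisted range
build_cap_batch() {
    ratio=$(pct_to_ratio "$1")
    comment=$(samp_escape_comment "$2")
    printf 'add -a d -l r -t 3600 -c %s quota service any source any concurrent-conns-ratio %s track source\n' "$comment" "$ratio"
    printf 'add -a b quota source range:%s service any\n' "$3"
    printf 'add -t 2 quota flush true\n'
}

# Deletion batch: fw samp del only touches the persistent database, so the
# flush-only add is what stops enforcement of the deleted rules right away.
# Arguments: one or more rule UIDs as printed by fw samp get.
build_del_batch() {
    for uid in "$@"; do
        printf 'del %s\n' "$uid"
    done
    printf 'add -t 2 quota flush true\n'
}

# Load a batch body (from either builder) through fw samp batch.
apply_batch() {
    $SAMP batch
}

# Usage, e.g. on a gateway:
#   build_cap_batch 1 'per source cap' 172.16.8.17-172.16.9.121 | apply_batch
#   build_del_batch '<501f6ef0,00000000,cb38a8c0,0a0afffe>' | apply_batch
```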

Configuring Rules with VSX

This feature is supported in R77.20 and higher.

Use the fw samp command to add rules to a Virtual System. You can run the command on the local gateway, or remotely configure the rules.

To configure rules on a local gateway:

  1. Log in to the gateway CLI.
  2. Set the environment for the Virtual System: run set virtual-system <vsid>.
  3. Run fw samp and configure one or more Rate Limiting rules.

    The previous sections explain how to add or delete rules.

To configure rules on a remote gateway:

  1. Log in to the server CLI.
  2. Run fw samp with these parameters and configure one or more Rate Limiting rules:
    • -S <server_IP> - Use the IP address of the VSX Gateway
    • -s <VS_SIC_name> - Use the name of the Virtual System that established SIC

    Run fw vsx showncs -vs <VSID> to show the SIC name for the Virtual System.

    The previous sections explain how to add or delete rules.

Configuring Global Parameters

There are several global parameters that you can configure with the sim_dos ctl command for IPv4 addresses and with the sim6_dos ctl command for IPv6 addresses. They apply to all the policy rules.

Note - sim_dos ctl and sim6_dos ctl are only available as CLI commands on the gateways. There is no remote command option.

Use the sim_dos ctl or sim6_dos ctl command with the parameters and values below:

Parameter and Values

Description

-m 1|0

When set to 1, turns on monitor-only mode. In this mode, rules do not drop any packets, regardless of the action specified; each rule only logs, as specified in it.

-x 1|0

When set to 1 (default), the rules are only applied to traffic that arrives on the external interfaces of the gateway.
When set to 0, the rules are applied to traffic regardless of the interface on which it arrives.

Note: This does not apply to other security policies on the gateway. They still get enforced.

-l n

Sets the limit on the number of log entries per second (the default is 100). All the entries that exceed the limit are suppressed. The number of suppressed messages is reported in the summary for the following period.

-a 1|0

Turns quota policy rule enforcement on (1) or off (0). When enforcement is turned off, no traffic is matched against the quota rules.

Note: Quota rule enforcement is turned on automatically when a policy with rules is loaded, and turned off when an empty policy is loaded.

The global parameters return to their default values every time the DoS module in the Performance Pack is initialized, which happens on every reboot. To keep your changes to the global parameters until you decide to change them again, include the sim_dos ctl (or sim6_dos ctl) command in the dospreload script:

For IPv4:

$ cat >$PPKDIR/bin/dospreload4 <<EOF
#!/bin/bash
$PPKDIR/bin/sim_dos ctl -m 1 -x 0 -l 30
EOF
$ chmod +x $PPKDIR/bin/dospreload4

For IPv6:

$ cat >$PPKDIR/bin/dospreload6 <<EOF
#!/bin/bash
$PPKDIR/bin/sim6_dos ctl -m 1 -x 0 -l 30
EOF
$ chmod +x $PPKDIR/bin/dospreload6

For VSX:

Rate Limiting for VSX is supported in R77.20 and higher.

  • $PPKDIR/bin/ is shared by all the Virtual Systems
  • $FWDIR/scripts/ is specific for each Virtual System

Run these commands from Expert mode to apply monitor only mode (-m 1) to all Virtual Systems.

# cat > $PPKDIR/bin/dospreload4 << EOF
#!/bin/bash
sim_dos ctl -m 1
if test -x $FWDIR/scripts/dospreload4; then
	$FWDIR/scripts/dospreload4
fi
EOF
# chmod +x $PPKDIR/bin/dospreload4

Run these commands from Expert mode to limit the number of log entries (-l 40) for the Virtual System with VSID 2.

# vsenv 2
Context is set to Virtual Device myVS-2 (ID 2).
# cat > $FWDIR/scripts/dospreload4 <<EOF
#!/bin/bash
sim_dos ctl -l 40
EOF
# chmod +x $FWDIR/scripts/dospreload4

Run similar commands to create $PPKDIR/bin/dospreload6 and a $FWDIR/scripts/dospreload6 script for each Virtual System.

Monitoring Events Related to DoS Mitigation

To see some useful information related to DoS Mitigation, run these commands:

Command

Command Output

cat /proc/ppk/dos

cat /proc/ppk6/dos (for IPv6)

Shows memory utilization, DoS policy rules, and global parameter configuration.

fw samp get -l | grep '^<[0-9a-f,]*>$' | xargs sim_dos get

Shows details of the active policy rules in long format. It only shows rules loaded in the IPv4 kernel. To see the rules in the IPv6 kernel, use the sim6_dos get command.

cat /proc/ppk/<VSID>/dos

cat /proc/ppk6/<VSID>/dos (for IPv6)

VSX is supported in R77.20 and higher.

Shows memory utilization, DoS policy rules, and global parameter configuration for Virtual Systems.

<VSID> is the VSID for the Virtual System.

 
©2015 Check Point Software Technologies Ltd. All rights reserved.