Rate Limiting for DoS Mitigation

Overview

Rate Limiting is a defense against DoS (Denial of Service) attacks. Rate Limiting rules let you limit traffic that comes from specified sources, or is sent to specified destinations, and uses specific services.

Rate limiting is enforced by SecureXL on these:

For additional information, see sk112454: How to configure Rate Limiting rules for DoS Mitigation.

Use the commands below to configure Rate Limiting for DoS Mitigation:

Monitoring Events Related to DoS Mitigation

To see some information related to DoS Mitigation, run these commands:

Command:

    fwaccel stats
    fwaccel6 stats

Description: Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules).

See:

Command:

    fwaccel stats -d
    or
    cat /proc/ppk/drop_statistics

    fwaccel6 stats -d
    or
    cat /proc/ppk6/drop_statistics

Description: Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules).

See:

Command:

    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel dos rate get

    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel6 dos rate get

Description: Shows details of active policy rules in long format (for IPv4 and IPv6 kernel modules).

See 'fw sam_policy get' and 'fw6 sam_policy get'.

Command:

    cat /proc/ppk/rlc

Description: Shows:

  • Total drop packets
  • Total drop bytes

See The /proc/ppk/ and /proc/ppk6/ entries.

In addition, see SecureXL Debug.
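The rule UID filter used by the 'fw samp get -l' pipelines above, wrapped so it can be checked off-box (an added example, not part of the original page or Check Point code). The function names, the DRY_RUN switch, and the sample text with its UIDs are all constructed for illustration; real 'fw samp get -l' output will differ in its detail lines.

```shell
#!/bin/sh
# Added example. Sample text is constructed; real output layout may differ.

# Same filter as the page's pipeline: keep lines that are nothing but
# '<' + lowercase hex digits and commas + '>'.
filter_rule_uids() {
    grep '^<[0-9a-f,]*>$'
}

# Read 'fw samp get -l' style text on stdin and run
#   <accel> dos rate get <uid> <uid> ...
# $1 is fwaccel (IPv4) or fwaccel6 (IPv6).
# DRY_RUN=1 (hypothetical switch of this sketch) prints the command only.
show_rate_rules() {
    accel="$1"
    uids=$(filter_rule_uids || true)
    if [ -z "$uids" ]; then
        # GNU xargs would still run the command once with no arguments,
        # so stop here when no rule UID was found.
        echo "no rule UIDs found, nothing to query" >&2
        return 1
    fi
    # xargs hands each UID over as one literal argument; typed by hand,
    # a UID needs quotes because the shell treats '<' and '>' as redirections.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$uids" | xargs echo "$accel" dos rate get
    else
        printf '%s\n' "$uids" | xargs "$accel" dos rate get
    fi
}

# Constructed sample: two UID-only lines plus lines the filter must reject
# (extra text around the UID, uppercase hex).
sample_samp_output() {
    cat <<'EOF'
<0a1b2c3d,00000001,c0a80101,00001f40>
(constructed detail line for the first rule)
uid=<0a1b2c3d,00000002,c0a80101,00001f40> trailing text
<0A1B2C3D,00000003,C0A80101,00001F40>
<0a1b2c3d,00000004,c0a80101,00001f40>
EOF
}

# Demo: show the command that would run for the IPv4 kernel module.
sample_samp_output | DRY_RUN=1 show_rate_rules fwaccel
```

On a gateway, feed it real input with `fw samp get -l | show_rate_rules fwaccel` (or `fwaccel6`).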