Rate Limiting for DoS Mitigation

Introduction

Rate Limiting is a defense against DoS (Denial of Service) attacks.

Rate Limiting rules let you limit traffic that comes from specified sources, is sent to specified destinations, or uses specific services.

Rate limiting is enforced by SecureXL (the Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through the Security Gateway) on these:

  • Bandwidth and packet rate

  • Number of concurrent connections

  • Connection rate

For additional information, see sk112454.

Use these commands to configure Rate Limiting for DoS Mitigation:

  • "fw sam_policy" and "fw6 sam_policy" (see fw sam_policy - you must use the parameter "quota <Quota Filter Arguments>")

  • "fwaccel dos config" and "fwaccel6 dos config" (see fwaccel dos config)

Note - You cannot use the Rate Limiting feature for specific URLs. This feature applies to all traffic.

Monitoring Events Related to DoS Mitigation on a Security Gateway / ClusterXL

To see some information related to DoS Mitigation, run these commands:

Command in Gaia Clish or the Expert mode:
    fwaccel stats
    fwaccel6 stats
Description:
    Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules).
    See:

Command in Gaia Clish or the Expert mode:
    fwaccel stats -d
      or
    cat /proc/ppk/drop_statistics

    fwaccel6 stats -d
      or
    cat /proc/ppk6/drop_statistics
Description:
    Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules).
    See:

Command in Gaia Clish or the Expert mode:
    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel dos rate get

    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel6 dos rate get
Description:
    Shows details of active policy rules in long format (for IPv4 and IPv6 kernel modules).
    See fw sam_policy get.

Command in Gaia Clish or the Expert mode:
    cat /proc/ppk/rlc
Description:
    Shows:
      • Total drop packets
      • Total drop bytes
    See The /proc/ppk/ and /proc/ppk6/ entries.

Monitoring Events Related to DoS Mitigation on Scalable Platforms

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

A Security Group is a logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. In Maestro, each Security Group contains: (A) the applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) the applicable management port, to which the Check Point Management Server is connected.

To see some information related to DoS Mitigation, run these commands:

Command in Gaia gClish:
    fwaccel stats
    fwaccel6 stats
Command in the Expert mode:
    g_fwaccel stats
    g_fwaccel6 stats
Instructions:
    Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules).
    See:

Command in Gaia gClish:
    fwaccel stats -d
    fwaccel6 stats -d
Command in the Expert mode:
    g_fwaccel stats -d
      or
    cat /proc/ppk/drop_statistics

    g_fwaccel6 stats -d
      or
    cat /proc/ppk6/drop_statistics
Instructions:
    Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules).
    See:

Command in Gaia gClish:
    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel dos rate get

    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel6 dos rate get
Command in the Expert mode:
    g_fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel dos rate get

    g_fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel6 dos rate get
Instructions:
    Shows details of active policy rules in long format (for IPv4 and IPv6 kernel modules).
    See fw sam_policy get.

Command in Gaia gClish:
    N / A
Command in the Expert mode:
    cat /proc/ppk/rlc
Instructions:
    Shows:
      • Total drop packets
      • Total drop bytes
    See The /proc/ppk/ and /proc/ppk6/ entries.
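The two "fw samp get -l | grep | xargs fwaccel dos rate get" pipelines above (and their g_fw / Scalable Platforms counterparts) rely on one filter: a line of "fw samp get -l" output is treated as a rule UID only if the whole line is "<...>" containing lowercase hex digits and commas. The script below is an added example, not code from the Check Point documentation. It isolates that filter so it can be checked off-gateway, and runs the IPv4 and IPv6 rate queries in one pass. The layout of "fw samp get -l" output is not shown on this page, so the sample lines are constructed and only the two lines that match the documented regex are meant to represent rule UIDs; the "dry_run" stub stands in for fwaccel / fwaccel6 so the script runs without a gateway.

```shell
#!/bin/sh
# Added example; not part of the Check Point documentation. It reproduces the
# rule-UID extraction step of the documented pipeline
#     fw samp get -l | grep '^<[0-9a-f,]*>$' | xargs fwaccel dos rate get
# against constructed input, so the filter can be checked without a gateway.

# ASSUMPTION: the page does not show the layout of `fw samp get -l` output.
# The lines below are constructed. Only the two lines that consist solely of
# "<lowercase-hex,...>" stand for rule UIDs; the others are there to show what
# the documented regex rejects: descriptive text, an indented copy of a UID
# (fails the ^ anchor), uppercase hex (outside [0-9a-f]) and a non-hex tag.
SAMPLE_SAMP_OUTPUT='rule quota-dos-1 state=active (constructed descriptive line)
<5f4d3c2b,00000001,c0a80001,00000001>
rule quota-dos-2 state=active (constructed descriptive line)
<5f4d3c2c,00000002,c0a80001,00000001>
  <5f4d3c2c,00000002,c0a80001,00000001>
<5F4D3C2D,00000003,c0a80001,00000001>
<not-a-uid>'

# Print the rule UIDs from stdin, one per line: the page's grep, unchanged.
extract_rule_ids() {
    grep '^<[0-9a-f,]*>$'
}

# Number of UID lines the filter yields (handy before deciding to query).
count_rule_ids() {
    extract_rule_ids | wc -l | tr -d ' '
}

# Feed the UIDs to the IPv4 and IPv6 rate queries in one pass, the way the two
# documented xargs pipelines do. $1 and $2 name the commands to run (default
# fwaccel / fwaccel6; on Scalable Platforms pass g_fwaccel / g_fwaccel6), so a
# stub can stand in for them off-gateway. Returns 1 when no rule UID is found.
query_rates() {
    cmd4="${1:-fwaccel}"
    cmd6="${2:-fwaccel6}"
    ids=$(extract_rule_ids)
    if [ -z "$ids" ]; then
        echo "no active SAM rules found" >&2
        return 1
    fi
    # Word splitting of $ids is intentional: like xargs, pass all UIDs at once.
    # shellcheck disable=SC2086
    $cmd4 dos rate get $ids
    # shellcheck disable=SC2086
    $cmd6 dos rate get $ids
}

# Stub for the off-gateway dry run: prints the command instead of running it.
dry_run() { echo "would run: $*"; }

# Demonstration on the constructed sample. On a gateway, the real invocation is:
#     fw samp get -l | query_rates            (or g_fw samp get -l | query_rates g_fwaccel g_fwaccel6)
printf '%s\n' "$SAMPLE_SAMP_OUTPUT" | query_rates "dry_run fwaccel" "dry_run fwaccel6"
```

Running the script prints two "would run:" lines, each carrying exactly the two lowercase UIDs; the indented copy, the uppercase UID and the "<not-a-uid>" tag are dropped by the anchors and the character class, which is why the documented pipeline can hand the grep output straight to xargs without further cleaning.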

In addition, see SecureXL Debug.