Rate Limiting for DoS Mitigation

Introduction

Rate Limiting is a defense against DoS (Denial of Service) attacks.

Rate Limiting rules allow to limit traffic coming from specified sources, or sent to specified destination and using specific services.

Rate limiting is enforced by SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. on these:

• Bandwidth and packet rate

• Number of concurrent connections

• Connection rate

For additional information, see sk112454.

Use these commands to configure Rate Limiting for DoS Mitigation:

• "fw sam_policy" and "fw6 sam_policy" (see fw sam_policy - you must use the parameter "quota <Quota Filter Arguments>")

• "fwaccel dos config" and "fwaccel6 dos config" (see fwaccel dos config)

Note - You cannot use the Rate Limiting feature for specific URLs. This feature applies to all traffic.

Monitoring Events Related to DoS Mitigation

To see some information related to DoS Mitigation, run these commands:

Command	Description
fwaccel stats fwaccel6 stats	Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules). See: fwaccel stats The /proc/ppk/ and /proc/ppk6/ entries
fwaccel stats -d or cat /proc/ppk/drop_statistics fwaccel6 stats -d or cat /proc/ppk6/drop_statistics	Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules). See: fwaccel stats The /proc/ppk/ and /proc/ppk6/ entries fw sam_policy
fw samp get -l |\ grep '^<[0-9a-f,]*>$' |\ xargs fwaccel dos rate get fw samp get -l |\ grep '^<[0-9a-f,]*>$' | xargs fwaccel6 dos rate get	Shows details of active policy rules in long format (for IPv4 and IPv6 kernel modules). See fw sam_policy get.
cat /proc/ppk/rlc	Shows: Total drop packets Total drop bytes See The /proc/ppk/ and /proc/ppk6/ entries.

In addition, see SecureXL Debug.