Rate Limiting for DoS Mitigation

Introduction

DoS / Rate Limiting is a defense against DoS (Denial-of-Service) attacks.

DoS / Rate Limiting includes these features:

  • Rate Limiting Rules
  • IP Deny List
  • Block IP Fragments
  • Block IP Options
  • Penalty Box

In general, these features solve separate problems and are managed / configured separately. However, be aware that there are some global settings that will affect the behavior of multiple features simultaneously.

To maximize performance, most of the DoS / Rate Limiting policy is enforced as early as possible in the packet flow. For most features this means it is enforced in SecureXL (the Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway). Connection-based policy is the single exception. This policy is enforced by the Firewall Software Blade (a Software Blade is a specific security solution, or module: on a Security Gateway, each Software Blade inspects specific characteristics of the traffic; on a Management Server, each Software Blade enables different management capabilities), because this is where the related connection state is stored and managed.

Important:

Monitoring Events Related to DoS Mitigation on a Security Gateway / ClusterXL

To see some information related to DoS Mitigation, run these commands:

Command in Gaia Clish or the Expert mode:

    fwaccel stats
    fwaccel6 stats

Description:

    Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules).

Command in Gaia Clish or the Expert mode:

    fwaccel stats -d
    or
    cat /proc/ppk/drop_statistics

    fwaccel6 stats -d
    or
    cat /proc/ppk6/drop_statistics

Description:

    Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules).

Command in Gaia Clish or the Expert mode:

    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel dos rate get

    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel6 dos rate get

Description:

    Shows details of active policy rules in long format (for IPv4 and IPv6 kernel modules).

    See fw sam_policy get.

Command in Gaia Clish or the Expert mode:

    cat /proc/ppk/rlc

Description:

    Shows:

      • Total drop packets
      • Total drop bytes

    See The /proc/ppk/ and /proc/ppk6/ entries.

Monitoring Events Related to DoS Mitigation on Scalable Platforms

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group (a logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected).

To see some information related to DoS Mitigation, run these commands:

Command in Gaia gClish:

    fwaccel stats
    fwaccel6 stats

Command in the Expert mode:

    g_fwaccel stats
    g_fwaccel6 stats

Instructions:

    Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules).

Command in Gaia gClish:

    fwaccel stats -d
    fwaccel6 stats -d

Command in the Expert mode:

    g_fwaccel stats -d
    or
    cat /proc/ppk/drop_statistics

    g_fwaccel6 stats -d
    or
    cat /proc/ppk6/drop_statistics

Instructions:

    Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules).

Command in Gaia gClish:

    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel dos rate get

    fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel6 dos rate get

Command in the Expert mode:

    g_fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel dos rate get

    g_fw samp get -l |\
    grep '^<[0-9a-f,]*>$' |\
    xargs fwaccel6 dos rate get

Instructions:

    Shows details of active policy rules in long format (for IPv4 and IPv6 kernel modules).

    See fw sam_policy get.

Command in Gaia gClish:

    N / A

Command in the Expert mode:

    cat /proc/ppk/rlc

Instructions:

    Shows:

      • Total drop packets
      • Total drop bytes

    See The /proc/ppk/ and /proc/ppk6/ entries.
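A single reading of the /proc/ppk/rlc counters says little on its own; what an operator usually wants is the change between two readings, so that a sudden rise in dropped packets (for example while a Rate Limiting rule or the Penalty Box is active) stands out. The script below is an added example and is not part of the Check Point documentation or of the product. It assumes, as a labelled assumption, that /proc/ppk/rlc prints the two counters as lines of the form "Total drop packets: <N>" and "Total drop bytes: <N>"; the two samples in the script are constructed, not captured from a gateway.

```shell
#!/bin/sh
# Added example (not from the Check Point documentation): compare two readings of the
# rlc drop counters and flag a spike. The line format "Total drop packets: <N>" is an
# assumption about /proc/ppk/rlc, not taken from the page.

# Print one named counter from rlc-style text on stdin ($1 = counter label).
# Prints 0 when the label is absent so arithmetic on the result never fails.
rlc_counter() {
  awk -v label="$1" -F': *' '$1 == label { print $2; found = 1 } END { if (!found) print 0 }'
}

# Number of packets dropped between two readings ($1 = earlier text, $2 = later text).
drop_delta() {
  before=$(printf '%s\n' "$1" | rlc_counter 'Total drop packets')
  after=$(printf '%s\n' "$2" | rlc_counter 'Total drop packets')
  echo $((after - before))
}

# Exit status 0 when the delta reaches the threshold ($3), 1 otherwise, so the
# function can drive an alert in an "if" or "||" chain.
drop_alert() {
  delta=$(drop_delta "$1" "$2")
  [ "$delta" -ge "$3" ]
}

# Constructed samples in the assumed format (two readings ten seconds apart).
SAMPLE_T0='Total drop packets: 1200
Total drop bytes: 96000'
SAMPLE_T1='Total drop packets: 51200
Total drop bytes: 4096000'

# Stand-alone demonstration on the constructed samples.
echo "dropped packets between readings: $(drop_delta "$SAMPLE_T0" "$SAMPLE_T1")"
if drop_alert "$SAMPLE_T0" "$SAMPLE_T1" 10000; then
  echo "ALERT: drop spike above threshold"
fi

# On a gateway (Expert mode) the readings would come from the live file instead:
#   t0=$(cat /proc/ppk/rlc); sleep 10; t1=$(cat /proc/ppk/rlc)
#   drop_alert "$t0" "$t1" 10000 && logger -t dos-watch "rlc drop spike"
```

The threshold is deliberately a parameter: what counts as a spike depends on the normal traffic of the gateway, so baseline the delta under ordinary load before choosing a value, and use the same interval for every pair of readings.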

Note - In addition, see SecureXL Debug.