DoS Protection Rules Configuration
The DoS protection rules configuration is organized into two tabs: Global and Farms.
Global Settings
The Global Settings tab allows you to configure the following global settings for each DoS rule:
Name: A descriptive name for the rule set.
Rule: The type of rule that defines the behaviour of the connections. The available rule types are:
- Connection limit per second
- Total connections limit per source IP
- Check bogus TCP flags
- Limit RST requests per second
Connection limit per second
These are the additional settings tailored to the Connection limit per second rule:
- Total connections per source IP: The number of new connections that can be established from a single source IP address per second. This option acts like a soft limit.
- Limit Burst: The maximum number of new connections that can be established from a single source IP address before the soft limit is applied. This option acts like a hard limit.
Total Connections Limit per Source IP
The Total connections limit per source IP rule limits the total number of concurrent connections that can be established from a single source IP address. There is no global limit shared by all the farms: to use this rule, the system administrator has to decide which number of concurrent connections per source IP is abnormal for the service being protected.
Check Bogus TCP Flags
This rule checks the TCP packets received in a communication; if a TCP packet is not the one expected at that point of the communication process (for example, its flag combination is invalid), the system discards the packet. This DoS rule works as a TCP packet flow checker.
Limit RST Request per Second
The following settings are additional parameters available for the Limit RST request per second rule:
- Limit RST request per source IP: The number of RST (reset) packets that can be sent from a single source IP address within a specified period of time. This option acts like a soft limit.
- Limit Burst: The maximum number of RST packets that can be sent from a single source IP address before the soft limit is applied. This option acts like a hard limit.
This rule counts the RESET (RST) packets received from the same source IP; once the number of RST packets reaches the configured limit, the following packets from that source are rejected. This rule protects against RST flood attacks.
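To make the interaction between the soft limit (rate per second) and Limit Burst (hard limit) used by both the Connection limit per second rule and the Limit RST requests per second rule concrete, here is an added token-bucket model of that behaviour. It is an illustration written for this page, not the appliance's own code; the addresses and timings are constructed.

```python
from collections import defaultdict


class PerSourceRateLimiter:
    """Token bucket kept per source IP (constructed model, not product code).

    rate  -> sustained events/second allowed (the soft limit)
    burst -> bucket capacity: how many events may arrive back-to-back
             before the soft limit starts rejecting (the hard limit)
    """

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        # src_ip -> [available tokens, timestamp of last update]
        self.buckets = defaultdict(lambda: [float(burst), 0.0])

    def allow(self, src_ip: str, now: float) -> bool:
        tokens, last = self.buckets[src_ip]
        # Refill at `rate` tokens/second, never above the burst size.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src_ip] = [tokens - 1.0, now]
            return True
        self.buckets[src_ip] = [tokens, now]
        return False


def simulate(limiter: PerSourceRateLimiter, events):
    """events: iterable of (timestamp_seconds, src_ip).
    Returns {src_ip: (accepted, rejected)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: (a, r) for ip, (a, r) in stats.items()}


# Constructed traffic: one source sends 50 SYNs within 50 ms (a flood),
# another opens 5 connections spaced one second apart (normal use).
FLOOD = [(i / 1000.0, "203.0.113.5") for i in range(50)]
NORMAL = [(float(i), "198.51.100.7") for i in range(5)]


def run_demo():
    limiter = PerSourceRateLimiter(rate=10, burst=20)  # 10/s soft, 20 hard
    return simulate(limiter, FLOOD + NORMAL)


if __name__ == "__main__":
    for ip, (ok, dropped) in run_demo().items():
        print(f"{ip}: accepted={ok} rejected={dropped}")
```

With these settings the flooding source gets exactly its burst of 20 accepted and the remaining 30 rejected, while the slow client is never affected, which is the split the two parameters are meant to produce.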
Farms
The Farms’ DoS Rules Settings tab allows you to assign DoS rules to one or more farms.
To assign or remove a rule from all farms:
- Use the double-arrow buttons (<< or >>).
To assign or remove a rule from one or more farms:
- Select the farms and then click the single-arrow button (< or >).
Finally, take into account that there is no single configuration that fits all the farms; for that reason the system allows you to define several DoS rules with different parameters and apply each rule to the farms it suits.