This section describes how the ProxySG detects and blocks attacks designed to deny Web services to users.
"About Attack Detection"
"Configuring Attack-Detection Mode for the Client" on page 1322
"Configuring Attack-Detection Mode for a Server or Server Group" on page 1327
client limits enabled: false
client interval: 20 minutes
block-action: drop (for each client)
connection-limit: 100 (for each client)
failure-limit: 50 (for each client)
unblock-time: unlimited
warning-limit: 10 (for each client)
Remember that enable-limits/disable-limits and interval affect all clients; these values cannot be changed for individual clients. The other limits can be modified on a per-client basis.
Note: If you edit an existing client's limits to a smaller value, the new value applies only to new connections from that client. For example, if the old value was 10 simultaneous connections and the new value is 5, existing connections above 5 are not dropped.
SGOS#(config client) enable-limits | disable-limits
SGOS#(config client) interval minutes
SGOS#(config client) block ip_address [minutes] | unblock ip_address
SGOS#(config client) default block-action drop | send-tcp-rst
SGOS#(config client) default connection-limit integer_between_1_and_65535
SGOS#(config client) default failure-limit integer_between_1_and_500
SGOS#(config client) default unblock-time minutes_between_10_and_1440
SGOS#(config client) default warning-limit integer_between_1_and_100
Table 691

enable-limits | disable-limits
    Toggles between true (enabled) and false (disabled). The default is false. This is a global setting and cannot be modified for individual clients.

interval integer
    Indicates the amount of time, in multiples of 10 minutes, that client activity is monitored. The default is 20. This is a global setting and cannot be modified for individual clients.

block | unblock ip_address [minutes]
    Block blocks a specific IP address for the number of minutes listed. If the optional minutes argument is omitted, the client is blocked until explicitly unblocked. Unblock releases a specific IP address.

default block-action drop | send-tcp-rst
    Indicates the behavior when clients are at the maximum number of connections or exceed the warning limit: drop the connections that are over the limit, or send a TCP RST for connections over the limit. The default is drop. This limit can be modified on a per-client basis.

default connection-limit integer
    Indicates the number of simultaneous connections, between 1 and 65535. The default is 100. This limit can be modified on a per-client basis.

default failure-limit integer
    Indicates the maximum number of failed requests a client is allowed before the proxy starts issuing warnings. The default is 50. This limit can be modified on a per-client basis. Failed requests (with regard to attack detection) are defined as the following:
    - Connection failures (DNS lookup errors, connection refused, connection timed out, host unreachable, and so on)
    - HTTP response codes returned to the client: 501 (Not Implemented), 502 (Bad Gateway), 503 (Service Unavailable), or 504 (Gateway Timeout)
    If the appliance serves an exception page to the client instead of a page returned by the server, the response code associated with the exception is used to decide whether it was a failure. If the connection succeeds and returns a 302, 404, 500, and so on, it is not counted as a failure for attack detection.

default unblock-time minutes
    Indicates the amount of time a client is blocked at the network level when the client warning-limit is exceeded. The time must be a multiple of 10 minutes, up to a maximum of 1440. By default, the client is blocked until explicitly unblocked. This limit can be modified on a per-client basis.

default warning-limit integer
    Indicates the number of warnings sent to the client before the client is blocked at the network level and the administrator is notified. The default is 10; the maximum is 100. This limit can be modified on a per-client basis.
Client attack-detection configuration is used to control the behavior of virus-infected machines behind the ProxySG.

1. Verify the system is in the attack-detection client submode.
SGOS#(config) attack-detection
SGOS#(config attack-detection) client
SGOS#(config client)
2. Create a client.
SGOS#(config client) create {ip_address | ip_and_length}
block-action
    Indicates the behavior when the client is at the maximum number of connections: drop the connections that are over the limit, or send a TCP RST for the connections over the limit. The default is drop.

connection-limit integer
    Indicates the number of simultaneous connections, between 1 and 65535. The default is 100.

failure-limit integer
    Indicates the maximum number of failed requests the specified client is allowed before the proxy starts issuing warnings. The default is 50.

unblock-time minutes
    Indicates the amount of time a client is locked out at the network level when the client warning-limit is exceeded. The time must be a multiple of 10 minutes, up to a maximum of 1440. By default, the client is blocked until explicitly unblocked.

warning-limit
    Indicates the number of warnings sent to the client before the client is locked out at the network level and the administrator is notified. The default is 10; the maximum is 100.
Note: There are three thresholds that dictate when a client is blocked:
- Number of connections
- Number of failures
- Number of warnings

A client displays as blocked when it exceeds the number of failures or the number of warnings, but not when it exceeds the number of connections.
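The interplay of the three thresholds in this note, together with the failure definition given for failure-limit above, as an added Python model (example code, not ProxySG's own). It assumes that each failed request beyond failure-limit produces one warning and that reaching warning-limit blocks the client; the monitoring interval and unblock-time are left out.

```python
# Added example, not from the ProxySG documentation: a model of the client
# attack-detection thresholds. Assumptions: each failed request beyond
# failure-limit produces one warning and reaching warning-limit blocks the
# client; the monitoring interval and unblock-time are not modelled.
from dataclasses import dataclass

FAILURE_CODES = {501, 502, 503, 504}  # counted as failures; 302, 404, 500 are not
def is_failure(outcome):
    # outcome: 'conn_fail' (DNS error, refused, timeout, unreachable) or HTTP status
    return outcome == "conn_fail" or outcome in FAILURE_CODES

@dataclass
class ClientState:
    connections: int = 0
    failures: int = 0
    warnings: int = 0
    blocked: bool = False

class AttackDetector:
    def __init__(self, connection_limit=100, failure_limit=50, warning_limit=10, block_action="drop"):
        self.connection_limit, self.failure_limit = connection_limit, failure_limit
        self.warning_limit, self.block_action = warning_limit, block_action
        self.clients = {}  # ip -> ClientState

    def state(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def open_connection(self, ip):
        # Returns 'accept', 'blocked', or the block-action for an over-limit connection
        st = self.state(ip)
        if st.blocked:
            return "blocked"
        if st.connections >= self.connection_limit:
            return self.block_action  # over the limit, but the client is not marked blocked
        st.connections += 1
        return "accept"

    def record_request(self, ip, outcome):
        # Counts one request outcome; returns 'ok', 'failure', 'warning' or 'blocked'
        st = self.state(ip)
        if not is_failure(outcome):
            return "ok"
        st.failures += 1
        if st.failures <= self.failure_limit:
            return "failure"
        st.warnings += 1
        if st.warnings >= self.warning_limit:
            st.blocked = True
            return "blocked"
        return "warning"
```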
To view client statistics:

SGOS#(config client) view statistics
Client IP      Failure Count   Warning Count
10.9.44.72     1               0