Chapter 69: Preventing Denial of Service Attacks

This section describes how the ProxySG prevents attacks designed to prevent Web services to users.

Topics in this Section

This section includes the following topics:

"About Attack Detection" "Configuring Attack-Detection Mode for the Client" on page 1322 "Configuring Attack-Detection Mode for a Server or Server Group" on page 1327

About Attack Detection

The SGOS software can reduce the effects of distributed denial of service (DDoS) attacks and port scanning, two of the most common virus infections. A DDoS attack occurs when a pool of machines that have been infected with a DDoS-type of virus attack a specific Web site. As the attack progresses, the target host shows decreased responsiveness and often stops responding. Legitimate HTTP traffic is unable to proceed because the infected system is waiting for a response from the target host. Port scanning involves viruses attempting to self-propagate to other machines by arbitrarily attempting to connect to other hosts on the Internet. If the randomly selected host is unavailable or behind a firewall or does not exist, the infected system continues to wait for a response, thus denying legitimate HTTP traffic. The ProxySG prevents attacks by limiting the number of simultaneous TCP connections from each client IP address and either does not respond to connection attempts from a client already at this limit or resets the connection. It also limits connections to servers known to be overloaded. If the ProxySG starts seeing a large number of HTTP errors, and that number exceeds the configured error limit, subsequent requests are blocked and the proxy returns a warning page. If the requests continue despite the warnings, and the rate exceeds the warning limit, the client is blocked at the TCP level. You can configure attack detection for both clients and servers or server groups, such as http://www.bluecoat.com. The client attack-detection configuration is used to control the behavior of virus-infected machines behind the ProxySG. The server attack-detection configuration is used when an administrator knows ahead of time that a virus is set to attack a specific host. This feature is only available through the CLI. You cannot use the Management Console to enable attack detection.

1321

SGOS 6.3 Administration Guide

Configuring Attack-Detection Mode for the Client

To enter attack-detection mode for the client:

From the (config) prompt, enter the following commands:

SGOS#(config) attack-detection SGOS#(config attack-detection) client

The prompt changes to:

SGOS#(config client)

Changing Global Settings

The following defaults are global settings, used if a client does not have specific limits set. They do not need to be changed for each IP address/subnet if they already suit your environment:

client limits enabled: false client interval: 20 minutes block-action: drop (for each client) connection-limit: 100 (for each client) failure-limit: 50 (for each client) unblock-time: unlimited warning-limit: 10 (for each client)

To change the global defaults:

Remember that enable/disable limits and interval affect all clients. The values cannot be changed for individual clients. Other limits can be modified on a perclient basis.
Note: If you edit an existing clients limits to a smaller value, the new value only

applies to new connections to that client. For example, if the old value was 10 simultaneous connections and the new value is 5, existing connections above 5 are not dropped.
SGOS#(config client) enable-limits | disable-limits SGOS#(config client) interval minutes SGOS#(config client) block ip_address [minutes] | unblock ip_address SGOS#(config client) default block-action drop | send-tcp-rst SGOS#(config client) default connection-limit integer_between_1_and_65535 SGOS#(config client) default failure-limit integer_between_1_and_500 SGOS#(config client) default unblock-time minutes_between_10_and_1440 SGOS#(config client) default warning-limit integer_between_1_and_100

1322

Chapter 69: Preventing Denial of Service Attacks

Table 691

Changing Global Defaults

enable-limits | disable-limits

Toggles between true (enabled) and false (disabled). The default is false. This is a global setting and cannot be modified for individual clients.
integer

interval

Indicates the amount of time, in multiples of 10 minutes, that client activity is monitored. The default is 20. This is a global setting and cannot be modified for individual clients. Blocks a specific IP address for the number of minutes listed. If the optional minutes argument is omitted, the client is blocked until explicitly unblocked. Unblock releases a specific IP address. Indicates the behavior when clients are at the maximum number of connections or exceed the warning limit: drop the connections that are over the limit or send TCP RST for connections over the limit. The default is drop. This limit can be modified on a per-client basis. Indicates the number of simultaneous connections between 1 and 65535. The default is 100. This limit can be modified on a per-client basis. Indicates the maximum number of failed requests a client is allowed before the proxy starts issuing warnings. Default is 50. This limit can be modified on a per-client basis. Failed requests (with regard to attack detection) are defined as the following: Connection failures (DNS lookup errors, connection refused, connection timed out, host unreachable, and so on) HTTP response codes returned to the client: 501 (Not Implemented), 502 (BadGateway), 503 (Service Unavailable), or 504 (Gateway Timeout)

block | unblock

ip_address [minutes]

default blockaction

drop | sendtcp-rst

default connection-limit

integer

default failurelimit

integer

If the appliance serves an exception page to the client instead of serving a page returned by the server, the response code associated with the exception is used to decide if it was a failure or not. If the connection succeeds and returns a 302, 404, 500, and so on, it is not counted as a failure for attack detection.
default unblocktime minutes

Indicates the amount of time a client is blocked at the network level when the client-warning-limit is exceeded. Time must be a multiple of 10 minutes, up to a maximum of 1440. By default, the client is blocked until explicitly unblocked. This limit can be modified on a per-client basis.

1323

SGOS 6.3 Administration Guide

Table 691

Changing Global Defaults (Continued) integer

default warninglimit

Indicates the number of warnings sent to the client before the client is blocked at the network level and the administrator is notified. The default is 10; the maximum is 100. This limit can be modified on a per-client basis.

To create and edit a client IP address:

Client attack-detection configuration is used to control the behavior of virusinfected machines behind the ProxySG. 1. Verify the system is in the attack-detection client submode.
SGOS#(config) attack-detection SGOS#(config attack-detection) client SGOS#(config client)

2. Create a client.
SGOS#(config client) create {ip_address | ip_and_length}

3. Move to edit client submode.

SGOS#(config client) edit client_ip_address

The prompt changes to:

SGOS#(config client ip_address)

4. Change the client limits as necessary.

SGOS#(config client ip_address) SGOS#(config client ip_address) integer_between_1_and_65535 SGOS#(config client ip_address) integer_between_1_and_65535 SGOS#(config client ip_address) SGOS#(config client ip_address) integer_between_1_and_65535 Table 692 Changing the Client Limits drop | send-tcp-rst block-action drop | send-tcp-rst connection-limit failure-limit unblock-time minutes warning-limit

block-action

Indicates the behavior when the client is at the maximum number of connections: drop the connections that are over the limit or send TCP RST for the connection over the limit. The default is drop. Indicates the number of simultaneous connections between 1 and 65535. The default is 100. Indicates the behavior when the specified client is at the maximum number of connections: drop the connections that are over the limit or send TCP RST for the connection over the limit. The default is 50. Indicates the amount of time a client is locked out at the network level when the client-warning-limit is exceeded. Time must be a multiple of 10 minutes, up to a maximum of 1440. By default, the client is blocked until explicitly unblocked.

connection-limit failure-limit

integer integer

unblock-time

minutes

1324

Chapter 69: Preventing Denial of Service Attacks

Table 692 Changing the Client Limits (Continued) integer

warning-limit

Indicates the number of warnings sent to the client before the client is locked out at the network level and the administrator is notified. The default is 10; the maximum is 100.

To view the specified client configuration:

Enter the following command from the edit client submode:

SGOS#(config client ip_address) Client limits for 10.25.36.47: Client connection limit: Client failure limit: Client warning limit: Blocked client action: Client connection unblock time: view 700 50 10 Drop unlimited

1325

SGOS 6.3 Administration Guide

To view the configuration for all clients:

1. Exit from the edit client submode:

SGOS#(config client ip_address) exit

2. Use the following syntax to view the client configuration:

view {<Enter> | blocked | connections | statistics}

To view all settings:

SGOS#(config client) view <Enter> Client limits enabled: true Client interval: 20 minutes Default client limits: Client connection limit: 100 Client failure limit: 50 Client warning limit: 10 Blocked client action: Drop Client connection unblock time: unlimited Client limits for 10.25.36.47: Client connection limit: Client failure limit: Client warning limit: Blocked client action: Client connection unblock time: 700 50 10 Drop unlimited

To view the number of simultaneous connections to the ProxySG:

SGOS#(config client) view connections Client IP Connection Count 127.0.0.1 1 10.9.16.112 1 10.2.11.133 1

To view the number of blocked clients:

SGOS#(config client) view blocked Client Unblock time 10.11.12.13 2004-07-09 22:03:06+00:00UTC 10.9.44.73 Never

Note: There are three thresholds that dictate when a client is blocked: Number of connections Number of failures Number of warnings

A client displays as blocked when it exceeds the number of failure or the number of warnings, but not when it exceeds the number of connections.
To view client statistics:
SGOS#(config client) view statistics Client IP Failure Count 10.9.44.72 1 Warning Count 0

To disable attack-detection mode for all clients:

SGOS#(config client) disable-limits

1326