Overview
A Threshold Rule configuration object provides a means of detecting excessive connection activity, as well as reacting to it. An example of such abnormal activity might be an infected internal host opening repeated connections to external IP addresses. Alternatively, an external computer might try opening excessive numbers of connections to a website's public IP address. Note that the term "connection" in this context refers to all types of connections tracked by the cOS Core state engine, such as TCP, UDP or ICMP.
Threshold Actions
A threshold rule is like other security rules found in cOS Core. A filtering combination of source/destination network/interface can be specified along with a service, such as HTTP. Each Threshold Rule object can have one or more Threshold Action objects added to it as children, and these actions specify the triggering threshold quantities and what to do when the quantity is exceeded.
A Threshold Action object has the following key properties:
Action
This is the response of the rule when the limit is exceeded. Either the option Audit or Protect can be selected. These options are explained in more detail below.
Group By
The rule can be either Host or Network based. These options are explained below.
Threshold
This is the numerical limit which must be exceeded for the action to be triggered.
Threshold Type
A rule can be specified to either limit the number of connections per second or limit the total number of concurrent connections.
Connection rate limiting allows an administrator to put a limit on the number of new connections being opened per second.
Total connection limiting allows the administrator to put a limit on the total number of connections opened. This function is extremely useful when NAT pools are used since peer-to-peer applications can require large numbers of connections.
The Group By Setting
The two groupings allowed for this property are the following:
Host Based
The threshold is applied separately to connections from different IP addresses.
Network Based
The threshold is applied to all connections matching the rules as a group.
Rule Actions
When a Threshold Rule is triggered, one of the following two responses is possible:
Audit
Leave the connection intact but log the event.
Protect
Drop the triggering connection.
Audit (logging only) is the preferred option when the appropriate triggering value cannot be determined beforehand. Multiple actions for a given rule might consist of Audit for a given threshold, while the action becomes Protect for a higher threshold.
Multiple Triggered Actions
When a rule is triggered, cOS Core will perform the associated rule actions that match the condition that has occurred. If more than one action matches the condition, those matching actions are applied in the order they appear in the user interface. If several actions that have the same combination of Type and Grouping (see above for the definition of these terms) are triggered at the same time, only the action with the highest threshold value will be logged.
Exempted Connections
It should be noted that some advanced settings, known as Before Rules settings, can exempt certain types of connections for remote management from examination by the cOS Core IP rule set if they are enabled. These Before Rules settings will also exempt the connections from threshold rules if they are enabled.
Threshold Rules and ZoneDefense
Threshold rules are used in the Clavister ZoneDefense feature to block the source of excessive connection attempts from internal hosts. More information on this feature can be found in Section 7.11, ZoneDefense. If the Protect option is used, Threshold rules can be configured so that the source that triggered the rule is added automatically to a Blacklist of IP addresses or networks. If several Protect actions with blacklisting enabled are triggered at the same time, only the first triggered blacklisting action will be executed by cOS Core.
A host based action with blacklisting enabled will blacklist a single host when triggered. A network based action with blacklisting enabled will blacklist the source network associated with the rule. If the Threshold Rule is linked to a service, it is possible to block only that service.
When blacklisting is selected, the administrator can choose to leave pre-existing connections from the triggering source unaffected, or can alternatively choose to have the connections dropped by cOS Core. The length of time, in seconds, for which the source is blacklisted can also be set.
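The evaluation rules described above (host versus network grouping, rate versus total thresholds, Audit versus Protect, "only the highest threshold per Type and Grouping is logged", "only the first triggered blacklisting action is executed", and the choice of dropping or keeping established connections) interact in ways that are easier to see in a small simulation. The following Python model is an added illustration written for this page; it is not Clavister code, and the class and field names (ThresholdAction, ThresholdRule, "rate"/"total", "host"/"network") are invented for the example and do not correspond to cOS Core CLI property names. The sample addresses are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class ThresholdAction:
    """One child action of a threshold rule (names are this example's own)."""
    threshold: int          # limit that must be exceeded to trigger
    unit: str               # "rate" = new connections per second, "total" = open connections
    action: str             # "Audit" (log only) or "Protect" (drop the triggering connection)
    group_by: str           # "host" (per source IP) or "network" (the rule's whole source network)
    blacklist: bool = False
    time_to_block: int = 0  # seconds the source stays blacklisted
    ignore_established: bool = True  # True: leave pre-existing connections alone


class ThresholdRule:
    """Simulates how the actions of one threshold rule are evaluated for new connections."""

    def __init__(self, source_network, actions):
        self.net = ip_network(source_network)
        self.actions = actions                  # evaluated in the order given
        self.recent = defaultdict(deque)        # key -> timestamps of new conns in the last 1 s
        self.open = defaultdict(int)            # key -> currently open connections
        self.blacklist = {}                     # key -> time until which it is blocked

    def _keys(self, src):
        return {"host": ip_address(src), "network": self.net}

    def new_connection(self, src, now):
        """Returns (verdict, log lines, blacklisted key or None) for one new connection."""
        if ip_address(src) not in self.net:
            return "nomatch", [], None          # rule filter does not match at all
        keys = self._keys(src)
        # A blacklisted source is dropped before anything is counted.
        if any(self.blacklist.get(k, 0) > now for k in keys.values()):
            return "drop", [], None
        # Count the connection against both grouping keys.
        for k in keys.values():
            q = self.recent[k]
            q.append(now)
            while q and q[0] <= now - 1.0:      # keep a sliding one-second window
                q.popleft()
            self.open[k] += 1
        # Collect every action whose threshold is exceeded, in configured order.
        triggered = []
        for a in self.actions:
            k = keys[a.group_by]
            value = len(self.recent[k]) if a.unit == "rate" else self.open[k]
            if value > a.threshold:
                triggered.append((a, k))
        # Only the highest threshold per (type, grouping) combination is logged.
        best = {}
        for a, k in triggered:
            combo = (a.unit, a.group_by)
            if combo not in best or a.threshold > best[combo][0].threshold:
                best[combo] = (a, k)
        logs = [f"{a.action}: {a.group_by} {a.unit} > {a.threshold} for {k}" for a, k in best.values()]
        verdict, blacklisted = "allow", None
        if any(a.action == "Protect" for a, _ in triggered):
            verdict = "drop"
            for k in keys.values():             # the dropped connection never stays open
                self.open[k] -= 1
            # Only the first triggered blacklisting action is executed.
            for a, k in triggered:
                if a.blacklist:
                    self.blacklist[k] = now + a.time_to_block
                    blacklisted = str(k)
                    if not a.ignore_established:
                        self.open[k] = 0        # pre-existing connections are torn down
                    break
        return verdict, logs, blacklisted

    def close_connection(self, src):
        for k in self._keys(src).values():
            self.open[k] = max(0, self.open[k] - 1)


if __name__ == "__main__":
    rule = ThresholdRule("10.0.0.0/24", [           # constructed sample network
        ThresholdAction(3, "rate", "Audit", "host"),
        ThresholdAction(5, "rate", "Protect", "host", blacklist=True,
                        time_to_block=300, ignore_established=False),
    ])
    for i in range(7):                              # one host opens 7 connections in 0.6 s
        print(i + 1, rule.new_connection("10.0.0.5", i / 10))
    print("other host", rule.new_connection("10.0.0.9", 0.7))
```

Running the script shows the fourth and fifth connections being allowed but audited, the sixth being dropped with a single Protect log line (the Audit action at the same type and grouping is suppressed) and the host blacklisted for 300 seconds, and the seventh dropped silently as blacklisted, while a different host on the same network is unaffected because the actions are host based.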
Threshold Rules and Whitelisting
One issue that often comes up with whitelisting is how to deal with threshold rules that continue to drop traffic from IP addresses that are whitelisted. This topic is discussed in an article in the Clavister Knowledge Base at the following link:
https://kb.clavister.com/354847558
See also Section 7.10, Blacklisting/Whitelisting IP Addresses.
Example 7.9. Creating a Threshold Rule
This example considers the case of HTTP connection requests destined for an internal web server, arriving at the wan interface. A Threshold Rule object will be created that will drop all connections from a single source IP if the total new connection rate from the IP exceeds 100 per second.
In addition, after the threshold rule is triggered, all HTTP traffic from the triggering source IP will be blacklisted for 5 minutes (300 seconds).
Here, it is assumed that a SAT rule also exists which translates the destination address of wan_ip to the IP address of the protected webserver. The SAT rule definition is not described in the example.
Command-Line Interface
First create the threshold rule:
Device:/> add ThresholdRule SourceInterface=wan SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip Service=http-all Name=limit_dmz
Next, change the context to be the new rule and add a threshold action to it:
Device:/> cc ThresholdRule limit_dmz
Device:/1(limit_dmz)> add ThresholdAction Threshold=100 ThresholdUnit=Conns Action=Protect GroupBy=SourceIP BlackList=Yes BlackListBlockOnlyService=Yes BlackListTimeToBlock=300 BlackListIgnoreEstablished=No
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
First create the threshold rule:
Next, add the threshold action to the rule: