We are having an issue with one of our websites.
Lately we have seen this website getting slower and slower. I checked the UTM logs and I can see that, from a certain country and from different IP addresses, they try to download the pictures of this website. Until now I just blocked each IP manually, but now this is getting out of hand and I cannot keep blocking them.
Downloading pictures from the website is allowed, but 70 GET requests in one second from a single IP is not right.
Is there a setting in IPS that we can use to put a limit on how many GET requests an IP can send to a web server?
Have you configured it using WAF or DNAT? You can set Anti-DoS/Flooding under Network Protection > Intrusion Prevention > Anti-DoS/Flooding.
In reply to Jaydeep:
We are using WAF for this website. Our Anti-DoS/Flooding is at the default. Any idea what should be set to just allow the normal rate of downloading in 1 second?
In reply to AreshAreshi:
I'd like to quote from the UTM online help:
Note – It is important to enter reasonable values here, for if you set the rate too high, your webserver, for instance, might fail because it cannot deal with such an amount of SYN (TCP) packets. On the other hand, if you set the rate too low, your gateway might show some unpredictable behavior by blocking regular SYN (TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values by numbers that are appropriate for your system.
Ideally, you should calculate this value for your webserver based on the average packet rate or at the rate you would like to control the traffic. If you select the mode as Source and destination addresses or Source address only, it will not impact any other connections going to the webserver apart from the source IP going above the specified limit.
Thanks again for your reply.
Maybe you can help us with this:
we see this entry in the WAF log, repeated 70 times, each time for a different .jpg file.
2019:12:19-09:38:50 securitysrv1-1 httpd: id="0299" srcip="18.104.22.168" localip="62.XX.XX.184" size="0" user="-" host="22.214.171.124" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1318701" url="/cc/imageproxy.ashx" server="www.mywebURL.fr" port="80" query="?server=10.0.10.19&port=17564&filename=images%2fIFN-53179661_files/17/0_0.jpg"
Would setting the SYN (TCP) rate to a lower number stop this as well? Or can we not stop this at the UTM level? We want only IPs that are behaving as above to be allowed to do so.
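Before lowering any Anti-DoS value it helps to confirm, from the WAF log itself, which sources actually cross the 70 requests per second mark and what the busiest well-behaved client looks like, since the earlier advice in this thread was to base the limit on the observed rate. The following is an added Python example written for this thread; it is not Sophos code and not from any poster here. It assumes the key="value" layout of the httpd log line shown above, and every IP address, hostname and file name it contains is constructed sample data (TEST-NET ranges and an .invalid hostname).

```python
import re
from collections import Counter, defaultdict

# Sophos UTM WAF (httpd) log lines carry key="value" pairs; this pulls them out.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Each line starts with a timestamp of the form 2019:12:19-09:38:50 (one-second resolution).
TS_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})')


def parse_waf_line(line):
    """Return (timestamp, fields) for one WAF log line, or None if it is not a request line."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    if "srcip" not in fields:
        return None
    return m.group(1), fields


def requests_per_second(lines, method="GET"):
    """Count requests per (srcip, second) bucket for the given HTTP method."""
    counts = Counter()
    for line in lines:
        parsed = parse_waf_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        if fields.get("method") != method:
            continue
        counts[(fields["srcip"], ts)] += 1
    return counts


def peak_per_source(counts):
    """Highest single-second request count seen from each source IP."""
    peak = defaultdict(int)
    for (ip, _ts), n in counts.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def flag_sources(counts, threshold):
    """Sources whose peak per-second rate exceeds the threshold (e.g. the 70/s seen in the thread)."""
    return {ip: n for ip, n in peak_per_source(counts).items() if n > threshold}


def normal_peak(counts, threshold):
    """Busiest second from any source that stays at or under the threshold.
    An Anti-DoS rate limit should sit comfortably above this value."""
    normal = [n for n in peak_per_source(counts).values() if n <= threshold]
    return max(normal, default=0)


def make_line(ts, srcip, filename):
    """Build a constructed sample line in the same shape as the real WAF entry."""
    return (f'{ts} securitysrv1-1 httpd: id="0299" srcip="{srcip}" localip="203.0.113.184" size="0" '
            f'user="-" host="www.example.invalid" method="GET" statuscode="200" reason="-" extra="-" '
            f'exceptions="-" time="1318701" url="/cc/imageproxy.ashx" server="www.example.invalid" '
            f'port="80" query="?server=10.0.10.19&port=17564&filename=images%2f{filename}"')


# Constructed sample log: two ordinary browsers fetching a page's images, one source pulling
# 75 images in a single second, and one non-request line that must be ignored.
SAMPLE_LINES = (
    [make_line("2019:12:19-09:38:50", "192.0.2.10", f"page_files/{i}/0_0.jpg") for i in range(3)]
    + [make_line("2019:12:19-09:38:50", "192.0.2.11", f"page_files/{i}/0_0.jpg") for i in range(2)]
    + [make_line("2019:12:19-09:38:51", "198.51.100.7", f"IFN-00000000_files/{i}/0_0.jpg") for i in range(75)]
    + ["2019:12:19-09:38:51 securitysrv1-1 httpd: server reloaded"]
)


def analyse(lines, threshold=70):
    """Summarise flagged sources and the busiest normal second for a set of log lines."""
    counts = requests_per_second(lines)
    return {"flagged": flag_sources(counts, threshold), "normal_peak": normal_peak(counts, threshold)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LINES)
    for ip, rate in report["flagged"].items():
        print(f"{ip}: peak {rate} GET/s exceeds threshold")
    print(f"busiest second from a normal client: {report['normal_peak']} GET/s")
```

Feed it the real log (one line per element) instead of SAMPLE_LINES; the gap between the flagged peaks and the normal peak is the range in which a per-source limit can be set without touching ordinary page loads.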
If the log entry is repeated but shows a different image every time, it should not be a concern. Multiple log entries will be generated if your page contains multiple images. It will log the request for each individual piece of content that the browser requests to present the entire page on the client screen.
Thanks for your reply.
You are right: for each image in the website pages we see a different entry, but in the case of the problematic IPs we are sure they are downloading the images. We sometimes see 80 GET requests to get an image, and they download a single image in different segments.
Does the option "Use TCP SYN Flood Protection" have any impact on the issue that we have? I mean, would setting this number from the default 100, 200 to a smaller number stop the above issue?
This should definitely help. But I cannot comment on what values you should keep. PLEASE BE AWARE that if you put in a lower value, you might block/drop legitimate connections.
To employ TCP SYN flood protection, enable "Use TCP SYN Flood Protection".
Mode: The following modes are available:
Logging: This option lets you select the log level. The following levels are available:
Note: It is important to enter reasonable values here, for if you set the rate too high, your web server, for instance, might fail because it cannot deal with such an amount of SYN (TCP) packets. On the other hand, if you set the rate too low, your firewall might show some unpredictable behavior by blocking regular SYN (TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values with numbers that are appropriate for your system. Click Apply and your settings will be saved.
Then this is the only option that we have, am I right?
Yes, it is the only option.