IPS not blocking

Hi Guys,

We are having an issue with one of our websites.

Lately we have seen this website getting slower and slower. I checked the UTM logs and I can see that, from a certain country and from different IP addresses, they try to download the pictures on this website. Until now I have just blocked each IP manually, but now this is getting out of hand and I cannot keep blocking them.

Downloading pictures from the website is allowed, but 70 GET requests in one second from a single IP is not right.

Is there a setting in IPS that we can use to put a limit on how many GET requests an IP can send to a webserver?

Thanks

  • Hi  

    Have you configured it using WAF or DNAT? You can set Anti-DoS/Flooding under Network Protection > Intrusion Prevention > Anti-DoS/Flooding.

  • In reply to Jaydeep:

    Hi Jay,

    We are using WAF for this website. Our Anti-DoS/Flooding is at the default. Any idea what should be set to just allow the normal rate of downloading in 1 second?

    Thanks

  • In reply to AreshAreshi:

    Hi  

    I'd like to quote from the UTM online help:

    Note – It is important to enter reasonable values here, for if you set the rate too high, your webserver, for instance, might fail because it cannot deal with such an amount of SYN (TCP) packets. On the other hand, if you set the rate too low, your gateway might show some unpredictable behavior by blocking regular SYN (TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values by numbers that are appropriate for your system.

    Ideally, you should calculate this value for your webserver based on the average packet rate, or at the rate at which you would like to control the traffic. If you select the mode Source and destination addresses or Source address only, it will not impact any other connections going to the webserver, apart from the source IP going above the specified limit.

  • In reply to Jaydeep:

    Hi jay,

    Thanks again for your reply.

    Maybe you can help us with this:

    we see this entry in the WAF log, repeated 70 times, each time for a different .jpg file.

    2019:12:19-09:38:50 securitysrv1-1 httpd: id="0299" srcip="42.56.33.53" localip="62.XX.XX.184" size="0" user="-" host="42.56.33.53" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1318701" url="/cc/imageproxy.ashx" server="www.mywebURL.fr" port="80" query="?server=10.0.10.19&port=17564&filename=images%2fIFN-53179661_files/17/0_0.jpg"

    Would setting the SYN (TCP) rate to a lower number stop this as well? Or can we not stop this at the UTM level? We only want the IPs that are behaving as above to be affected.

    Thanks

  • In reply to AreshAreshi:

    Hi  

    If the log entry is repeated but shows a different image every time, it should not be a concern. Multiple log entries will be generated if your page contains multiple images: the request for each individual piece of content that the browser fetches to present the entire page on the client screen is logged.

  • In reply to Jaydeep:

    Hi Jay,

    Thanks for your reply,

    You are right: for each image on the website pages we see a different entry, but in the case of the problematic IPs we are sure they are downloading the images. We sometimes see 80 GET requests to get one image; they download a single image in different segments.

    Does the option "Use TCP SYN Flood Protection" have any impact on the issue that we have? I mean, would setting this number from the default 100, 200 to a smaller number stop the above issue?

    Thanks
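The two patterns described in this thread (many different image files fetched in one second, and one image fetched in many segments) can both be picked out of the WAF log without waiting on the SYN flood counters. Below is an added example, not code from the thread or from Sophos: a small parser for the `httpd:` key="value" line format shown above, which buckets GET requests per source IP per second and reports sources that exceed a threshold, along with how many distinct URLs they asked for in that second. The threshold of 30 requests per second, the local IP and all sample lines are constructed for the example (IPs are from the RFC 5737 documentation ranges); only the field layout follows the log line posted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of a UTM WAF (httpd) log line as shown in the thread:
# <timestamp> <hostname> httpd: key="value" key="value" ...
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) httpd: (?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one WAF log line into a dict of its key="value" fields.

    Returns None for lines that are not httpd entries. The timestamp is
    converted to a datetime under the key 'timestamp'.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    fields["timestamp"] = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
    return fields


def requests_per_second(lines, method="GET"):
    """Group requests by (srcip, second); each bucket holds the requested URL+query."""
    buckets = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f is None or f.get("method") != method or "srcip" not in f:
            continue
        buckets[(f["srcip"], f["timestamp"])].append(f.get("url", "") + f.get("query", ""))
    return buckets


def find_offenders(lines, threshold=30):
    """Source IPs exceeding `threshold` GETs within any single second.

    Returns {srcip: (peak_requests_in_one_second, distinct_urls_in_that_second)}.
    A low distinct count with a high request count is the "one image fetched
    in many segments" pattern; a distinct count equal to the request count is
    either a page with many images or a bulk download of different files.
    """
    peaks = {}
    for (ip, _second), urls in requests_per_second(lines).items():
        n = len(urls)
        if n > threshold and n > peaks.get(ip, (0, 0))[0]:
            peaks[ip] = (n, len(set(urls)))
    return peaks


# ---- Constructed sample data (not real traffic) --------------------------
# The hostname and paths follow the thread's line; the IPs are RFC 5737
# documentation addresses and the local IP is made up.
LINE_TEMPLATE = (
    '{ts} securitysrv1-1 httpd: id="0299" srcip="{ip}" localip="198.51.100.184" '
    'size="0" user="-" host="{ip}" method="GET" statuscode="200" reason="-" '
    'extra="-" exceptions="-" time="1318701" url="/cc/imageproxy.ashx" '
    'server="www.example.fr" port="80" '
    'query="?server=10.0.10.19&port=17564&filename=images%2f{file}"'
)


def build_sample():
    """Return constructed log lines: one normal page view and one abusive client."""
    lines = []
    # Normal visitor: one page view, 8 distinct images in the same second.
    for i in range(8):
        lines.append(LINE_TEMPLATE.format(ts="2019:12:19-09:38:50", ip="203.0.113.20",
                                          file=f"page_files/{i}/0_0.jpg"))
    # Abusive client: 70 different .jpg files within one second ...
    for i in range(70):
        lines.append(LINE_TEMPLATE.format(ts="2019:12:19-09:38:50", ip="203.0.113.7",
                                          file=f"IFN-1_files/{i}/0_0.jpg"))
    # ... then 80 requests for the same image in the next second (segmented download).
    for _ in range(80):
        lines.append(LINE_TEMPLATE.format(ts="2019:12:19-09:38:51", ip="203.0.113.7",
                                          file="IFN-2_files/1/0_0.jpg"))
    return lines


if __name__ == "__main__":
    for ip, (count, distinct) in sorted(find_offenders(build_sample()).items()):
        print(f"{ip}: peak {count} GET/s, {distinct} distinct URL(s) in that second")
```

Run against an exported WAF log (one line per entry) the same functions give a per-source peak rate, which is the number the Anti-DoS settings discussed in this thread need as input; the SYN flood counters count connection attempts, not GET requests on an already-open keep-alive connection, so the two figures will not agree for a client that reuses connections.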

  • In reply to AreshAreshi:

    This should definitely help. But I cannot comment on what values you should keep. PLEASE BE AWARE that if you put a lower value, you might block/drop legitimate connections.

    TCP SYN Flood Protection

    To employ TCP SYN flood protection, enable "Use TCP SYN Flood Protection".

    Mode: The following modes are available:

    • Both source and destination addresses: Select this option if you want to drop SYN packets that match both source and destination IP address. First, SYN packets are filtered that match the source IP address. Second, if there are still too many requests, they will additionally be filtered according to the destination IP address. This mode is set as default.
    • Destination address only: Select this option if you want to drop SYN packets according to the destination IP address only.
    • Source address only: Select this option if you want to drop SYN packets according to the source IP address only.

    Logging: This option lets you select the log level. The following levels are available:

    • Off: Select this log level if you want to turn logging completely off.
    • Limited: Selecting this log level will limit logging to five packets per second. This level is set as default.
    • Everything: Select this log level if you want verbose logging for all SYN (TCP) connection attempts. Note that SYN (TCP) flood attacks may lead to extensive logging.

    Source Packet Rate: Here you can specify the rate of packets per second that is allowed for source IP addresses.

    Destination Packet Rate: Here you can specify the rate of packets per second that is allowed for destination IP addresses.

      Note: It is important to enter reasonable values here, for if you set the rate too high, your web server, for instance, might fail because it cannot deal with such an amount of SYN (TCP) packets. On the other hand, if you set the rate too low, your firewall might show some unpredictable behavior by blocking regular SYN (TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values by numbers that are appropriate for your system. Click Apply and your settings will be saved.

  • In reply to Jaydeep:

    Then this is the only option that we have, am I right?

  • In reply to AreshAreshi:

    Yes, it is the only option.