IPS not blocking

Hi AreshAreshi 

Have you configured it using WAF or DNAT? You can set Anti-DoS/Flooding under Network Protection > Intrusion Prevention > Anti-DoS/Flooding.

Hi Jay,

We are using WAF for this website. our Anti-DoS/Flooding is at the default. any idea to what should be set to just allow the normal rate of downloading in 1 second?

Thanks

Hi AreshAreshi 

I'd like to quote from the UTM online help:

Note – It is important to enter reasonable values here, for if you set the rate too high, your webserver, for instance, might fail because it cannot deal with such an amount of SYN (TCP) packets. On the other hand, if you set the rate too low, your gateway might show some unpredictable behavior by blocking regular SYN (TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values by numbers that are appropriate for your system.

Ideally, you should calculate this value for your webserver based on the average packet rate or at the rate you would like to control the traffic. If you select the mode as Source and destination addresses or Source address only, it will not impact any other connections going to the webserver apart from the source IP going above the specified limit.

Hi jay,

Thanks again for your reply,

maybe you can help us with this,

we see this entery in the WAF log and repeted 70 times each time for a different .jpg files.

2019:12:19-09:38:50 securitysrv1-1 httpd: id="0299" srcip="42.56.33.53" localip="62.XX.XX.184" size="0" user="-" host="42.56.33.53" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1318701" url="/cc/imageproxy.ashx" server="www.mywebURL.fr" port="80" query="?server=10.0.10.19&port=17564&filename=images%2fIFN-53179661_files/17/0_0.jpg"

Does setting the the SYN(TCP) to lower number would stop this as well? or we cannot stop this at the UTM level? we want only IP's that behaving as above to be allowed to do so.

Thanks

Hi AreshAreshi 

If the logs entry is repeated but it shows a different image every time, it should not be a concern. Multiple logs will be generated if your page contains multiple images. It will log the request for each individual content that the browser will request to present the entire page to the client screen.

Hi Jay,

Thanks for your reply,

you are right, for each image in the website pages we see a different entry, but in the case of problematic IP's we are sure they are downloading the images.we see sometines 80 GET requests to get an image and they download a single image in different segments

Does the option "Use TCP SYN Flood Protection" has any impact on the issue that we have? I mean to set this number from default 100, 200 to smaller number would stop the above issue?

Thanks

This should definitely help. But I can not comment on what values you should keep. PLEASE BE AWARE that if you put a lower value, you might block/drop legitimate connections.

TCP SYN Flood Protection

To employ TCP SYN flood protection, enable "Use TCP SYN Flood Protection" 

 Mode: The following modes are available: 

•  Both source and destination addresses: Select this option if you want to drop SYN packets that match both source and destination IP address. First, SYN packets are filtered that match the source IP address. Second, if there are still too many requests they will additionally be filtered according to the destination IP address. This mode is set as default. 
•  Destination address only: Select this option if you want to drop SYN packets according to the destination IP address only. 
• Source address only: Select this option if you want to drop SYN packets according to the source IP address only. 

Logging: This option lets you select the log level. The following levels are available: 

• Off: Select this log level if you want to turn logging completely off. 
• Limited: Selecting this log level will limit logging to five packets per second. This level is set as default. 
• Everything: Select this log level if you want verbose logging for all SYN (TCP) connection attempts. Note that SYN (TCP) flood attacks may lead to extensive logging. 
•  Source Packet Rate: Here you can specify the rate of packets per second that is allowed for source IP addresses. 
•  Destination Packet Rate: Here you can specify the rate of packets per second that is allowed for destination IP addresses. 

  Note: It is important to enter reasonable values here, for if you set the rate too high, your web server, for instance, might fail because it cannot deal with such an amount of SYN (TCP) packets. On the other hand, if you set the rate too low, your firewall might show some unpredictable behavior by blocking regular SYN (TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values by numbers that are appropriate for your system. Click Apply and your settings will be saved.

Then this is the only option that we have, am I right?

Yes, it is the only option.