Managing Denial of Service Prevention

Overview

A denial of service (or "DoS") attack subjects an internet-facing endpoint to a large number of connection attempts, ultimately overwhelming that endpoint's ability to respond and preventing it from accepting legitimate connections.

Micro Edge 6.1 enables the admin to define a threshold for connections and automatically block any host which exceeds that threshold, preventing outages by protecting the network from TCP SYN flooding and similar types of network attacks. 

 

Configuring Denial of Service Prevention

In the Micro Edge local UI, go to Settings > Firewall > Denial of Service.

 

The toggle at the top of the page enables and disables DoS Prevention. When this module is disabled, the thresholds specified here are ignored.

Session Limits

The Session Limits section determines the thresholds at which Denial of Service Prevention will trigger.

Denial of Service Prevention monitors three types of connections: TCP sessions, UDP sessions, and ICMP sessions. Each has its own threshold, expressed in sessions per second. For example, a TCP Sessions value of 2000 will be matched any time a host creates more than 2000 TCP sessions per second.

The All Sessions attribute combines all three session types and supersedes the other settings if it is set to a lower value. For example, if All Sessions is set to 1000, then any combination of TCP, UDP, and/or ICMP sessions which exceeds 1000 will trigger Denial of Service Prevention, regardless of the individual values set for those session types.

A higher value is less sensitive, requiring more sessions to trigger. A lower value is more sensitive.

Source and Destination hosts

Source host max number of sessions refers to a host which has created the specified number of sessions. 

Destination host max number of sessions refers to a host which receives the specified number of sessions.

In both cases, directionality is not important: a host creating an excessive number of sessions can be either inside or outside of the network. All that matters is that it creates the requisite number of connections.

 

Block Actions

When the above thresholds are met, Denial of Service Prevention will automatically block the offending host(s), refusing traffic to or from that host.

The Block Duration field determines how long, in seconds, the offending host will be unable to pass traffic through Micro Edge. Note that a value of 0 seconds disables the blocking action.

The Remove Active Sessions checkbox determines whether sessions that existed before the threshold was met will be stopped and removed from the sessions table. With this option disabled, any existing sessions are allowed to continue as normal, but any future sessions will be subject to blocking.
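
A simplified model of the threshold logic described in Session Limits, Source and Destination hosts, and Block Actions, added here as an illustration; it is not Micro Edge code. The limit values, the function names would_block and sample_traffic, and the sample sessions are constructed, and the model assumes the same per-second limits are checked for source and destination hosts.

```python
from collections import Counter

# Constructed settings named after the fields above; values are examples only.
LIMITS = {"tcp": 2000, "udp": 3000, "icmp": 500, "all": 1000}

def would_block(sessions, limits, block_duration):
    """Return {(role, host): (second, limit_name, count)} for hosts over a limit.

    sessions: iterable of (second, proto, src, dst), one tuple per new session.
    Assumption: the same per-second limits are checked for source and
    destination hosts; this models the description, not the product's code.
    """
    if block_duration == 0:          # 0 seconds disables the blocking action
        return {}
    per_second = Counter()
    for second, proto, src, dst in sessions:
        for role, host in (("source", src), ("destination", dst)):
            per_second[(second, role, host, proto)] += 1
            per_second[(second, role, host, "all")] += 1
    blocked = {}
    for (second, role, host, kind), count in sorted(per_second.items()):
        # "More than N sessions per second" triggers, so the test is strict.
        if count > limits[kind] and (role, host) not in blocked:
            blocked[(role, host)] = (second, kind, count)
    return blocked

def sample_traffic():
    """Constructed sample: one noisy client, one flood target, one quiet host."""
    s = []
    # 192.0.2.10 opens 600 TCP + 450 UDP sessions in second 0: under each
    # protocol limit, but 1050 combined exceeds All Sessions (1000).
    s += [(0, "tcp", "192.0.2.10", f"198.51.100.{i % 200}") for i in range(600)]
    s += [(0, "udp", "192.0.2.10", f"198.51.100.{i % 200}") for i in range(450)]
    # 600 different sources each open one ICMP session to 203.0.113.5 in
    # second 1: no source stands out, but the destination exceeds ICMP (500).
    s += [(1, "icmp", f"10.0.{i // 250}.{i % 250}", "203.0.113.5") for i in range(600)]
    # 192.0.2.20 opens 900 TCP sessions over seconds 2..4 (300 per second).
    s += [(2 + i % 3, "tcp", "192.0.2.20", "203.0.113.9") for i in range(900)]
    return s

if __name__ == "__main__":
    hits = would_block(sample_traffic(), LIMITS, 300)
    for (role, host), (sec, kind, n) in hits.items():
        print(f"{role} {host}: {n} {kind} sessions in second {sec}")
```

Replaying recorded session data through a model like this before lowering a threshold shows which legitimate hosts (busy DNS resolvers, NAT gateways, scanners run by the admin) would be caught by the new value.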

 

Configuring a Micro Edge Template with Denial of Service Prevention

ETM Dashboard enables the admin to create a Micro Edge Template which can be applied to multiple Micro Edge deployments. This option is found in the Create New dialogue under Global > Denial of Service.

For more information on creating and applying Templates, please see Managing Micro Edge Policies in ETM Dashboard: Templates.
