10-22-2008 05:11 PM - edited 03-09-2019 09:43 PM
Hi,
Extreme newbie here with CSA...
We have problems with excessive connections to our web server - The web server guy says the box gets brought to its knees with the sheer volume.
So we'd like to set a threshold, and block connection to IIS for IPs that exceed the threshold.
I was looking at the Connection Rate Limit type rule, trying to figure out if that's what it does, or if I could create a new Connection Rate Limit rule that did this.
Suppose the defaults:
Applications ............ = Apache... and IIS... (built-in definitions)
Attempt to act .......... = server
Net Services ............ = $UDP and $TCP (built in)
Communicating with ...... = specific
hosts having addresses .. = all
local interfaces ........ = all
over limit .............. = 100 (connections)
in ...................... = 5 (minutes)
Does that cause connection #101 and up from IP address 10.10.10.5 to ANY port to be denied?
Or, connection #101 and up from IP address 10.10.10.5 to any GIVEN port to be denied?
Would people mostly confine this to port 80? Or do people generally just go with the default ports?
Any thoughts/suggestions/direction most sincerely appreciated...
Linnea
10-23-2008 02:05 PM
If these connections are from specific hosts (I'd check the hosts if you can) the default rule for IIS and Apache should suffice.
The rule causes any subsequent connections from specific hosts to IIS and Apache above the specified rate to be denied.
It will still allow connections from other hosts.
If these are from different hosts, you'd want to create an allow rule that only allows up to a specific number of connections from all hosts.
Tom
10-24-2008 09:27 AM
Hey...
Thanks. Two more questions -
1. If you limit connections per minute from all hosts, legitimate traffic could be blocked - Right?
2. We're not sure if the traffic condition we're trying to prevent actually produces individual connections (I've got the connection rate limit rule in test mode now, so we should get some info that way) - The web server guy says the problem is characterized by 100s or more GET requests from a specific IP address. Is one of the rule types capable of identifying a rate of GETs from a specific IP?
(I'll be looking at the rules, but if anyone can put me on the right track, I'd appreciate it...)
Linnea
10-24-2008 11:12 AM
It sounds like the default rule should work for you.
To answer your questions:
1. Yes
2. The default rule should track all requests from specific hosts and deny any above the limit you set.
Other hosts should not be affected.
You could create another rule that tracks requests from that specific IP address.
Hopefully it's one of yours and you can deal with its problem.
HTH
Tom
10-24-2008 04:42 PM
OK,
I read the default rule as blocking connections - I think I've seen multiple GETs in a single stream, and I was understanding "connection" to be synonymous with stream. If a host could pound you with GETs in a single connection, it seemed you'd need some other rule type.
It's not one of ours - It's from outside, and the behaviour hops all over IP addresses, from Eastern Europe, Asia, Australia, etc.
Anyway, seems you are saying that if the GETs are coming fast and furious, there will also be connections coming fast and furious, so connection rate limit will help. Right?
Linnea
10-25-2008 09:51 PM
A connection rate limit should help if connections are the problem.
I'm not a web guru by any stretch but
multiple GETs should not affect server performance unless they are associated with a web app or caching.
If that's the case, the web admins may need to look at how the site processes those requests.
Tom
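As an added illustration of the connection-versus-request distinction this thread turns on (example code written for this page, not CSA's own logic and not from any poster), the script below replays constructed web-log records and counts, per client IP, distinct connections and individual requests over a sliding window with an "over limit N in M minutes" threshold. The `conn_id` field is a hypothetical tag for the TCP connection a request arrived on; real IIS logs do not carry it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "date time client_ip conn_id method path".
# conn_id is an assumed tag for the TCP connection (one keep-alive stream
# can carry many GETs); it is not a field real IIS logs provide.
SAMPLE_LOG = """\
2008-10-24 10:00:00 10.10.10.5 c1 GET /index.htm
2008-10-24 10:00:00 10.10.10.5 c1 GET /a.gif
2008-10-24 10:00:01 10.10.10.5 c1 GET /b.gif
2008-10-24 10:00:01 10.10.10.5 c1 GET /c.gif
2008-10-24 10:00:02 192.0.2.7 c2 GET /index.htm
2008-10-24 10:00:03 192.0.2.7 c3 GET /index.htm
2008-10-24 10:00:04 192.0.2.7 c4 GET /index.htm
2008-10-24 10:00:05 192.0.2.7 c5 GET /index.htm
2008-10-24 10:09:00 192.0.2.7 c6 GET /index.htm
"""

def parse(log):
    """Turn log text into (timestamp, ip, conn_id, method) tuples."""
    events = []
    for line in log.splitlines():
        date, time, ip, conn, method, _path = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), ip, conn, method))
    return events

def over_limit(events, limit, window, per_connection):
    """Return {ip: peak_count} for clients whose count inside any sliding
    `window` exceeds `limit`. per_connection=True counts distinct TCP
    connections (what a connection rate limit sees); False counts requests
    (what a GET-flood over a single keep-alive stream looks like)."""
    if per_connection:
        # Collapse each connection to its first request so it counts once.
        first = {}
        for ts, ip, conn, _ in events:
            first.setdefault((ip, conn), (ts, ip, conn, None))
        events = list(first.values())
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip, *_ in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

if __name__ == "__main__":
    ev, lim, win = parse(SAMPLE_LOG), 3, timedelta(minutes=5)
    print("connections over limit:", over_limit(ev, lim, win, True))
    print("requests over limit:   ", over_limit(ev, lim, win, False))
```

With the limit set to 3 in 5 minutes, 192.0.2.7 trips both counters while 10.10.10.5 trips only the request counter, since all of its GETs rode one connection.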