how to use Connection Rate Limit rule type...

linnea.wren · ‎10-22-2008

Hi,

Extreme newbie here with CSA...

We have problems with excessive connections to our web server - The web server guy says the box gets brought to its knees with the sheer volume.

So we'd like to set a threshold, and block connection to IIS for IPs that exceed the threshold.

I was looking at the Connection Rate Limit type rule, trying to figure out if that's what it does, or if I could create a new Connection Rate Limit rule that did this.

Suppose the defaults:

Applications ............ = Apache... and IIS... (built in definitions

Attempt to act .......... = server

Net Services ............ = $UDP and $TCP (built in)

Communicating with ...... = specific

hosts having addresses .. = all

local interfaces ........ = all

over limit .............. = 100 (connections)

in ...................... = 5 (minutes)

Does that cause connection #101 and up from IP address 10.10.10.5 to ANY port to be denied?

Or, connection #101 and up from IP address 10.10.10.5 to any GIVEN port to be denied?

Would people mostly confine this to port 80? Or do people generally just go with the default ports?

Any thoughts/suggestions/direction most sincerely appreciated...

Linnea

tsteger1 · ‎10-23-2008

If these connections are from specific hosts (I'd check the hosts if you can) the default rule for IIS and Apache should suffice.

The rule causes any subsequent connections from specific hosts to IIS and Apache above the specified rate to be denied.

It will still allow connections from other hosts.

If these are from different hosts, you'd want to create an allow rule that only allows up to a specific number of connections from all hosts.

Tom

linnea.wren · ‎10-24-2008

Hey...

Thanks. Two more questions -

1. If you limit connections per minute from all hosts, legitimate traffic could be blocked - Right?

2. We're not sure if the traffic condition we're trying to prevent actually produces individual connections (I've got the connection rate limit rule in test mode now, so we should get some info that way) - The web server guy says the problem is characterized by 100s or more GET requests from a specific IP address. Is one of the rule types capable of identifying a rate of GETs from a specific IP?

(I'll be looking at the rules, but if anyone can put me on the right track, I'd appreciate it...)

Linnea

tsteger1 · ‎10-24-2008

It sounds like the default rule should work for you.

To answer your questions:

1. Yes

2. The default rule should track all requests from specific hosts and deny any above the limit you set.

Other hosts should not be affected.

You could create another rule that tracks requests from that specific IP address.

Hopefully it's one of yours and you can deal with it's problem.

HTH

Tom

linnea.wren · ‎10-24-2008

OK,

I read the default rule as blocking connections - I think I've seen multiple GETs in a single stream, and I was understanding "connection" to be synonomous with stream. If a host could pound you with GETs in a single connection, it seemed you'd need some other rule type.

It's not one of ours - It's from outside, and the behaviour hops all over IP addresses, from Eastern Europe, Asia, Australia, etc.

Anyway, seems you are saying that if the GETs are coming fast and furious, there will also be connections coming fast and furious, so connection rate limit will help. Right?

Linnea

tsteger1 · ‎10-25-2008

A connection rate limit should help if connections are the problem.

I'm not a web guru by any stretch but

multple GETS should not affect server performance unless they are associated with a web app or caching.

If that's case, the web admins may need to look at how the site process those requests.

Tom