Rate Limiting Rules in R77.20

[Dave365]

I want to configure rate limiting rules as described here:
https://supportcenter.checkpoint.com...ionid=sk112454

and I'm trying to figure out if the rate limit can be enforced per source IP. (to define a limit per source IP and drop connections violating the limit, but without specifying a particular IP).

For example if a add the below rule:
fw samp add -a d quota flush true destination range:xx.xx.xx.xx service any new-conn-rate 500 track source

In case there are more than 500 connections per second from the same source IP and at the same time there are some connections from another source IP, all connections will be blocked, or only the source violating the limit?

As I understand the primary purpose of this is to defend against a DoS attack, therefore if there is no way to enforce this per source IP I don't really see the point (i.e. the destination service will still be unreachable).

Thanks,
Dave

[ShadowPeak.com]

I want to configure rate limiting rules as described here:
https://supportcenter.checkpoint.com...ionid=sk112454

and I'm trying to figure out if the rate limit can be enforced per source IP. (to define a limit per source IP and drop connections violating the limit, but without specifying a particular IP).

For example if a add the below rule:
fw samp add -a d quota flush true destination range:xx.xx.xx.xx service any new-conn-rate 500 track source

In case there are more than 500 connections per second from the same source IP and at the same time there are some connections from another source IP, all connections will be blocked, or only the source violating the limit?

As I understand the primary purpose of this is to defend against a DoS attack, therefore if there is no way to enforce this per source IP I don't really see the point (i.e. the destination service will still be unreachable).

Thanks,
Dave

In your example the 501st new connection request in the same second will be blocked, regardless of the source IP. I think you are looking for the SecureXL "penalty box" function described here: sk74520: What is the SecureXL penalty box mechanism for offending IP addresses?. Note that in R80.20 gateway the multitude of anti-DoS capabilities such as fw sam, penalty box, and heavy load QoS that have been introduced over the years are "rolled up" a bit into a more coherent set of features.

[Dave365]

Hello.

Thank you for the clarifications. What I want to do is to limit the connections per source IP (mainly the concurrent connections). If I understand correctly, this is not exactly what penalty box does.

There are various IPS protections that can be used for this, however it seems that all of them are based on a rate (new connections per second, HTTP requests per second, etc.) and not based on the number of concurrent active connections.

With rate limiting rules, there is an option to limit the concurrent active connections, but it cannot be enforced per source IP (unless a particular IP is specified). Therefore, it cannot really be used to prevent i.e. a DoS attack. It will prevent the actual destination service from crashing, however the service will still be disrupted since legitimate sources will also be blocked.

An attacker can open a huge number of connections to a server and keep them open, but establish the connections over a long time period, so it will not be detected by the rate-based protections. This can be prevented using the penalty box?

Thanks