CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Rate Limiting Rules in R77.20

  1. #1
    Join Date
    2015-10-01
    Posts
    39
    Rep Power
    0

    Rate Limiting Rules in R77.20

    I want to configure rate limiting rules as described here:
    https://supportcenter.checkpoint.com...ionid=sk112454

    and I'm trying to figure out if the rate limit can be enforced per source IP. (to define a limit per source IP and drop connections violating the limit, but without specifying a particular IP).

    For example, if I add the below rule:
    fw samp add -a d quota flush true destination range:xx.xx.xx.xx service any new-conn-rate 500 track source

    In case there are more than 500 connections per second from the same source IP and at the same time there are some connections from another source IP, all connections will be blocked, or only the source violating the limit?

    As I understand the primary purpose of this is to defend against a DoS attack, therefore if there is no way to enforce this per source IP I don't really see the point (i.e. the destination service will still be unreachable).

    Thanks,
    Dave

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,231
    Rep Power
    13

    Re: Rate Limiting Rules in R77.20

    Quote Originally Posted by Dave365
    I want to configure rate limiting rules as described here:
    https://supportcenter.checkpoint.com...ionid=sk112454

    and I'm trying to figure out if the rate limit can be enforced per source IP. (to define a limit per source IP and drop connections violating the limit, but without specifying a particular IP).

    For example, if I add the below rule:
    fw samp add -a d quota flush true destination range:xx.xx.xx.xx service any new-conn-rate 500 track source

    In case there are more than 500 connections per second from the same source IP and at the same time there are some connections from another source IP, all connections will be blocked, or only the source violating the limit?

    As I understand the primary purpose of this is to defend against a DoS attack, therefore if there is no way to enforce this per source IP I don't really see the point (i.e. the destination service will still be unreachable).

    Thanks,
    Dave
    In your example the 501st new connection request in the same second will be blocked, regardless of the source IP. I think you are looking for the SecureXL "penalty box" function described here: sk74520: What is the SecureXL penalty box mechanism for offending IP addresses? Note that in an R80.20 gateway the multitude of anti-DoS capabilities such as fw sam, penalty box, and heavy load QoS that have been introduced over the years are "rolled up" a bit into a more coherent set of features.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2015-10-01
    Posts
    39
    Rep Power
    0

    Re: Rate Limiting Rules in R77.20

    Hello.

    Thank you for the clarifications. What I want to do is to limit the connections per source IP (mainly the concurrent connections). If I understand correctly, this is not exactly what penalty box does.

    There are various IPS protections that can be used for this, however it seems that all of them are based on a rate (new connections per second, HTTP requests per second, etc.) and not based on the number of concurrent active connections.

    With rate limiting rules, there is an option to limit the concurrent active connections, but it cannot be enforced per source IP (unless a particular IP is specified). Therefore, it cannot really be used to prevent i.e. a DoS attack. It will prevent the actual destination service from crashing, however the service will still be disrupted since legitimate sources will also be blocked.

    An attacker can open a huge number of connections to a server and keep them open, but establish the connections over a long time period, so it will not be detected by the rate-based protections. This can be prevented using the penalty box?

    Thanks
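To make the two points in this thread concrete, here is an added model (not Check Point code and not from either poster) of a connection quota enforced globally versus per source IP, for both the new-conn-rate limit in the fw samp rule and a concurrent-connection limit; the source addresses and the traffic stream are constructed.

```python
"""Model of a connection quota enforced globally vs per source IP.
Added illustration, not Check Point code: a global new-conn-rate quota blocks
the 501st new connection in a second whatever its source; a concurrent quota
is exhausted by slowly opened, held connections that trip no per-second rate."""
from collections import defaultdict

def new_conn_rate_quota(events, limit, per_source):
    """events: (second, src_ip) per new connection attempt, in time order.
    Returns {src_ip: (allowed, dropped)}. per_source=False shares one
    counter per second across all sources, like the fw samp rule above."""
    counters = defaultdict(int)
    outcome = defaultdict(lambda: [0, 0])
    for second, src in events:
        key = (second, src if per_source else None)
        if counters[key] < limit:
            counters[key] += 1
            outcome[src][0] += 1
        else:
            outcome[src][1] += 1
    return {s: tuple(v) for s, v in outcome.items()}

def concurrent_conn_quota(events, limit, per_source):
    """events: (src_ip, conn_id, 'open'|'close') in time order. An open is
    dropped once the tracked active count reaches limit; a close only
    counts for a connection that was admitted."""
    active, admitted = defaultdict(int), set()
    outcome = defaultdict(lambda: [0, 0])
    for src, cid, action in events:
        key = src if per_source else None
        if action == "close":
            active[key] -= cid in admitted  # ignore closes of dropped opens
        elif active[key] < limit:
            active[key] += 1
            admitted.add(cid)
            outcome[src][0] += 1
        else:
            outcome[src][1] += 1
    return {s: tuple(v) for s, v in outcome.items()}

# Constructed: 600 new connections from one source plus 20 from another, same second.
BURST = [(0, "192.0.2.66")] * 600 + [(0, "192.0.2.7")] * 20
# Constructed: 50 connections opened and held, then a second source opening/closing singly.
SLOW = [("192.0.2.66", f"a{i}", "open") for i in range(50)]
for i in range(10):
    SLOW += [("192.0.2.7", f"l{i}", "open"), ("192.0.2.7", f"l{i}", "close")]

if __name__ == "__main__":
    for mode in (False, True):
        print("per-source" if mode else "global", new_conn_rate_quota(BURST, 500, mode),
              concurrent_conn_quota(SLOW, 50, mode))
```

With the global quota the second source is fully blocked in both scenarios even though it never exceeded anything itself; with the per-source quota only the offending source is dropped.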
