Firewall denial of service protection
A stateful firewall or NAT creates a session for each traffic flow matching that firewall or NAT provided it is not blocked. This applies to both connection-oriented protocols (for example, TCP) and nonconnection-oriented protocols (for example, UDP and ICMP echo).
- Monitor the number of sessions, rate of session creation, and time last session was created
- Limit the maximum number of half-open sessions
- Rate-limit new sessions
Maximum half-open sessions
The definition of a half-open session depends upon the protocol. For TCP, a session is deemed to be half open while it is going through the SYN, SYN-ACK, and ACK three-way handshake. For nonconnection-oriented protocols, a session is deemed half open when traffic has been seen only in the forward direction.
A half-open session has a default timeout period of 30 seconds. If no further traffic is seen on this session for that time period, the session is "expired". An expired session then exists for a further 5 to 10 seconds before it is deleted and memory released. Once expired, a session is not available to traffic.
When the maximum half-open limit is reached, a matching packet is prevented from creating a session.
Session rate limiting
Session rate limiting limits the maximum rate at which a session can be created. A "rate" value and a "burst" value may be configured. These values combine to determine the interval over which the rate limiting is evaluated. For example, if the rate limit is 20 sessions per second, and the burst is 100 sessions, the interval is 5 seconds (100/20). A maximum of 100 new sessions is allowed during that 5-second interval. In the show command output, the interval is shown in milliseconds.
When the rate-limit rate is reached, a matching packet is prevented from creating a session.
Rate limiting itself limits the maximum number of half-open sessions. For example, if the rate limit is 20 sessions per second and the default timeout of 30 seconds applies, the maximum number of half-open sessions is 600 sessions (20 x 30, that is, the number of sessions that can be created before the oldest expires).
If the rate limiting and maximum half-open features are combined, with a rate limit of 20 sessions per second and a maximum half-open value of 300, then it takes 15 seconds (300/20) for the maximum half-open limit to be reached.
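As an added worked example (not the vendor's code or configuration), the following Python simulation reproduces the arithmetic in the "Maximum half-open sessions" and "Session rate limiting" sections above: the evaluation interval (burst/rate), the 600 half-open sessions that rate limiting alone allows at 20 sessions per second with the 30-second timeout, and the 15 seconds it takes to reach a maximum half-open value of 300. The page does not describe the implementation, so the simulation assumes a sliding-window rate limiter (at most burst sessions in any interval) and a flood in which every packet is the forward-direction packet of a new flow that never completes. The 15-second figure in the text assumes a smooth 20 sessions per second, so the combined scenario uses a burst of 1; with a burst of 100 the limit is reached sooner.

```python
"""Added worked example (not vendor code): simulate session rate limiting
(rate + burst) and a maximum half-open session limit, and reproduce the
figures given in the text.

Assumptions (the page does not specify the implementation):
- time advances in whole milliseconds;
- rate limiting is a sliding window: at most `burst` sessions may be
  created in any window of burst/rate seconds, giving a long-term average
  of `rate` sessions per second;
- every packet belongs to a new flow that never completes, so each created
  session stays half open until the 30-second default timeout expires it.
"""
from collections import deque

HALF_OPEN_TIMEOUT_MS = 30_000   # default half-open timeout from the text


class SessionLimiter:
    def __init__(self, rate=0, burst=0, max_halfopen=0):
        self.rate = rate                  # new sessions per second, 0 = no rate limit
        self.burst = burst                # sessions allowed per evaluation interval
        self.max_halfopen = max_halfopen  # 0 = no half-open limit
        self.window = deque()             # creation times inside the rate window
        self.half_open = deque()          # creation times of half-open sessions
        self.created = self.blocked = self.peak_halfopen = 0
        self.limit_reached_at = None      # first time (ms) the half-open count hit the maximum

    def interval_ms(self):
        """Evaluation interval burst/rate in milliseconds, as the show command reports it."""
        return self.burst * 1000 // self.rate if self.rate else 0

    def _expire(self, now):
        # A session idle for the full timeout is expired and no longer counts as half open.
        while self.half_open and now - self.half_open[0] >= HALF_OPEN_TIMEOUT_MS:
            self.half_open.popleft()

    def offer(self, now):
        """A packet at time `now` (ms) wants to create a session; return True if allowed."""
        self._expire(now)
        # Maximum half-open check: a matching packet may not create a session.
        if self.max_halfopen and len(self.half_open) >= self.max_halfopen:
            self.blocked += 1
            return False
        # Rate-limit check: at most `burst` creations in the last interval_ms.
        if self.rate:
            while self.window and self.window[0] <= now - self.interval_ms():
                self.window.popleft()
            if len(self.window) >= self.burst:
                self.blocked += 1
                return False
            self.window.append(now)
        self.half_open.append(now)
        self.created += 1
        self.peak_halfopen = max(self.peak_halfopen, len(self.half_open))
        if self.limit_reached_at is None and len(self.half_open) == self.max_halfopen:
            self.limit_reached_at = now
        return True


def flood(limiter, seconds, pps=1000):
    """Offer `pps` new-flow packets per second for `seconds`; return the limiter."""
    step = 1000 // pps
    for now in range(0, seconds * 1000, step):
        limiter.offer(now)
    return limiter


def rate_limit_only(rate=20, burst=100, seconds=60):
    """Text: rate limiting alone caps half-open sessions at rate x timeout = 20 x 30 = 600."""
    lim = flood(SessionLimiter(rate=rate, burst=burst), seconds)
    return {"interval_ms": lim.interval_ms(), "created": lim.created,
            "peak_halfopen": lim.peak_halfopen, "blocked": lim.blocked}


def combined(rate=20, max_halfopen=300, seconds=60):
    """Text: with 20/s and max half-open 300 the limit is reached after 300/20 = 15 s.
    burst=1 gives the smooth 20 sessions per second the text's arithmetic assumes."""
    lim = flood(SessionLimiter(rate=rate, burst=1, max_halfopen=max_halfopen), seconds)
    return {"limit_reached_at_ms": lim.limit_reached_at,
            "peak_halfopen": lim.peak_halfopen, "blocked": lim.blocked}


if __name__ == "__main__":
    print("rate limit only:", rate_limit_only())   # interval 5000 ms, peak 600 half open
    print("rate + max half-open:", combined())     # limit reached at ~15 s, peak 300
```

Running the block floods each limiter with 1000 new-flow packets per second for a minute. In the first scenario the rate limiter admits 100 sessions every 5-second interval, so the half-open count settles at 600 once sessions start expiring after 30 seconds; in the second the 300th half-open session is created at 14,950 ms, after which every further packet is blocked by the half-open limit until old sessions expire.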
DoS protection configuration considerations
DoS protection requires that you configure a system session limit parameter and a session limit group. The parameter contains the configuration and state for maximum half-open and rate-limiting. The group contains the match criteria rule set, and a list of interfaces to which that rule set is applied. The rule set contains a list of rules, each of which must reference a parameter.
Multiple interfaces can be configured on the same session limit group. A session limit group's rule set can reference multiple session limit parameters. Multiple session limit groups can reference the same session limit parameter.
- Policing of maximum half-open sessions
- Rate-limiting new sessions
A session limiter configured on an interface applies to both inbound and outbound sessions created on that interface. There is no direction (in or out) when configuring a session limit interface. The session limiter is applied to sessions that are created in both the inbound and the outbound direction, provided other firewall or NAT rules exist to create those sessions. Therefore, if a session limiter is configured for the dp0p1s1 interface, and there is only an input firewall on dp0p1s1, the session limiter applies only to inbound sessions, because no outbound sessions exist.
A session limiter can limit only sessions that are created after the session limiter is created. For example, if there are 100 half-open sessions and a session limiter is created with max-halfopen configured as 50, those 100 half-open sessions remain. Also, the session limiter counts do not include those 100 half-open sessions.