DoS Rate Limiting (samp rules) Logging

Hi Mates, 

I have configured some test Rate Limiting rules for an R80.20 VSX environment. The config was set with "monitor only" mode enabled first and the rules are in place; 

[Expert@fvsx_gateway:3]# fw samp get
operation=add uid=<5e7da64e,00000000,21c2f50a,000078b1> target=all timeout=indefinite action=drop log=log service=any source-negated=true source=cidr:172.16.0.0/12 pkt-rate=100 track=source flush=true req_type=quota


I can see that the rules are enabled and seem to be picking up traffic that should be dropped; 

[Expert@vsx_gateway:3]# fwaccel dos stats get
Firewall:
    Number of Elements in Tables:
        Penalty Box Violating IPs: 0 (size: 8192)
        Blacklist Notification Handlers: 0 (size: 1024)
SXL Device 0:
    Total Active Connections: 0
    Total New Connections/Second: 0
    Total Packets/Second: 41
    Total Bytes/Second: 4077
    Reasons Packets Dropped:
        IP Fragment: 0
        IP Option: 0
        Penalty Box: 0
        Blacklist: 0
        Rate Limit: 0
    Number of Elements in Tables:
        Penalty Box: 0 (size: 0)
        Non-Empty Blacklists: 0 (size: 0)
        Blacklisted IPs: 0 (size: 0)
        Rate Limit Matches: 154 (size: 262144)
        Rate Limit Source Only Tracks: 94 (size: 262144)
        Rate Limit Source and Service Tracks: 0 (size: 262144)

Are these violations also logged in SmartConsole Logs&Monitor?

I've checked against some of the source/dest addresses shown in the "dos_rate_matches" SecureXL table but I can't see anything that suggests that there would be a drop based on Rate Limiting. Has anyone got an example of one of these logs? 

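A small parser for the two outputs quoted above, added here as an example and not taken from the post or from Check Point: it splits the `fw samp get` rule into its fields and reads the `fwaccel dos stats get` counters so a monitoring script can flag a drop rule that counts matches but drops nothing, which is the symptom in this thread. The sample text is copied from the post (stats excerpted to the SXL Device 0 section); the "monitor-only" verdict is a heuristic assumption, not a product status.

```python
import re

# Rule line taken from the `fw samp get` output in the post above.
SAMP_RULE = ("operation=add uid=<5e7da64e,00000000,21c2f50a,000078b1> target=all timeout=indefinite "
             "action=drop log=log service=any source-negated=true source=cidr:172.16.0.0/12 "
             "pkt-rate=100 track=source flush=true req_type=quota")
# Excerpt of the `fwaccel dos stats get` output in the post (SXL Device 0 section only).
DOS_STATS = """SXL Device 0:
Reasons Packets Dropped:
Penalty Box: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0 (size: 0)
Rate Limit Matches: 154 (size: 262144)
Rate Limit Source Only Tracks: 94 (size: 262144)
"""
STAT_LINE = re.compile(r"^(?P<name>.+?): (?P<count>\d+)(?: \(size: \d+\))?$")

def parse_samp_rule(line):
    """Split one `fw samp get` line into its key=value fields (action, log, pkt-rate, track, ...)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def parse_dos_stats(text):
    """Return {"<section>/<counter>": count}; 'Penalty Box' occurs in two sections, so the prefix keeps them apart."""
    counters, section = {}, "top"
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":"):                 # section header such as "Reasons Packets Dropped:"
            section = line[:-1]
        elif (m := STAT_LINE.match(line)):
            counters[f"{section}/{m['name']}"] = int(m["count"])
    return counters

def rate_limit_status(rule, counters):
    """Matches > 0 with 0 drops on a drop rule is the pattern seen in the post; we label it as monitor-only (assumption)."""
    matches = counters.get("Number of Elements in Tables/Rate Limit Matches", 0)
    dropped = counters.get("Reasons Packets Dropped/Rate Limit", 0)
    if rule.get("action") != "drop":
        verdict = "not a drop rule"
    elif matches and not dropped:
        verdict = "matching but not dropping (consistent with monitor-only mode)"
    elif dropped:
        verdict = "dropping"
    else:
        verdict = "no matches yet"
    return {"matches": matches, "dropped": dropped, "verdict": verdict}

if __name__ == "__main__":
    rule = parse_samp_rule(SAMP_RULE)
    print(f"pkt-rate={rule['pkt-rate']} track={rule['track']} log={rule['log']}")
    print(rate_limit_status(rule, parse_dos_stats(DOS_STATS)))
```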

Re: DoS Rate Limiting (samp rules) Logging

Looks like the logs are being presented. I did some updates around actually installing the rules (using "fw samp add -t 2 quota flush true") so that may have kicked them into life. They may also just have taken some time to get through to the Mgmt device.


[Screenshot: rate_limit_rules_detected_smart_console_logs.PNG]


I haven't seen an easy way to search for these ones yet. Free text doesn't seem to work for any of the text or UIDs for the DOS rules. I had to grab the IP out of the fwaccel table ("fwaccel tab -t dos_rate_matches -f") and then search in Logs&Monitor. 


Anyone found an easier way to monitor these?
