Firewall denial of service protection


A stateful firewall or NAT creates a session for each traffic flow that matches that firewall or NAT, provided the flow is not blocked. This applies to both connection-oriented protocols (for example, TCP) and non-connection-oriented protocols (for example, UDP and ICMP echo).

The Firewall Denial-of-Service Protection feature provides commands that perform the following tasks:
• Monitor the number of sessions, rate of session creation, and time last session was created
• Limit the maximum number of half-open sessions
• Rate-limit new sessions

Maximum half-open sessions

The definition of a half-open session depends upon the protocol. For TCP, a session is deemed to be half-open while it is going through the SYN, SYN-ACK, and ACK three-way handshake. For non-connection-oriented protocols, a session is deemed half-open when traffic has been seen only in the forward direction.

A half-open session has a default timeout period of 30 seconds. If no further traffic is seen on this session for that time period, the session is "expired". An expired session then exists for a further 5 to 10 seconds before it is deleted and memory released. Once expired, a session is not available to traffic.

When the maximum half-open limit is reached, a matching packet is prevented from creating a session.

Session rate limiting

Session rate limiting limits the maximum rate at which a session can be created. A "rate" value and a "burst" value may be configured. These values combine to determine the interval over which the rate-limiting is evaluated. For example, if the rate limit is 20 sessions per second, and the burst is 100 sessions, the interval is 5 seconds (100/20). A maximum of 100 new sessions is allowed during that 5-second interval. In the show command output, the interval is shown in milliseconds.

When the rate-limit rate is reached, a matching packet is prevented from creating a session.

Rate limiting itself limits the maximum number of half-open sessions. For example, if the rate limit is 20 sessions per second and the default timeout of 30 seconds applies, the maximum number of half-open sessions is 600 sessions (20 x 30, that is, the number of sessions that can be created before the oldest expires).

If the rate-limiting and maximum half-open features are combined, with a rate limit of 20 sessions per second and a maximum half-open value of 300, then it takes 15 seconds (300/20) for the maximum half-open limit to be reached.
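To make the arithmetic in the paragraphs above concrete, here is a small Python model of a session limit parameter. It is an added example, not the vendor's implementation: new-session attempts pass an optional max-halfopen check and an optional rate limit, and every accepted session stays half-open until the 30-second default timeout. The traffic it feeds in is constructed: evenly spaced packets that each try to open a session and never complete the handshake, which is the situation the half-open limit exists for. Three things are assumptions rather than page facts: the rate limit is evaluated as "at most burst sessions per fixed interval of burst/rate seconds", an unconfigured burst equals the rate (taken from the MAXRATE4 output further down, where "rate 4" with no burst shows "Max burst 4"), and all function names are my own.

```python
"""Model of a session limit parameter (added example, not vendor code).
Time is kept in integer milliseconds so the arithmetic is exact."""
from collections import deque

HALFOPEN_TIMEOUT_MS = 30_000  # default half-open timeout stated in the text


class SessionLimitParameter:
    def __init__(self, max_halfopen=None, rate=None, burst=None):
        self.max_halfopen = max_halfopen   # policing of half-open sessions, or None
        self.rate = rate                   # new sessions per second, or None
        # Assumption: an unconfigured burst equals the rate (the MAXRATE4 output
        # shows "Max burst 4" for "rate 4" with no burst configured).
        self.burst = burst if burst is not None else rate
        self.allowed = 0
        self.blocked = 0
        self.max_halfopen_seen = 0
        self._halfopen = deque()   # creation times (ms) of sessions still half-open
        self._window = None        # index of the current rate-limit interval
        self._window_count = 0     # sessions created in that interval

    @property
    def interval_ms(self):
        """Evaluation interval = burst / rate, the figure 'show session limit' prints."""
        return None if self.rate is None else self.burst * 1000 // self.rate

    def _expire(self, now_ms):
        # A half-open session that saw no further traffic for the timeout expires.
        while self._halfopen and now_ms - self._halfopen[0] >= HALFOPEN_TIMEOUT_MS:
            self._halfopen.popleft()

    def new_session(self, now_ms):
        """Decide whether a session-creating packet at now_ms may create a session."""
        self._expire(now_ms)
        if self.max_halfopen is not None and len(self._halfopen) >= self.max_halfopen:
            self.blocked += 1
            return False
        if self.rate is not None:
            # Assumption: at most 'burst' sessions per fixed interval of interval_ms.
            window = now_ms // self.interval_ms
            if window != self._window:
                self._window, self._window_count = window, 0
            if self._window_count >= self.burst:
                self.blocked += 1
                return False
            self._window_count += 1
        self.allowed += 1
        self._halfopen.append(now_ms)
        self.max_halfopen_seen = max(self.max_halfopen_seen, len(self._halfopen))
        return True


def halfopen_ceiling(rate, timeout_s=30):
    """Half-open sessions a rate limit alone permits: rate x timeout (20 x 30 = 600)."""
    return rate * timeout_s


def seconds_to_halfopen_limit(max_halfopen, rate):
    """Seconds for a flow at exactly 'rate' to fill max-halfopen (300 / 20 = 15)."""
    return max_halfopen / rate


def offer_half_open_sessions(param, per_second, duration_s):
    """Constructed traffic: evenly spaced packets that each try to open a session
    and never complete the handshake, so accepted sessions stay half-open until
    they expire. Returns the counters an operator would read off the device."""
    step_ms = 1000 // per_second
    first_block_ms = None
    for now_ms in range(0, duration_s * 1000, step_ms):
        if not param.new_session(now_ms) and first_block_ms is None:
            first_block_ms = now_ms
    return {"allowed": param.allowed, "blocked": param.blocked,
            "max_halfopen": param.max_halfopen_seen, "first_block_ms": first_block_ms}


if __name__ == "__main__":
    p = SessionLimitParameter(rate=20, burst=100)
    print("interval:", p.interval_ms, "ms")
    print(offer_half_open_sessions(p, per_second=50, duration_s=60))
    print("half-open ceiling from the rate limit alone:", halfopen_ceiling(20))
```

With rate 20 and burst 100 the model reports a 5000 ms interval and, under a flood of 50 attempts per second for a minute, never holds more than 600 half-open sessions, the 20 x 30 figure above. Adding max-halfopen 300 and offering exactly 20 attempts per second produces the first block at 15 seconds (300/20), and a parameter with only max-halfopen 200 that is offered 300 attempts reports 200 allowed and 100 blocked, which is what the MAX_HALFOPEN_200 output in the first example below shows.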

Example - limit max-halfopen TCP sessions inbound on dp0p1s1 only

Code Block
interfaces {
        dataplane dp0p1s1 {
                address 10.10.1.1/24
                firewall {
                        in ACCEPT_ALL
                }
        }
        dataplane dp0p1s2 {
                address 10.10.2.1/24
        }
}

security {
        firewall {
                name ACCEPT_ALL {
                        rule 10 {
                                action accept
                                session
                        }
                }
        }
}

system {
        session {
                limit {
                        group {
                                name PROTOTCP {
                                        interface dp0p1s1
                                        rule 10 {
                                                parameter MAX_HALFOPEN_200
                                                protocol tcp
                                        }
                                }
                        }
                        parameter {
                                name MAX_HALFOPEN_200 {
                                        max-halfopen 200
                                }
                        }
                }
        }
}

The session limiter is configured on interface dp0p1s1, which means it is applied to both inbound and outbound sessions created on that interface. However, because there is only an inbound firewall on dp0p1s1, the session limiter only 'sees' inbound sessions.

Code Block
Session limit parameter "MAX_HALFOPEN_200":
    Sessions allowed                                                               200
    Sessions blocked                                                               100
    Current session counts (estab/half-open/terminating)                     [0:200:0]
    Max session counts (estab/half-open/terminating)                         [0:200:0]
    Time since last session created                                              23.0s
    Sessions per sec avg (1sec/1min/5mins)                                     [0:0:0]
    Max sessions per sec avg (1sec/1min/5mins)                                 [0:0:0]
    Time since max sessions per sec (1sec/1min/5mins)              [never:never:never]
    Time since last session blocked                                              23.0s
    Max sessions blocked per sec avg (1sec/1min/5mins)                         [0:0:0]
    Features                                                              max-halfopen
    Max half-open sessions                                
        Maximum                                                                    200
        Sessions blocked                                                           100

Session limit group "PROTOTCP":
    Active on (dp0p1s1)
    rule    parameter  proto           allowed         blocked        
    ----    ---------  -----           -------         -------        
    10      PARAM1     tcp             200             100            
    condition - proto tcp 

Example - rate-limit TCP sessions inbound on dp0p1s1 and dp0p1s2

Code Block
interfaces {
        dataplane dp0p1s1 {
                address 10.10.1.1/24
                firewall {
                        in FW1
                }
        }
        dataplane dp0p1s2 {
                address 10.10.2.1/24
                firewall {
                        in FW1
                }
        }
}

security {
        firewall {
                name FW1 {
                        rule 10 {
                                action accept
                                session
                        }
                }
        }
}

system {
        session {
                limit {
                        group {
                                name GROUP1 {
                                        interface dp0p1s1
                                        interface dp0p1s2
                                        rule 10 {
                                                parameter PARAM1
                                                protocol tcp
                                        }
                                }
                        }
                        parameter {
                                name PARAM1 {
                                        rate-limit {
                                                rate 10
                                                burst 20
                                        }
                                }
                        }
                }
        }
}

Code Block
v@vm-rtr-1# run sh session limit
Session limit parameter "PARAM1":
    Sessions allowed                                                              1477
    Sessions blocked                                                              9751
    Current session counts (estab/half-open/terminating)                     [0:482:0]
    Max session counts (estab/half-open/terminating)                         [0:482:0]
    Time since last session created                                               0.0s
    Sessions per sec avg (1sec/1min/5mins)                                    [11:7:2]
    Max sessions per sec avg (1sec/1min/5mins)                                [11:9:2]
    Time since max sessions per sec (1sec/1min/5mins)                 [0.0s:4.8m:1.2m]
    Time since last session blocked                                               0.0s
    Max sessions blocked per sec avg (1sec/1min/5mins)                     [691:156:0]
    Features                                                                rate-limit
    Rate limit                                            
        Rate sessions/second                                                        10
        Max burst                                                                   20
        Interval (milliseconds)                                                   2000
        Sessions blocked                                                          9751

Session limit group "GROUP1":
    Active on (dp0p1s2)
    rule    parameter  proto           allowed         blocked        
    ----    ---------  -----           -------         -------        
    10      PARAM1     tcp             0               0              
    condition - proto tcp 

Session limit group "GROUP1":
    Active on (dp0p1s1)
    rule    parameter  proto           allowed         blocked        
    ----    ---------  -----           -------         -------        
    10      PARAM1     tcp             1477            9751           
    condition - proto tcp 

Example - using the global session limiter to rate-limit all sessions created on all interfaces.

Code Block
interfaces {
        dataplane dp0p1s1 {
                address 10.10.1.1/24
                firewall {
                        in FW1
                }
        }
        dataplane dp0p1s2 {
                address 10.10.2.1/24
                firewall {
                        in FW1
                }
        }
}

security {
        firewall {
                name FW1 {
                        rule 10 {
                                action accept
                                session
                        }
                }
        }
}

system {
        session {
                limit {
                        global {
                                rate-limit {
                                        rate 20
                                        burst 50
                                }
                        }
                }
        }
}

Code Block
v@vm-rtr-1# run sh session limit
Session limit parameter "global":
    Sessions allowed                                                               683
    Sessions blocked                                                                13
    Current session counts (estab/half-open/terminating)                     [0:352:0]
    Max session counts (estab/half-open/terminating)                         [0:392:0]
    Time since last session created                                               0.0s
    Sessions per sec avg (1sec/1min/5mins)                                    [11:7:0]
    Max sessions per sec avg (1sec/1min/5mins)                                [11:7:0]
    Time since max sessions per sec (1sec/1min/5mins)               [0.0s:25.0s:never]
    Time since last session blocked                                               3.0s
    Max sessions blocked per sec avg (1sec/1min/5mins)                         [0:0:0]
    Features                                                                rate-limit
    Rate limit                                            
        Rate sessions/second                                                        10
        Max burst                                                                   50
        Interval (milliseconds)                                                   5000
        Sessions blocked                                                            13

Session limit group "global":
    rule    parameter  proto           allowed         blocked        
    ----    ---------  -----           -------         -------        
    default global     any             683             13             
    condition - all 

Example - rate-limit TCP, UDP and ICMP sessions with a single rate-limit parameter, whilst maintaining separate counts for each protocol

Code Block
interfaces {
        dataplane dp0p1s1 {
                address 10.10.1.1/24
                firewall {
                        in ACCEPT_ALL
                }
        }
}

security {
        firewall {
                name ACCEPT_ALL {
                        rule 10 {
                                action accept
                                session
                        }
                }
        }
}

system {
        session {
                limit {
                        group {
                                name LIMIT_GROUP1 {
                                        interface dp0p1s1
                                        rule 10 {
                                                parameter MAXRATE4
                                                protocol udp
                                        }
                                        rule 20 {
                                                parameter MAXRATE4
                                                protocol tcp
                                        }
                                        rule 30 {
                                                parameter MAXRATE4
                                                protocol icmp
                                        }
                                }
                        }
                        parameter {
                                name MAXRATE4 {
                                        rate-limit {
                                                rate 4
                                        }
                                }
                        }
                }
        }
}

After sending 100 packets each of UDP, TCP and ICMP (with different ports and/or source addresses):

Code Block
Session limit parameter "MAXRATE4":
    Sessions allowed                                                               111
    Sessions blocked                                                               189
    Current session counts (estab/half-open/terminating)                       [0:0:0]
    Max session counts (estab/half-open/terminating)                          [0:74:0]
    Time since last session created                                               1.9m
    Sessions per sec avg (1sec/1min/5mins)                                     [0:0:0]
    Max sessions per sec avg (1sec/1min/5mins)                                 [4:0:0]
    Time since max sessions per sec (1sec/1min/5mins)               [1.9m:never:never]
    Time since last session blocked                                               1.9m
    Max sessions blocked per sec avg (1sec/1min/5mins)                         [7:0:0]
    Features                                                                rate-limit
    Rate limit                                            
        Rate sessions/second                                                         4
        Max burst                                                                    4
        Interval (milliseconds)                                                   1000
        Sessions blocked                                                           189

Session limit group "LIMIT_GROUP1":
    Active on (dp0p1s1)
    rule    parameter  proto           allowed         blocked        
    ----    ---------  -----           -------         -------        
    10      PARAM1     udp             37              63             
    condition - proto udp 

    20      PARAM1     tcp             37              63             
    condition - proto tcp 

    30      PARAM1     icmp            37              63             
    condition - proto icmp 
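The counters in these outputs are the signal an operator watches: "Sessions blocked" rising on a parameter, or on one rule of a group, means the limiter is actively refusing session attempts. The following Python, an added example and not vendor code, parses the "show session limit" text into dictionaries and turns it into findings. Its sample input is the MAXRATE4 and LIMIT_GROUP1 output above, abridged; the 10% blocked threshold, the regexes' reliance on the column layout shown on this page, and the function names are assumptions.

```python
"""Turn 'show session limit' output into findings (added example, not vendor
code). The regexes assume the column layout shown in the outputs on this page."""
import re

# Constructed sample: the MAXRATE4 parameter and LIMIT_GROUP1 group output above, abridged.
SAMPLE = '''Session limit parameter "MAXRATE4":
    Sessions allowed                                                               111
    Sessions blocked                                                               189
    Max session counts (estab/half-open/terminating)                          [0:74:0]
    Time since last session blocked                                               1.9m
    Features                                                                rate-limit
    Rate limit
        Rate sessions/second                                                         4
        Max burst                                                                    4
        Interval (milliseconds)                                                   1000
        Sessions blocked                                                           189

Session limit group "LIMIT_GROUP1":
    Active on (dp0p1s1)
    rule    parameter  proto           allowed         blocked
    ----    ---------  -----           -------         -------
    10      PARAM1     udp             37              63
    condition - proto udp

    20      PARAM1     tcp             37              63
    condition - proto tcp

    30      PARAM1     icmp            37              63
    condition - proto icmp
'''

PARAM_RE = re.compile(r'^Session limit parameter "([^"]+)":')
GROUP_RE = re.compile(r'^Session limit group "([^"]+)":')
KV_RE = re.compile(r'^( +)(\S.*?\S)\s{2,}(\S+)\s*$')   # "label   value" rows
RULE_RE = re.compile(r'^\s+(\d+|default)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$')


def parse_show_session_limit(text):
    """Return ({parameter: fields}, {group: {"rules": [...]}}). Fields under a
    sub-heading such as 'Rate limit' are keyed 'Rate limit/<label>' so the
    per-feature 'Sessions blocked' does not overwrite the parameter total."""
    params, groups, current, section = {}, {}, None, None
    for line in text.splitlines():
        if m := PARAM_RE.match(line):
            current, section = params.setdefault(m.group(1), {}), None
        elif m := GROUP_RE.match(line):
            current, section = groups.setdefault(m.group(1), {"rules": []}), None
        elif current is None or not line.strip() or \
                line.strip().startswith(("rule ", "----", "condition", "Active on")):
            continue
        elif (m := RULE_RE.match(line)) and "rules" in current:
            rule, param, proto, allowed, blocked = m.groups()
            current["rules"].append({"rule": rule, "parameter": param, "proto": proto,
                                     "allowed": int(allowed), "blocked": int(blocked)})
        elif m := KV_RE.match(line):
            indent, key, value = m.groups()
            if len(indent) > 4 and section:
                key = f"{section}/{key}"
            current[key] = int(value) if value.isdigit() else value
        elif not line.startswith("        "):
            section = line.strip()   # sub-heading: "Rate limit", "Max half-open sessions"
    return params, groups


def check_limiter(params, groups, threshold=0.10):
    """Findings worth alerting on: a limiter blocking a noticeable share of session
    attempts, or a printed interval that does not equal burst / rate (assumed threshold)."""
    findings = []
    for name, p in params.items():
        allowed, blocked = p.get("Sessions allowed", 0), p.get("Sessions blocked", 0)
        if allowed + blocked and blocked / (allowed + blocked) >= threshold:
            findings.append(f"parameter {name}: {blocked} of {allowed + blocked} session "
                            f"attempts blocked, last {p.get('Time since last session blocked', '?')} ago")
        rate, burst = p.get("Rate limit/Rate sessions/second"), p.get("Rate limit/Max burst")
        interval = p.get("Rate limit/Interval (milliseconds)")
        if rate and burst and interval is not None and interval != burst * 1000 // rate:
            findings.append(f"parameter {name}: interval {interval} ms is not burst/rate")
    for name, g in groups.items():
        for r in g["rules"]:
            total = r["allowed"] + r["blocked"]
            if total and r["blocked"] / total >= threshold:
                findings.append(f"group {name} rule {r['rule']} ({r['proto']}): "
                                f"{r['blocked']} of {total} blocked")
    return findings


if __name__ == "__main__":
    for finding in check_limiter(*parse_show_session_limit(SAMPLE)):
        print(finding)
```

Run against the sample, the parser reports the parameter blocking 189 of 300 attempts and each of the three protocol rules blocking 63 of 100; the interval check is silent because 4 x 1000 / 4 is the 1000 ms the device printed. Polling the command and diffing "Sessions blocked" between runs is the practical use, since a parameter with neither feature configured still keeps these counters.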

Example - session limit outbound SNAT sessions on interface dp0p1s2

Code Block
interfaces {
        dataplane dp0p1s1 {
                address 10.10.1.1/24
        }
        dataplane dp0p1s2 {
                address 10.10.2.1/24
        }
        dataplane dp0p1s3 {
                address 10.10.3.1/24
        }
}

service {
        nat {
                source {
                        rule 10 {
                                outbound-interface dp0p1s2
                                translation {
                                        address masquerade
                                }
                        }
                }
        }
}

system {
        session {
                limit {
                        group {
                                name GROUP1 {
                                        interface dp0p1s2
                                        rule 10 {
                                                parameter PARAM1
                                        }
                                }
                        }
                        parameter {
                                name PARAM1 {
                                        rate-limit {
                                                rate 4
                                        }
                                }
                        }
                }
        }
}

DoS protection configuration considerations

DoS protection requires that you configure a system session limit parameter and a session limit group. The parameter contains the configuration and state for maximum half-open and rate-limiting. The group contains the match criteria rule set and a list of interfaces to which that rule set is applied. The rule set contains a list of rules, each of which must reference a parameter.

Multiple interfaces can be configured on the same session limit group. A session limit group's rule set can reference multiple session limit parameters. Multiple session limit groups can reference the same session limit parameter.

A session limit parameter can be configured with one, both, or neither of the following features:
• Policing of maximum half-open sessions
• Rate-limiting new sessions

Info

If not configured with either feature, the session limit parameter just gathers session rate and statistics information.

A session limiter configured on an interface applies to both inbound and outbound sessions created on that interface. There is no direction (in or out) when configuring a session limit interface. The session limiter is applied to sessions that are created for both inbound and outbound if other firewall or NAT rules exist to create those sessions. Therefore, if a session limiter is configured for the dp0p1s1 interface, and there is only an input firewall on dp0p1s1, the session limiter applies only to inbound sessions because no outbound sessions exist.

A session limiter can limit only sessions that are created after the session limiter is created. For example, if there are 100 half-open sessions and a session limiter is created with max-halfopen configured

Session and packet logging
