About Attack Blocker
The Attack Blocker defends your network by sanitizing all packets the Untangle Server receives and protecting against Denial of Service (DOS) attacks.
More information is available below.
This section reviews the different settings and configuration options available for Attack Blocker.
The Status tab simply tells you if Attack Blocker is active - there are no settings to configure.
If you have a busy machine that is being affected by Attack Blocker during the course of normal operation you'll need to add an exception for it. Simply click the Exceptions tab, add the IP address and a user count, and save it. The user count is a rough estimate of the volume of traffic from the number of users selected; it's best to be conservative and move the user count up to where Attack Blocker is not limiting the box, that way if traffic spikes even more Attack Blocker can still be effective.
You may need to add exceptions for things like mail servers and routers hiding additional networks behind a NAT.
Use the following terms and definitions to understand the Event Log:
|Timestamp||The time the event took place.|
|Client Address||The source IP address of the traffic.|
|Client Interface||The network interface on which the traffic arrived at the Untangle Server.|
|Reputation||As described in How does it work?, the reputation is a relative value assigned to clients to indicate their consumption of network resources. This value is usually between 0 and 100, with larger numbers indicating greater resource consumption.|
|Limited||The number of times the source client was limited (in a period of time) corresponding to the event. For a review of what it means for clients to be limited, go to How does it work?|
|Dropped||The number of times the source client had traffic dropped (during a period of time) corresponding to the event. For a review of what it means for clients to have traffic dropped, go to How does it work?|
|Reject||The number of times the source client had a session rejected. For a review of what it means for clients to have traffic dropped, go to How does it work?|
Attack Blocker FAQs
How does Attack Blocker work?
Attack Blocker tracks traffic from all hosts (IP addresses), monitoring the number of connections and volume of data. If a given host is significantly more active than others, its reputation increases. Reputation is expressed as a number on a relative scale. Large reputation numbers indicate that a given host is consuming more resources (more connections, more bytes transferred) than its peers. By using reputation numbers to allocate resources, the Attack Blocker protects a network from Denial of Service attacks. When a host attempts to flood a network protected by the Untangle Server, the attacking host's reputation number increases so that the host moves from experiencing a limited slowdown to being denied access to protected resources.
As the load on an Untangle Server increases, it may not have enough resources to service all requests. Rather than slow everyone down, Attack Blocker takes action against hosts with the largest reputation numbers. In this way, hosts that hog all the bandwidth are allocated fewer resources while other less demanding hosts experience no change in service and performance levels. There are three actions that the Attack Blocker can take against hosts with large reputation numbers:
- Limited: Attack Blocker limits a host's access to resources inside the protected networks. The limited host experiences a mild slowdown in network performance.
- Dropped: Attack Blocker causes a host's traffic to be dropped, slowing down traffic greater than if the traffic was simply limited.
- Rejected: Attack Blocker rejects a host's traffic for a given session, temporarily preventing the host from accessing the protected networks.
The action that the Untangle Server takes depends on the reputation of the offending host. The action of rejecting traffic completely is extreme, so Attack Blocker walks a fine line between allowing hosts to be active (such as a heavily loaded email server) and shutting down a hosts' sessions that are threatening to bring down your network. In most cases, limiting the host and dropping the host's packets is enough to protect your network.
If I have one large and one small server, will the larger box develop a bad reputation?
The reputation for the larger machine will most likely be higher than the small machine. In a normal deployment this should not be a concern, however if you're experiencing slowdown under heavy load you can add an exception for the larger machine.
Does Attack Blocker affect "speed test" sites?