Attack Blocker
From UntangleWiki
About Attack Blocker
The Attack Blocker is identified by the symbol. If the Attack Blocker is not installed, go to Reinstalling Software Products.
The Attack Blocker protects your network in a few ways:
- Sanitizes all packets the Untangle Server receives. This packet-cleaning is a built-in function and has no administrative settings.
- Protects against lower-level networking attacks.
- Protects against Denial of Service (DoS) attacks.
Denial Of Service Protection
Attack Blocker tracks traffic from all hosts (IP addresses). The number of connections and the volume of data are monitored. If a given host is significantly more active than others, its reputation increases. Reputation is expressed as a number on a relative scale. Large reputation numbers indicate that a given host is consuming more resources (more connections, more bytes transferred) than its peers.
As the load on an Untangle Server increases, it may not have enough resources to service all requests. Rather than slow everyone down, the Attack Blocker takes action against hosts with the largest reputation numbers. In this way, hosts that hog all the bandwidth are allocated fewer resources while other less demanding hosts experience no change in service and performance levels. There are three actions that the Attack Blocker can take against hosts with large reputation numbers.
Attack Blocker Actions
- Limited. Attack Blocker limits a host's access to resources inside the protected networks. The limited host experiences a mild slowdown in network performance.
- Dropped. Attack Blocker drops the host's packets, which slows the host's traffic more than limiting it does.
- Rejected. Attack Blocker rejects a host's traffic for a given session, temporarily preventing the host from accessing the protected networks.
By using reputation numbers to allocate resources, the Attack Blocker protects a network from Denial of Service attacks. When a host attempts to flood a network protected by the Untangle Server, the attacking host's reputation number increases so that the host moves from experiencing a limited slowdown to being denied access to protected resources.
The action that the Untangle Server takes depends on the reputation of the offending host. The action of rejecting the host completely is extreme, so Attack Blocker walks a fine line between allowing hosts to be active (such as a heavily loaded email server) and shutting down a host's session that is threatening to bring down your network. However, if the Attack Blocker determines that a host's activity is threatening your network, it will reject that host's session. In most cases, limiting the host and dropping the host's packets is enough to protect your network.
The Attack Blocker does not have any settings for sanitizing packets, but does have a setting to specify a host that is treated differently than its peers in terms of reputation calculation. This administrative setting is explained in Adding Attack Blocker Exceptions.
Adding Attack Blocker Exceptions
Use the Exception List to identify a virtual computer (IP Address) that represents more than one physical computer. As discussed in Denial Of Service Protection, Attack Blocker tracks the relative activity of computers on its network. If an IP address represents more than one physical computer, as is the case if you have a router performing NAT behind an Untangle Server that's a bridge, then Attack Blocker must know this IP address; otherwise, Attack Blocker considers that network to be an unusually active single computer and rejects that network's traffic.
To add a new entry to the Exception List:
- From Attack Blocker, click the Show Settings tab.
- Click the Exception List tab.
- Click the add (plus) button to the left of the table. A new row appears.
- Specify the exception that you want to add:
  - enable: When this box is checked, the exception rule is enabled.
  - address: The IP address of the computer that needs special consideration.
  - user count: The number of users (computers) that this address represents. For example, if 5 users are behind a NAT system, the external IP address of that NAT system needs a user count of 5.
- Click the Save Settings button.
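The following Python model is an added illustration, not part of the original page and not Untangle's own code. It ties together the mechanism described under Denial Of Service Protection (relative reputation, the limited/dropped/rejected actions) and the user count field of the Exception List: a NAT address with a user count is compared per user rather than as one very busy host. The reputation formula (each host's share of total connections and of total bytes, scaled to 0 to 100) and the thresholds at which a host is limited, dropped or rejected are assumptions; the page does not document Untangle's actual formula or cut-offs. The session records are constructed sample data.

```python
"""Model of reputation-based DoS mitigation with an Exception List.

Illustrative model only (assumptions: formula, thresholds, sample data).
"""
from collections import defaultdict

# Assumed thresholds on the 0..100 reputation scale (not documented by Untangle).
LIMIT_AT, DROP_AT, REJECT_AT = 25, 50, 75

# Constructed sample: one (source IP, bytes transferred) tuple per session.
SAMPLE_SESSIONS = (
    [("10.0.0.5", 1000)] * 2          # ordinary workstation
    + [("10.0.0.7", 2000)]            # ordinary workstation
    + [("10.0.0.9", 1500)] * 40       # flooding host
    + [("192.168.1.1", 1000)] * 40    # NAT router with 5 computers behind it
)

# Exception List rows with the fields shown on this page: enable, address, user count.
EXCEPTION_LIST = [
    {"enable": True, "address": "192.168.1.1", "user_count": 5},
]


def user_counts(exception_list):
    """Map address -> user count for enabled rows; never below 1."""
    counts = {}
    for row in exception_list or []:
        if row.get("enable"):
            counts[row["address"]] = max(1, int(row.get("user_count", 1)))
    return counts


def compute_reputation(sessions, exception_list=None):
    """Return {host: reputation in 0..100} relative to the other hosts.

    A host's activity is its connection count and its byte volume. Each is
    divided by the host's user count (default 1) so a NAT address is judged
    per computer behind it, then expressed as a share of the total across
    all hosts. Reputation is the two shares averaged and scaled to 0..100;
    100 means the host is all of the observed load.
    """
    counts = user_counts(exception_list)
    conns = defaultdict(int)
    nbytes = defaultdict(int)
    for src, size in sessions:
        conns[src] += 1
        nbytes[src] += size

    per_user_conns = {h: conns[h] / counts.get(h, 1) for h in conns}
    per_user_bytes = {h: nbytes[h] / counts.get(h, 1) for h in conns}
    sum_conns = sum(per_user_conns.values())
    sum_bytes = sum(per_user_bytes.values())
    if sum_conns == 0 or sum_bytes == 0:
        return {h: 0.0 for h in conns}

    return {
        h: 50.0 * (per_user_conns[h] / sum_conns + per_user_bytes[h] / sum_bytes)
        for h in conns
    }


def action_for(reputation):
    """Escalate limited -> dropped -> rejected as reputation grows (assumed cut-offs)."""
    if reputation >= REJECT_AT:
        return "rejected"
    if reputation >= DROP_AT:
        return "dropped"
    if reputation >= LIMIT_AT:
        return "limited"
    return "none"


def evaluate(sessions, exception_list=None):
    """Return {host: (reputation rounded to 0.1, action)}."""
    rep = compute_reputation(sessions, exception_list)
    return {h: (round(r, 1), action_for(r)) for h, r in rep.items()}


if __name__ == "__main__":
    print("without exception list:")
    for host, (rep, act) in sorted(evaluate(SAMPLE_SESSIONS).items()):
        print(f"  {host:12} reputation={rep:5.1f} action={act}")
    print("with exception list (192.168.1.1 = 5 users):")
    for host, (rep, act) in sorted(evaluate(SAMPLE_SESSIONS, EXCEPTION_LIST).items()):
        print(f"  {host:12} reputation={rep:5.1f} action={act}")
```

Running the model without the exception row, the NAT router's five computers look like one host hogging resources, so it is limited and the flooding host is merely dropped because the NAT traffic dilutes its share. With the exception row in place the router is judged per user and left alone, while the flooding host's share rises and it is rejected, which is the behaviour the Exception List exists to produce.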
About Attack Blocker Event Logs
Use the following terms and definitions to understand the Attack Blocker Event Log:
- timestamp: The time the event took place.
- source: The source IP address of the traffic.
- source interface: The network interface on which the traffic arrived at the Untangle Server.
- reputation: As described in Denial Of Service Protection, the reputation is a relative value assigned to clients to indicate their consumption of network resources. This value is usually between 0 and 100, with larger numbers indicating greater resource consumption.
- limited: The number of times the source client was limited during the period of time corresponding to the event. For a review of what it means for clients to be limited, go to Denial Of Service Protection.
- dropped: The number of times the source client had traffic dropped during the period of time corresponding to the event. For a review of what it means for clients to have traffic dropped, go to Denial Of Service Protection.
- reject: The number of times the source client had a session rejected. For a review of what it means for clients to have a session rejected, go to Denial Of Service Protection.