Configuring a TCP slow data flood protection policy
A Slow Data attack sends legitimate application-layer requests but reads the responses very slowly, which can exhaust the target's connection pool. The slow reader advertises a very small TCP receive window and, at the same time, drains its own TCP receive buffer slowly, so the data flow rate stays very low.
The purpose of the attack is to consume system resources (memory, CPU time) over time. The connection can be torn down when the zero-window timer has sent many probes without the peer reopening its window.
Before you begin:
- You must have Read-Write permission for Security settings.
After you have configured HTTP Request Flood policies, you can select them in a DoS Protection Profile.
To configure an HTTP Request Flood policy:
- Go to DoS Protection > Networking > HTTP Request Flood.
- Click Create New to display the configuration editor.
- Complete the configuration using the following settings:
  - Name: Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.
  - Enable | Disable: If Enable, this policy is active; otherwise it is inactive.
  - Probe interval: Probe interval for the TCP zero window timer. After receiving a zero window packet, FortiADC probes the peer periodically until the peer returns a window greater than 0, or until the probe count exceeds the maximum probe count.
  - Probe count: Maximum number of consecutive zero window probes.
  - Action: Action taken after the maximum probe count is exceeded:
    - Pass: if the probe count exceeds probe-count, stop probing and pass all packets in both directions.
    - Deny: deny the connection with an RST.
    - Block-period: deny the connection, and block any new connection from the peer side for a period of time.
  - Severity: Severity assigned to the logged events:
    - High: log as high severity events.
    - Medium: log as medium severity events.
    - Low: log as low severity events.
    The default value is High.
  - Log: Enable or disable logging.
- Save the configuration.
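The following is an added example, not FortiADC's own code, that simulates the zero-window timer logic described above: a per-connection tracker starts probing when the peer advertises a zero window, counts consecutive probes, and applies the configured action (pass, deny, or block-period) once the count exceeds the maximum. The policy values, the peer addresses, and the traffic trace are all constructed for the illustration, and the class and function names are hypothetical; they are not FortiADC settings or APIs.

```python
"""Simulation of a TCP zero-window probe timer with a slow-data protection policy (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SlowDataPolicy:
    probe_interval: float = 1.0   # seconds between zero-window probes (assumed value)
    max_probe_count: int = 5      # maximum consecutive zero-window probes (assumed value)
    action: str = "deny"          # "pass" | "deny" | "block-period"
    block_period: float = 60.0    # seconds new connections from the peer are refused (assumed value)


@dataclass
class ConnState:
    peer: str
    next_probe_at: Optional[float] = None   # set while the peer advertises a zero window
    probe_count: int = 0                    # consecutive probes answered with a zero window
    verdict: Optional[str] = None           # None while tracking; "pass" or "deny" once decided


class SlowDataGuard:
    """Hypothetical guard that applies a SlowDataPolicy to observed window advertisements."""

    def __init__(self, policy: SlowDataPolicy) -> None:
        self.policy = policy
        self.conns: Dict[str, ConnState] = {}
        self.blocked_until: Dict[str, float] = {}   # peer -> time until new connections are refused
        self.log: List[str] = []

    def allow_new_connection(self, peer: str, now: float) -> bool:
        """Block-period enforcement: refuse new connections from a peer until its block expires."""
        until = self.blocked_until.get(peer)
        return until is None or now >= until

    def on_window_advertised(self, conn_id: str, peer: str, window: int, now: float) -> None:
        """Feed the receive window the peer advertised in its latest ACK."""
        conn = self.conns.setdefault(conn_id, ConnState(peer))
        if conn.verdict is not None:
            return
        if window == 0:
            if conn.next_probe_at is None:          # arm the zero-window timer once
                conn.next_probe_at = now + self.policy.probe_interval
                conn.probe_count = 0
        else:
            # Any window > 0 ends probing and resets the consecutive-probe count.
            conn.next_probe_at = None
            conn.probe_count = 0

    def tick(self, now: float) -> None:
        """Run the zero-window timers; send due probes and apply the action when the limit is exceeded."""
        for conn_id, conn in self.conns.items():
            while conn.verdict is None and conn.next_probe_at is not None and conn.next_probe_at <= now:
                conn.probe_count += 1
                if conn.probe_count > self.policy.max_probe_count:
                    self._apply_action(conn_id, conn, now)
                else:
                    conn.next_probe_at += self.policy.probe_interval

    def _apply_action(self, conn_id: str, conn: ConnState, now: float) -> None:
        conn.next_probe_at = None
        if self.policy.action == "pass":
            conn.verdict = "pass"   # stop probing, forward traffic in both directions
            self.log.append(f"{now:.1f} {conn_id} peer={conn.peer} pass: probing stopped")
            return
        conn.verdict = "deny"       # deny the connection with an RST
        self.log.append(f"{now:.1f} {conn_id} peer={conn.peer} deny: RST sent after {conn.probe_count} probes")
        if self.policy.action == "block-period":
            self.blocked_until[conn.peer] = now + self.policy.block_period
            self.log.append(f"{now:.1f} peer={conn.peer} blocked until {self.blocked_until[conn.peer]:.1f}")


def simulate() -> SlowDataGuard:
    """Replay a constructed trace: one slow reader that never reopens its window, one healthy client."""
    guard = SlowDataGuard(SlowDataPolicy(action="block-period"))
    # Constructed trace of (time, connection id, peer, advertised window); addresses are documentation ranges.
    trace = [
        (0.0, "c1", "198.51.100.7", 0),     # slow reader: zero window, never recovers
        (0.0, "c2", "203.0.113.9", 0),      # healthy client briefly at zero window
        (2.5, "c2", "203.0.113.9", 4096),   # healthy client reopens its window
    ]
    for step in range(0, 17):               # 0.0 .. 8.0 in 0.5 s steps
        now = step * 0.5
        for ts, conn_id, peer, window in trace:
            if ts == now:
                guard.on_window_advertised(conn_id, peer, window, now)
        guard.tick(now)
    return guard


if __name__ == "__main__":
    g = simulate()
    print("\n".join(g.log))
    print("c1 verdict:", g.conns["c1"].verdict, "| c2 verdict:", g.conns["c2"].verdict)
    print("new connection from 198.51.100.7 at t=10 allowed:", g.allow_new_connection("198.51.100.7", 10.0))
```

With a 1 s probe interval and a maximum of 5 probes, the slow reader is denied at the sixth probe (t=6.0) and its peer is blocked for the configured period, while the healthy client that reopens its window at t=2.5 is never affected. The reset of the probe count on any positive window is what keeps a momentarily busy but legitimate client from being counted toward the limit.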