config security dos tcp-slowdata-attack-protection
A Slow Data attack sends legitimate application-layer requests but reads the responses very slowly, attempting to exhaust the target's connection pool. The slow reader advertises a very small TCP receive window size while emptying its own TCP receive buffers slowly, which keeps the data flow rate very low.
The purpose of the attack is to consume system resources (memory, CPU time) slowly. FortiADC can drop the connection when the peer fails to answer zero-window probe packets within the zero-window timer.
Syntax
config security dos tcp-slowdata-attack-protection
edit <name>
set probe-interval-time <integer>
set probe-count <integer>
set action [ pass | deny | block-period ]
set block-period <integer>
set severity [ high | medium | low ]
set log [enable | disable]
next
end
CLI specification
CLI Parameter | Help message | Type | Scope | Default | Must
---|---|---|---|---|---
probe-interval-time | Probe interval timer for zero-window probe | char | 0-256 | 30 | No
probe-count | Max count for zero-window probe | char | 0-256 | 5 | No
action | Action taken when probe count exceeds limit and still no >0 window packet received | choice | pass deny block-period | deny | No
block-period | Number of seconds to block the connection if you choose block-period as action | integer | 1-3600 | 60 | No
severity | Severity of the log | choice | info low medium high | high | No
log | Record log message | choice | enable disable | disable | No
Function description
CLI Parameter | Description
---|---
probe-interval-time | Probe interval for the TCP zero-window timer. After receiving a zero-window packet, FortiADC probes the peer periodically until it receives a >0 window or the probe count exceeds probe-count.
probe-count | Maximum number of consecutive zero-window probes
action | Action taken after the maximum probe count is exceeded. pass: FortiADC stops probing and passes all packets in both directions. deny: deny the connection with a RST. block-period: deny the connection and block any new connection from the peer for a period of time.
block-period | Block new connections from the peer for this period. During this period, new connections are aborted.
severity | Log severity level
log | Enable or disable logging
Example
config security dos tcp-slowdata-attack-protection
edit zero-window-limit
set probe-interval-time 30
set probe-count 5
set action block-period
set block-period 20
set log enable
set severity medium
next
end
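As an added illustration that is not part of the FortiADC documentation, the following Python model replays the zero-window probe logic described above (probe-interval-time, probe-count, action and block-period) against constructed peer behaviour, so the timing of a deny or block decision can be checked for a given profile; the exact probe accounting and the peer addresses are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SlowDataPolicy:
    # Fields mirror the CLI parameters; the semantics modelled below are an
    # assumption drawn from the function description, not FortiADC's code.
    probe_interval_time: int = 30   # seconds between zero-window probes
    probe_count: int = 5            # consecutive unanswered probes allowed
    action: str = "deny"            # pass | deny | block-period
    block_period: int = 60          # seconds new connections from the peer are refused

@dataclass
class ZeroWindowMonitor:
    policy: SlowDataPolicy
    blocked_until: dict = field(default_factory=dict)  # peer -> time the block ends

    def evaluate(self, peer, zero_window_at, window_updates):
        """Model one connection whose peer advertised window 0 at zero_window_at.
        window_updates: constructed list of (time, advertised_window) seen afterwards.
        Returns (verdict, time_of_verdict)."""
        probes_sent = 0
        t = zero_window_at
        while probes_sent < self.policy.probe_count:
            t += self.policy.probe_interval_time      # next probe fires here
            # a >0 window received before this probe ends the zero-window state
            if any(zero_window_at < when <= t and win > 0 for when, win in window_updates):
                return ("recovered", t)
            probes_sent += 1
        # probe-count probes went unanswered: apply the configured action
        if self.policy.action == "pass":
            return ("pass", t)          # stop probing, let traffic through
        if self.policy.action == "block-period":
            self.blocked_until[peer] = t + self.policy.block_period
            return ("deny+block", t)    # RST now, refuse new connections for block_period
        return ("deny", t)              # RST the connection

    def accepts_new_connection(self, peer, now):
        """True unless the peer is still inside a block-period window."""
        return now >= self.blocked_until.get(peer, 0)

def demo():
    # Constructed scenario using the values from the example profile above.
    policy = SlowDataPolicy(30, 5, "block-period", 20)
    mon = ZeroWindowMonitor(policy)
    stalled = mon.evaluate("198.51.100.7", 0, [(10, 0), (100, 0)])   # never reopens
    healthy = mon.evaluate("203.0.113.9", 0, [(70, 4096)])            # reopens at 70s
    return (stalled, healthy, mon.accepts_new_connection("198.51.100.7", 169),
            mon.accepts_new_connection("198.51.100.7", 170))
```

With the example profile, a peer that never reopens its window is reset after five probes at 150 s and its new connections are refused until 170 s; a peer that reopens at 70 s is cleared at the next probe.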