Configuring a TCP slow data flood protection policy
A Slow Data attack sends legitimate application layer requests but reads the responses very slowly, attempting to exhaust the target's connection pool. The slow reader advertises a very small TCP receive window and, at the same time, drains its TCP receive buffers slowly, which keeps the data flow rate very low.
The purpose of the attack is to consume system resources (memory, CPU time) slowly. FortiADC can drop the connection when repeated probes sent by the zero-window timer fail to get the peer to open its window.
Before you begin:
- You must have Read-Write permission for Security settings.
After you have configured HTTP Request Flood policies, you can select them in a DoS Protection Profile.
To configure a TCP Slow Data Flood Protection policy:
- Go to DoS Protection > Networking.
- Click the TCP Slow Data Flood Protection tab.
- Click Create New to display the configuration editor.
- Complete the configuration:
  - Name: Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.
  - Status: Enable | Disable. If Enable, the policy is active; otherwise it is inactive.
  - Probe Interval: Probe interval for the TCP zero window timer. After receiving a zero window packet, FortiADC probes the peer periodically until the peer returns a window greater than 0 or the probe count exceeds the maximum probe count.
  - Probe Count: Maximum number of consecutive zero window probes.
  - Action: Action taken when the maximum probe count is exceeded.
    - Pass: Stop probing and pass all packets in both directions.
    - Deny: Deny the connection with RST.
    - Block-period: Deny the connection and block any new connection from the peer for a period of time.
  - Severity: Severity assigned to the logged events. The default value is High.
    - High: Log as high severity events.
    - Medium: Log as medium severity events.
    - Low: Log as low severity events.
  - Log: Enable or disable logging.
- Save the configuration.
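The probe-timer behaviour described above, as an added model of how Probe Interval, Probe Count and Action interact; this is illustrative code, not FortiADC's implementation, and the `(time, advertised_window)` event format, `SlowDataPolicy` and `evaluate` are assumptions:

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PASS = "pass"                  # stop probing, pass packets both ways
    DENY = "deny"                  # reset the connection with RST
    BLOCK_PERIOD = "block-period"  # RST plus a temporary block of the peer


@dataclass
class SlowDataPolicy:
    probe_interval: float  # seconds between zero-window probes
    probe_count: int       # max consecutive zero-window probes tolerated
    action: Action


def window_at(updates, t):
    """Window the peer most recently advertised at or before time t."""
    window = None
    for ut, uw in updates:
        if ut <= t:
            window = uw
    return window


def evaluate(policy, updates):
    """Replay (time, window) pairs; return (Action or None, probes_sent)."""
    if policy.probe_interval <= 0:
        raise ValueError("probe_interval must be positive")
    updates = sorted(updates)  # constructed peer advertisements, time-ordered
    zero_times = [ut for ut, uw in updates if uw == 0]
    if not zero_times:
        return None, 0  # never saw a zero window: the timer never starts
    next_probe = zero_times[0] + policy.probe_interval
    consecutive = probes_sent = 0
    while True:
        if window_at(updates, next_probe) > 0:
            consecutive = 0  # peer opened its window: timer stops, count resets
            later = [z for z in zero_times if z > next_probe]
            if not later:
                return None, probes_sent
            next_probe = later[0] + policy.probe_interval
            continue
        probes_sent += 1  # probe sent while the peer still advertises zero
        consecutive += 1
        if consecutive > policy.probe_count:
            return policy.action, probes_sent
        next_probe += policy.probe_interval
```

A legitimate client that briefly hits a zero window and then reopens it never reaches the action; a slow reader that stays at zero window is acted on after `probe_count` + 1 consecutive probes.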