Messages posted by "anti-ddos" (JForum feed, http://www.jforum.net) - /hvaonline/posts/listByUser/236808.html

Post: A question about DDoS mitigation solutions ("Cho em hỏi về giải pháp chống DDOS") - /hvaonline/posts/preList/39215/241785.html#241785

Invalid Packets
Always-on countermeasure that handles fragment reassembly and other basic layer 3 and layer 4 packet validation.

Filter Evaluation (SP UI: Black / White List)
Looks at the fcap expression that is provided in the SP interface in the "Black / Whitelist" tab. If the evaluation says it "passes", then no further mitigation is done. If it says "drop", the packet is dropped, stats updated accordingly, and no further mitigation is done. This corresponds to the Black List / White List expression in the SP UI. This expression defines a list of pass and drop expressions. Anything that matches a "pass" statement will not get looked at any further (thus, it is on the "white list"). Anything that matches a "drop" statement will be instantly dropped and will not get looked at further (it is on the "black list"). All other traffic proceeds to be evaluated through the remaining shaping and countermeasures.

Blacklist Evaluation
If the source host is on the blacklist because it was put there by one of the countermeasures, the packet is dropped, stats updated accordingly, and no further mitigation is done. Note that the countermeasure that put the host on the blacklist is the one credited as having dropped the packet. You can think of this as a dynamic version of the Blacklist configuration in the SP UI.

Zombie Countermeasure
Hosts that exceed a pps or bps threshold are considered zombies. These hosts are blacklisted, the packet is dropped, stats are updated accordingly, and no further mitigation is done.

TCP SYN Authentication Countermeasure
This countermeasure looks to authenticate hosts initiating TCP connections. If we see a SYN, this countermeasure will SYN|ACK it with a certain special sequence number. If the host responds with ACK and the special sequence number +1, then we authenticate it. The connection is reset. If dropped, the stats are updated accordingly and no further mitigation is done. NOTE: No blacklisting is done by this countermeasure.

DNS Authentication Countermeasure
This countermeasure validates source hosts performing DNS lookups. Only requests on udp/53 are considered. The countermeasure drops the first request, and those hosts that retransmit within the timeout are validated. Their requests pass through until we don't hear another request from them in the timeout period. If dropped, the stats are updated accordingly and no further mitigation is done. NOTE: No blacklisting is done by this countermeasure.

Idle Reset Processing
This countermeasure doesn't produce an effect immediately. It never drops packets. At this time it just looks at the packet; if it's TCP, it tracks the connection. Asynchronously, every timeout period, TCP connections that have sat idle on the configured ports for longer than one timeout are reset. The hosts are blacklisted.

Payload Regex Processing
Depending on whether the packet has a configured tcp or udp dest port, the regular expression is applied to the payload. If it matches, then the packet is dropped. Keep in mind that the regex is not evaluated across multiple TCP segments or IP fragments. If dropped, the stats are updated accordingly and no further mitigation is done. No blacklisting of the source host is done.

Source/24 Baseline Stats
If this source/24 is blocked due to being 5 times over the baseline rate limit, then the packet is dropped, the stats are updated accordingly and no further mitigation is done. We get baselines for /24s from our SP leader in 24-hour chunks (with 5-minute bins inside).

Protocol Baseline Stats
If this protocol is blocked due to being over the rate limit, then the packet is dropped, the stats are updated accordingly and no further mitigation is done. We get baselines for each protocol from our SP leader in 24-hour chunks (with 5-minute bins inside).

Malformed DNS Filtering
Any UDP DNS packets containing no payload are dropped. The stats are updated accordingly and no further mitigation is done.

Malformed SIP Filtering
Any UDP SIP packets containing no payload are dropped. The stats are updated accordingly and no further mitigation is done.

Rate Limiting
Packets are matched against a regex filter. If they match, then their bps/pps is limited to the maximum. If it exceeds the limit, then the packet is dropped, the stats are updated accordingly, and no further mitigation is done.

Malformed DNS Filtering
When a DNS message is decoded, this countermeasure looks for it to be well-formed. If it's not, then the packet is dropped and the stats are updated accordingly. Note that the offending host is not blacklisted.

Malformed HTTP Filtering
When an HTTP header is decoded, this countermeasure looks for it to conform to RFC2616 Section 2.2 "Basic Rules", with the exception of allowing the " " character. It also looks for any error in the entire stream. If either of these occurs, then the packet(s) are dropped and the stats are updated accordingly. The offending host is blacklisted.

HTTP Object and Request Rate Limiting
When HTTP requests are decoded, this countermeasure makes sure that the number of requests / objects for that source / dest IP pair does not exceed the given rate. If it does, then the packet(s) are dropped and the stats are updated accordingly. The offending host is blacklisted.

HTTP Regex Filtering
When HTTP requests or headers are decoded, this countermeasure evaluates the configured expression against the full payload. If it matches, then the packet(s) are dropped and the stats are updated accordingly. The offending host is blacklisted.

Malformed SIP Filtering
When SIP responses or headers are decoded, this countermeasure validates that they're well formed. If not, then the packet(s) are dropped and the stats are updated accordingly. The offending host is blacklisted.

SIP Request Rate Limiting
When SIP requests are decoded, this countermeasure makes sure that the number of requests for that source / dest IP pair does not exceed the given rate. If it does, then the packet(s) are dropped and the stats are updated accordingly. The offending host is blacklisted.

Other items in this feed (links only; the feed carries no body text for them):
/hvaonline/posts/preList/39215/241773.html#241773
Network security monitoring: discussing DDoS mitigation solutions ("Giám sát an ninh mạng - Bàn về giải pháp chống DDoS") - /hvaonline/posts/preList/32553/241161.html#241161
Network security monitoring: discussing DDoS mitigation solutions ("Giám sát an ninh mạng - Bàn về giải pháp chống DDoS") - /hvaonline/posts/preList/32553/241067.html#241067
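The ordered pipeline the post describes (always-on validation, a static pass/drop list that short-circuits everything after it, a dynamic blacklist whose drops are credited to the countermeasure that listed the host, a per-source pps zombie threshold, and DNS authentication that drops a host's first udp/53 request and validates hosts that retransmit within the timeout) is easiest to understand as a small state machine. The following is an added Python model written for this page; it is not the poster's code and not any vendor's implementation. The Packet and Pipeline classes, the use of plain Python predicates in place of fcap expressions, and every threshold, address and timestamp in demo() are constructed assumptions.

```python
"""Toy model of an ordered DDoS mitigation pipeline (added example, hypothetical design).

Each stage either passes the packet out of the pipeline, drops it and credits the
drop to a named countermeasure, or hands it to the next stage, mirroring the
"no further mitigation is done" rule in the post.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    dport: int
    ts: float            # arrival time in seconds
    valid: bool = True   # outcome of basic layer 3/4 validation (assumed done upstream)


@dataclass
class Pipeline:
    static_rules: list                  # ordered ("pass" | "drop", predicate) pairs, first match wins
    zombie_pps: int = 100               # per-source packets/second threshold (constructed value)
    dns_timeout: float = 5.0            # seconds a DNS source stays validated / may retransmit
    blacklist: dict = field(default_factory=dict)                         # src -> countermeasure that listed it
    stats: dict = field(default_factory=lambda: defaultdict(int))        # countermeasure -> drop/pass counts
    _pps: dict = field(default_factory=lambda: defaultdict(lambda: [0, 0]))  # src -> [second, count]
    _dns_first: dict = field(default_factory=dict)                        # src -> ts of dropped first request
    _dns_ok: dict = field(default_factory=dict)                           # src -> ts of last validated request

    def _drop(self, credited_to: str) -> str:
        self.stats[credited_to] += 1
        return "drop"

    def process(self, p: Packet) -> str:
        # 1. Invalid Packets: always-on, nothing else sees a packet that fails basic validation.
        if not p.valid:
            return self._drop("invalid")
        # 2. Filter Evaluation: static white/black list; a match ends processing either way.
        for action, pred in self.static_rules:
            if pred(p):
                if action == "pass":
                    self.stats["static_pass"] += 1
                    return "pass"
                return self._drop("static_drop")
        # 3. Blacklist Evaluation: the countermeasure that listed the host gets the credit.
        if p.src in self.blacklist:
            return self._drop(self.blacklist[p.src])
        # 4. Zombie: count packets per source per wall-clock second; over threshold -> listed.
        bucket = self._pps[p.src]
        sec = int(p.ts)
        if bucket[0] != sec:
            bucket[0], bucket[1] = sec, 0
        bucket[1] += 1
        if bucket[1] > self.zombie_pps:
            self.blacklist[p.src] = "zombie"
            return self._drop("zombie")
        # 5. DNS Authentication: only udp/53; first request dropped, retransmit within timeout
        #    validates the host, and validation lapses after dns_timeout of silence.
        if p.proto == "udp" and p.dport == 53:
            last_ok = self._dns_ok.get(p.src)
            if last_ok is not None and p.ts - last_ok <= self.dns_timeout:
                self._dns_ok[p.src] = p.ts
                self.stats["dns_auth_pass"] += 1
                return "pass"
            first = self._dns_first.get(p.src)
            if first is not None and p.ts - first <= self.dns_timeout:
                self._dns_ok[p.src] = p.ts      # retransmission seen: host validated
                self.stats["dns_auth_pass"] += 1
                return "pass"
            self._dns_first[p.src] = p.ts       # (re)start the challenge for this host
            return self._drop("dns_auth")
        self.stats["passed_pipeline"] += 1
        return "pass"


def demo():
    """Constructed traffic walking through every stage; returns verdicts, stats and blacklist."""
    rules = [
        ("pass", lambda p: p.src == "10.0.0.5"),                       # constructed trusted monitor
        ("drop", lambda p: p.proto == "udp" and p.dport == 19),        # constructed: drop chargen
    ]
    pl = Pipeline(rules, zombie_pps=3, dns_timeout=2.0)
    verdicts = [
        pl.process(Packet("10.0.0.5", "203.0.113.1", "udp", 19, 0.0)),   # whitelisted before the drop rule
        pl.process(Packet("192.0.2.9", "203.0.113.1", "udp", 19, 0.0)),  # matches static drop rule
    ]
    for i in range(4):  # four packets inside one second from one source: 4th trips the zombie threshold
        verdicts.append(pl.process(Packet("192.0.2.7", "203.0.113.1", "tcp", 80, 1.0 + i * 0.1)))
    verdicts.append(pl.process(Packet("192.0.2.7", "203.0.113.1", "tcp", 443, 7.0)))  # later: dynamic blacklist, credited to zombie
    dns = "198.51.100.3"
    verdicts.append(pl.process(Packet(dns, "203.0.113.53", "udp", 53, 10.0)))   # first request dropped
    verdicts.append(pl.process(Packet(dns, "203.0.113.53", "udp", 53, 11.0)))   # retransmit within timeout: validated
    verdicts.append(pl.process(Packet(dns, "203.0.113.53", "udp", 53, 12.5)))   # still validated
    verdicts.append(pl.process(Packet(dns, "203.0.113.53", "udp", 53, 20.0)))   # silent > timeout: challenged again
    return verdicts, dict(pl.stats), dict(pl.blacklist)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two details worth noticing when reading the stats: the packet at t=7.0 from 192.0.2.7 is dropped by stage 3 but counted under "zombie", exactly as the post says the listing countermeasure is credited; and the DNS source is never blacklisted, so after its validation lapses it is only challenged again, not blocked.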