DOS Attack Settings
Use the DOS Attack Settings dialog box to configure the Denial Of Service Attack settings.
An explanation of what a Denial Of Service Attack is can be found
in the KFSensor Terms section.
The KFSensor Server is very fast at responding to visitors. On a reasonably quick internet connection
the server can easily handle
several million requests per hour. This would not pose a problem for the server itself, but it would cause the
logs to grow very large.
To prevent a hacker generating an excessive amount of events KFSensor implements various limits on the amount of
traffic it will accept and how it logs events.
These features can also be used to limit traffic and events in cases of heavy use of the server, which are not
intended to be denial of service attacks. For example a visitor may make thousands of connections to the SMTP emulation
in an attempt to send spam. You may wish to put a limit on this.
These options are configured using the settings in this dialog box and port specific limits can be set
using the Edit Listen dialog.
Note: The internal counters used to monitor these limits are reset every time the KFServer is restarted.
This also applies if server configuration is changed.
General
- Max clients
This sets the maximum numbers of visitor connections that the server can have open at any one time.
If the maximum number of connections is reached then the server will refuse to accept any more connections until
one of its open connections is closed. An event will be generated if the limit is exceeded.
- Max receive size (bytes)
A hacker may attempt to overload a server by opening a connection and then send many mega-bytes of data to it.
This setting sets a limit, in the number of bytes of data that the server is prepared to read from a visitor, before
forcing the connection to close.
Certain Sim Servers over-ride this standard setting
- Max receive log size (bytes)
This sets the maximum number of bytes that will be recorded in the event log. If the data received is larger than
this amount it will be truncated. Use this setting to reduce the amount of data stored in your event log files.
Certain Sim Servers over-ride this standard setting
TCP
In event of a sustained DOS attack KFSensor can
Lock Out or
Ignore the visitors responsible for the attack and
refuse to accept any connection from them for a set period of time.
- Max concurrent connections per IP
This sets the maximum numbers of connections that a single visitor can have open at any one time.
If the maximum number of connections is reached then the server will refuse to accept any more connections
from the visitor until one of its open connections is closed.
This prevents a single visitor using up all the available connections and thus preventing other visitors
from connecting to the server. This value should be set at less than the Max clients setting.
- Action on max concurrent
This option controls how the server should handle subsequent connections from a visitor that reaches the
Max concurrent connections per IP limit.
- Lock out
The visitor will be locked out for the specified period of time
- Close
The connection will be closed immediately, but the visitor will not be prevented from making further connections.
- Max connections per IP
If a visitor makes more connections than this setting allows the visitor will be either locked out
or ignored.
This setting applies to any port except those ports that have their own port specific limit specified in
the Edit Listen dialog.
- Action on max connections per IP
This options control how the server should handle subsequent connections from a visitor that reaches the
Max connections per IP limit.
- Lock out
The visitor will be locked out for the specified period of time
- Ignore
The connection will be processed as normal but no event will be generated of this connection.
A certain number of events can still be generated, using the 'Do not ignore every X connections' option.
The option allows the visitor to carry on using the server without generating potentially thousands of events.
- Max connected ports per IP (Multi-port Scan)
If a visitor connects to more TCP ports than this setting allows then the visitor will be locked out.
Most attacks involve a small number of targeted services with a specific vulnerability being probed for.
In the case of a full system multi-port scan the visitor will probe many different ports to gather information about a system.
As KFSensor typically responds to many more ports that a normal system, this setting prevents the visitor
conducting a full scan by limiting the number of ports that will respond, without restricting multiple connections to
individual ports.
- Event On (Multi-port Scan)
This option is used to monitor the number of different TCP ports in the same way as the option above.
When the limit is reach for this setting then a multi-port scan event will be logged.
This enables multi-port scans to be detected without blocking the visitor.
- Lock out for (minutes)
A visitor is locked out for a period of time controlled by this setting. If the visitor has not attempted
to make a connection for this period of time they will be allowed to use the server again
- Do not ignore every X connection
This option allows every 10th or 100th connection made by a visitor who has exceeded the Max connections per IP to generate an event.
This allows a sample of connections to be logged without recording them all.
- Reset ignore after (hours)
To prevent a visitor being ignored indefinitely, this option will reset a visitors ignore status after the set number of hours.
After which events from that visitor will be recorded again.
UDP
Max connections to a UDP port
If a visitor makes more connections than this setting to a single UDP the visitor will be either locked out
or ignored.
This setting applies to any UDP port except those ports that have their own port specific limit specified in
the Edit Listen dialog.
Action on max connections to a UDP
This options control how the server should handle subsequent connections from a visitor that reaches the
Max connections per UDP port limit.
- Lock out
The visitor will be locked out for the specified period of time
- Ignore
The connection will be processed as normal but no event will be generated of this connection.
Max connected ports per IP (Multi-port Scan)
If a visitor connects to more UDP ports than this setting allows then the visitor will be locked out.
Most attacks involve a small number of targeted services with a specific vulnerability being probed for.
In the case of a full system multi-port scan the visitor will probe many different ports to gather information about a system.
As KFSensor typically responds to many more ports that a normal system, this setting prevents the visitor
conducting a full scan by limiting the number of ports that will respond, without restricting multiple connections to
individual ports.
Event On (Multi-port Scan)
This option is used to monitor the number of different UDP ports in the same way as the option above.
When the limit is reach for this setting then a multi-port scan event will be logged.
This enables multi-port scans to be detected without blocking the visitor.
Reset ignore after (hours)
To prevent a visitor being ignored indefinitely, this option will reset a visitors ignore status after the set number of hours.
After which events from that visitor will be recorded again.
ICMP
In event of a sustained ICMP DOS attack KFSensor can Lock Out the visitors responsible for the attack and
ignore any ICMP connections from them for a set period of time.
- Max connections per IP
If a visitor sends more ICMP messages than this setting allows the visitor will be either locked out.
This setting applies to all types of ICMP message.
- Lock out for (minutes)
A visitor is locked out for a period of time controlled by this setting. If the visitor has not attempted
to make a connection for this period of time their ICMP connections will begin to be processed again.
WIN
In event of a sustained WIN attack KFSensor can Lock Out the visitors responsible for the attack and
ignore any WIN connections from them for a set period of time.
- Max connections per IP
If a visitor sends more WIN events than this setting allows the visitor will be either locked out.
This setting applies to all types of WIN event.
- Lock out for (minutes)
A visitor is locked out for a period of time controlled by this setting. If the visitor has not attempted
to make a connection for this period of time their WIN connections will begin to be processed again.
Global DOS Attack Limits
If a hacker is using numerous IP aliases or machines to launch a sustained DOS attack the
server will Lock Up and
refuse to accept any connections for a set period of time.
TCP, UDP and ICMP connections have separate limits and separate lockups. This is because with UDP and ICMP it is easy
to forge the return address allowing one machine to send numerous UDP or ICMP messages which appear to come from
different IP addresses. If such a UDP DOS attack is made it will not stop the server from responding to TCP connections.
- Max TCP connections
The maximum number of TCP connections that can be made to the server before it locks up.
- Max UDP connections
The maximum number of UDP connections that can be made to the server before it locks up.
- Max ICMP connections
The maximum number of ICMP connections that can be made to the server before it locks up.
- Reset lock up after (hours)
When the KFSensor Server locks up it will refuse to accept connection for as long as the limit is exceeded in
this specified period. This is not a simple time period locking mechanism as is the case with the Visitor DOS Attack setting.
Once locked up the server will check every hour if the total number of connections in the last X hours
has exceeded the specified limit. It will then allow a number of connections to be made up to the limit in the last X hour period.
This enables the server to recover from a DOS attack quicker and yet still control the amount of connections it handles.
Buttons
- Default (Normal)
The Default (Normal )button returns all settings to the default factory values.
- Default (Cautious)
The Default (Cautious) button configures the settings to lower, more cautious, values than the default factory values.
Related Topics
KFSensor On-Line Manual Contents