Configuring Denial-Of-Service Filter Settings

Available in:

  • CrashPlan PRO
    • Standard
    • Premium
    • Enterprise

Overview

A denial-of-service (DoS) attack disrupts access to a host, typically by flooding it with requests. To prevent interruptions to your Code42 environment, the Code42 server uses a denial-of-service filter (DoSFilter) to stop requests that exceed a defined threshold. When the Code42 server detects a DoS attack, the filter:

  • Delays processing of requests
  • Logs excessive request activity

This article describes the various Code42 DoSFilter properties and provides instructions for administrators to change the default values.

Denial-of-service filter (DoSFilter)

A high number of requests in a brief time span can originate either from a malicious denial-of-service attack, or from a valid, yet problematic device within your Code42 environment. The Code42 server DoSFilter tracks the number of requests from each source. It identifies sources as authenticated users, or by IP address or session ID.

The DoSFilter keeps track of the number of requests from a source per second. By default, the filter delays requests that exceed the limit of 40 per second and modifies the response headers to indicate the delayed responses. The filter gives first priority to authenticated users, then to connections identified by IP addresses. Unidentified connections have the lowest priority.

When the rate limit is exceeded, the filter writes a WARN level log message to the com_backup42_app.log server log file found in your server log directory. The WARN level log messages are labeled DOS ALERT and display one of the following formats:

DOS ALERT: Request delayed={}ms, ip={}, session={}, user={}
DOS ALERT: Request throttled ip={}, session={}, user={}
DOS ALERT: Request rejected ip={}, session={}, user={}
DOS ALERT: Request timed out uri={}, timeout={}, ip={}, session={}, user={}

DOS ALERT warning messages
DOS ALERT log messages do not necessarily mean your Code42 server is under attack, but rather, that usage exceeds the configured rate limits. This may be appropriate for short periods of time for legitimate reasons. To avoid false positives, adjust the properties below as appropriate for your Code42 environment. For example, whitelisting specific source IPs may reduce unnecessary log messages.
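
The following added example, which is not part of the original article or of Code42 tooling, parses the four DOS ALERT formats above and tallies alerts per source, so that noisy but legitimate sources can be told apart from sources whose requests are being dropped. The sample lines, their prefix, and the treatment of user=null as unauthenticated are assumptions.

```python
import re
from collections import Counter, defaultdict

# Only the message portion documented above is matched; nothing is assumed
# about the timestamp/level prefix the server writes before "DOS ALERT:".
ALERT_RE = re.compile(r"DOS ALERT: Request ((delayed|throttled|rejected|timed out).*)$")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
NOT_SERVICED = ("rejected", "timed out")  # requests that were dropped, not just slowed

# Constructed sample lines (prefix, addresses, session IDs and user are made up).
SAMPLE_LOG = """\
WARN DOS ALERT: Request delayed=100ms, ip=192.0.2.10, session=s1, user=null
WARN DOS ALERT: Request delayed=100ms, ip=192.0.2.10, session=s1, user=null
WARN DOS ALERT: Request throttled ip=192.0.2.10, session=s1, user=null
WARN DOS ALERT: Request rejected ip=192.0.2.10, session=s1, user=null
WARN DOS ALERT: Request delayed=100ms, ip=198.51.100.7, session=s2, user=backup-svc
WARN DOS ALERT: Request timed out uri=/api/example, timeout=30000, ip=198.51.100.7, session=s3, user=backup-svc
INFO unrelated line
""".splitlines()

def parse_alert(line):
    """Return the alert's fields plus 'action', or None for non-alert lines."""
    m = ALERT_RE.search(line.strip())
    if m is None:
        return None
    fields = {key: value.strip() for key, value in FIELD_RE.findall(m.group(1))}
    fields["action"] = m.group(2)
    return fields

def triage(lines):
    """Return [(source, total_alerts, not_serviced)] sorted by total, descending."""
    per_source = defaultdict(Counter)
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        user = alert.get("user", "")
        # Assumption: an unauthenticated request logs user as empty or "null".
        source = user if user not in ("", "null") else alert.get("ip", "unknown")
        per_source[source][alert["action"]] += 1
    rows = [(src, sum(c.values()), sum(c[a] for a in NOT_SERVICED))
            for src, c in per_source.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for source, total, dropped in triage(SAMPLE_LOG):
        print(f"{source}: {total} alerts, {dropped} not serviced")
```

A source with many delayed alerts but none dropped is a tuning candidate; a source with rejected or timed-out requests is one whose traffic is actually being lost and should be reviewed first.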

The DoSFilter provides a set of properties that you can use to tune the filter. The c42.http.dosfilter.maxRequestsPerSec property sets the maximum rate of requests per second from the same source. The default value is 40. Once that rate limit is exceeded, DOS ALERT messages are logged and requests are throttled. By default, subsequent requests from the same source are each delayed by at least 100 milliseconds (per the c42.http.dosfilter.delayMs property) and sent to the back of the priority queue, while other requests are serviced first.

You can tune these and other Code42 DoSFilter properties to change the response to high request rates.

Configure DoSFilter properties

From the Code42 administration console command line interface, use the prop.set command to configure DoSFilter properties:

  1. Sign in to the administration console.
  2. Double-click the logo in the upper-left corner of the administration console.
    The command-line interface appears.
  3. Enter the prop.set command followed by the property name and value in this format (see below for the complete list of available properties):

prop.set c42.http.dosfilter.<propertyName> <value> save all

Replace <propertyName> with the name of the DoSFilter property, and replace <value> with the value to set for that property.

Overwrite values
If you set a new value with a prop.set command, it overwrites any existing value.
  4. To verify a setting's value, enter the prop.show command:

prop.show c42.http.dosfilter.<propertyName>

The current value for the setting is displayed.

Prop.show does not report default values
Until you set a property, the default values are in effect, and the corresponding prop.show command returns null.

Code42 DoSFilter properties

To tune the DoSFilter implementation, you can configure the following Code42 properties with the Code42 prop.set command.

DoSFilter property settings do not prevent or resolve attacks
Although these settings can help mitigate denial-of-service attacks, they cannot prevent or resolve them. Distributed denial-of-service attacks are difficult to resolve and often require specific remediation at the network level with the cooperation of network service providers.

c42.http.dosfilter.delayMs

Set the request processing delay time in milliseconds for those requests that exceed the rate limit set by the c42.http.dosfilter.maxRequestsPerSec property. To immediately reject requests that exceed the rate limit rather than simply delaying their processing, you can set the value for this property to -1.

Default value: 100

c42.http.dosfilter.enabled

The value true or false enables or disables the entire DoSFilter.

Default value: true

c42.http.dosfilter.insertHeaders

Include header messages to identify delayed or rejected requests. For delayed requests, the header says "DoSFilter: delayed." For rejected requests, the header says "DoSFilter: unavailable" and the response code is 429.

Default value: true

c42.http.dosfilter.ipWhitelist

Define a comma-delimited list of IP addresses. If a source IP is in that list, the request is allowed regardless of other settings.

Default value: (empty)

c42.http.dosfilter.maxIdleTrackerMs

Define the time in milliseconds to keep connection records before the connection is considered closed and the record discarded.

Default value: 30000

c42.http.dosfilter.maxRequestMs

Define the time in milliseconds that a request is allowed to execute before it times out and is not serviced. This prevents requests from invoking long-running operations that consume excessive resources on the server side. This limit does not apply to requests allowed by the c42.http.dosfilter.multipartFormUpload.maxRequestMs property.

Default value: 30000

c42.http.dosfilter.maxRequestsPerSec

Set the maximum number of requests allowed in a second. When a source exceeds this rate, the Code42 server applies the configured DoSFilter mitigation.

Default value: 40

c42.http.dosfilter.multipartFormUpload.maxRequestMs

Define the time in milliseconds that POST requests with a content type of multipart/form-data are allowed to execute before they time out and are not serviced. This prevents uploads taking too much time and consuming excessive server resources.

Default value: 1800000

c42.http.dosfilter.remotePort

When this property is true and c42.http.dosfilter.trackSessions is false, track requests by the source IP address and port, not just the IP address.

Default value: false

c42.http.dosfilter.throttleMs

Define the time in milliseconds that requests can wait in queue before they are rejected.

Default value: 3000

c42.http.dosfilter.throttledRequests

Define the number of requests over the rate limit able to be considered at once. Exceeding this number means that additional requests received are not serviced and are rejected.

Default value: 5

c42.http.dosfilter.trackSessions

If possible, define the source of a request by its session ID, rather than its IP address.

Default value: true
