Configure denial-of-service filter settings
Who is this article for?
Incydr, no.
CrashPlan for Enterprise, yes.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to on-premises authority servers.
Overview
A denial-of-service (DoS) attack disrupts access to a host, typically by flooding it with requests. To prevent interruptions to your Code42 environment, the Code42 server uses a denial-of-service filter (DoSFilter) to stop requests that exceed a defined threshold. When the Code42 server detects a DoS attack, the filter:
- Delays processing of requests
- Logs excessive request activity
This article describes the various Code42 DoSFilter properties and provides instructions for administrators to change the default values.
Denial-of-service filter (DoSFilter)
A high number of requests in a brief time span can originate either from a malicious denial-of-service attack, or from a valid, yet problematic device within your Code42 environment. The Code42 server DoSFilter tracks the number of requests from each source. It identifies sources as authenticated users, or by IP address or session ID.
The DoSFilter keeps track of the number of requests from a source per second. By default, the filter delays requests that exceed the limit of 40 per second and modifies the response headers to indicate the delayed responses. The filter gives first priority to authenticated users, then to connections identified by IP addresses. Unidentified connections have the lowest priority.
When the rate limit is exceeded, the filter writes a WARN level log message to the com_backup42_app.log server log file found in your server log directory. The WARN level log messages are labeled DOS ALERT and display one of the following formats:
DOS ALERT: Request delayed={}ms, ip={}, session={}, user={}
DOS ALERT: Request throttled ip={}, session={}, user={}
DOS ALERT: Request rejected ip={}, session={}, user={}
DOS ALERT: Request timed out uri={}, timeout={}, ip={}, session={}, user={}
DOS ALERT log messages do not necessarily mean your Code42 server is under attack, but rather that usage exceeds the configured rate limits. This may be appropriate for short periods of time for legitimate reasons. To avoid false positives, adjust the properties below as appropriate for your Code42 environment. For example, whitelisting specific source IPs may reduce unnecessary log messages.
The DoSFilter provides a set of properties that you can use to tune the filter. The c42.http.dosfilter.maxRequestsPerSec property sets the maximum rate of requests per second from the same source. The default value is 40. Once that rate limit is exceeded, DOS ALERT messages are logged and requests are throttled. By default, subsequent requests from the same source are each delayed by at least 100 milliseconds (per the c42.http.dosfilter.delayMs property) and sent to the back of the priority queue, while other requests are serviced first.
You can tune these and other Code42 DoSFilter properties to change the response to high request rates.
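Before changing any of the properties, it helps to know which sources are producing the DOS ALERT messages. The following is an added example (not Code42's code) that parses the four DOS ALERT message formats listed above out of a constructed log excerpt and summarizes alerts per authenticated user or source IP. The timestamp and level prefix on each sample line is an assumption; the article does not show the full com_backup42_app.log line layout, so adjust the regex anchor if your lines differ.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log excerpt. The message bodies follow the four DOS ALERT
# formats listed in the article; the "timestamp LEVEL" prefix is an assumption.
SAMPLE_LOG = """\
2024-03-01 09:15:01.120 WARN  DOS ALERT: Request delayed=100ms, ip=10.20.30.40, session=9f1c2a, user=backup-svc
2024-03-01 09:15:01.131 WARN  DOS ALERT: Request delayed=100ms, ip=10.20.30.40, session=9f1c2a, user=backup-svc
2024-03-01 09:15:01.402 WARN  DOS ALERT: Request throttled ip=10.20.30.40, session=9f1c2a, user=backup-svc
2024-03-01 09:15:04.410 WARN  DOS ALERT: Request rejected ip=10.20.30.40, session=9f1c2a, user=backup-svc
2024-03-01 09:15:05.000 INFO  Unrelated message that must be ignored
2024-03-01 09:16:20.007 WARN  DOS ALERT: Request timed out uri=/api/v1/SomeResource, timeout=30000, ip=203.0.113.9, session=null, user=null
2024-03-01 09:16:20.900 WARN  DOS ALERT: Request rejected ip=203.0.113.9, session=null, user=null
"""

# One pattern covers all four formats: "delayed=<n>ms", "throttled", "rejected"
# and "timed out uri=<uri>, timeout=<n>", each followed by ip/session/user.
ALERT_RE = re.compile(
    r"DOS ALERT: Request (?P<kind>delayed|throttled|rejected|timed out)"
    r"(?:=(?P<delay_ms>\d+)ms)?"
    r"(?: uri=(?P<uri>\S+), timeout=(?P<timeout_ms>\d+))?"
    r",? ip=(?P<ip>[^,]+), session=(?P<session>[^,]+), user=(?P<user>\S+)"
)


def parse_dos_alerts(log_text):
    """Return one dict per DOS ALERT line; lines that are not DOS ALERTs are skipped."""
    alerts = []
    for line in log_text.splitlines():
        match = ALERT_RE.search(line)
        if match:
            alerts.append(match.groupdict())
    return alerts


def summarize_by_source(alerts):
    """Count alert kinds per source, keyed by user when authenticated, else by IP."""
    summary = defaultdict(Counter)
    for alert in alerts:
        if alert["user"] != "null":
            key = "user:" + alert["user"]
        else:
            key = "ip:" + alert["ip"]
        summary[key][alert["kind"]] += 1
    return {key: dict(counts) for key, counts in summary.items()}


def noisy_sources(alerts, min_alerts):
    """Sources with at least min_alerts alerts. Review these (is it a legitimate
    but chatty device?) before adjusting ipWhitelist or maxRequestsPerSec."""
    return sorted(
        source
        for source, counts in summarize_by_source(alerts).items()
        if sum(counts.values()) >= min_alerts
    )


if __name__ == "__main__":
    found = parse_dos_alerts(SAMPLE_LOG)
    for source, counts in summarize_by_source(found).items():
        print(source, counts)
    print("noisy sources:", noisy_sources(found, 3))
```

Run it against a real com_backup42_app.log by reading the file into parse_dos_alerts instead of SAMPLE_LOG. A source that alerts steadily during normal operation is a tuning candidate; a source that appears suddenly with many rejected or timed out entries deserves a closer look before it is whitelisted.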
Configure DoSFilter properties
From the Code42 console command line interface, use the prop.set command to configure DoSFilter properties:
- Sign in to the Code42 console.
- Double-click the logo in the upper-left corner of the Code42 console. The command-line interface appears.
- Enter the prop.set command followed by the property name and value in this format (see below for the complete list of available properties):
prop.set c42.http.dosfilter.<propertyName> <value> save all
Replace <propertyName> with the name of the DoSFilter property, and replace <value> with the value to set for that property. If you set a new value with a prop.set command, it overwrites any existing value.
- To verify a setting's value, enter the prop.show command:
prop.show c42.http.dosfilter.<propertyName>
The current value for the setting is displayed. Until you set a property, the default values are in effect, and the corresponding prop.show command returns null.
Code42 DoSFilter properties
To tune the DoSFilter implementation, you can configure the following Code42 properties with the Code42 prop.set command.
Although these settings can help mitigate denial-of-service attacks, they cannot prevent or resolve them. Distributed denial-of-service attacks are difficult to resolve and often require specific remediation at the network level with the cooperation of network service providers.
c42.http.dosfilter.delayMs
Set the request processing delay time in milliseconds for those requests that exceed the rate limit set by the c42.http.dosfilter.maxRequestsPerSec property. To immediately reject requests that exceed the rate limit rather than simply delaying their processing, set the value for this property to -1.
Default value: 100
c42.http.dosfilter.enabled
The value true or false enables or disables the entire DoSFilter.
Default value: true
c42.http.dosfilter.insertHeaders
Include response headers that identify delayed or rejected requests. For delayed requests, the header says "DoSFilter: delayed." For rejected requests, the header says "DoSFilter: unavailable" and the response code is 429.
Default value: true
c42.http.dosfilter.ipWhitelist
Define a comma-delimited list of IP addresses. If a source IP is in that list, the request is allowed regardless of other settings.
Default value: (empty)
c42.http.dosfilter.maxIdleTrackerMs
Define the time in milliseconds to keep connection records before the connection is considered closed and the record discarded.
Default value: 30000
c42.http.dosfilter.maxRequestMs
Define the time in milliseconds that a request is allowed to execute before it times out and is not serviced. This prevents requests from invoking long-running operations that consume excessive resources on the server side. This limit does not apply to requests governed by the c42.http.dosfilter.multipartFormUpload.maxRequestMs property.
Default value: 30000
c42.http.dosfilter.maxRequestsPerSec
Set the maximum number of requests allowed in a second. When a source exceeds this rate, the Code42 server applies the configured DoSFilter mitigation.
Default value: 40
c42.http.dosfilter.multipartFormUpload.maxRequestMs
Define the time in milliseconds that POST requests with a content type of multipart/form-data are allowed to execute before they time out and are not serviced. This prevents uploads taking too much time and consuming excessive server resources.
Default value: 1800000
c42.http.dosfilter.remotePort
When this property is true and c42.http.dosfilter.trackSessions is false, track requests by the source IP address and port, not just the IP address.
Default value: false
c42.http.dosfilter.throttleMs
Define the time in milliseconds that requests can wait in queue before they are rejected.
Default value: 3000
c42.http.dosfilter.throttledRequests
Define the number of over-limit requests that can be held for throttled processing at once. When this number is exceeded, additional requests received are rejected and not serviced.
Default value: 5
c42.http.dosfilter.trackSessions
If possible, define the source of a request by its session ID, rather than its IP address.
Default value: true
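The properties above interact: an over-limit request is first delayed (delayMs), then has to obtain one of a limited number of throttled-processing slots (throttledRequests), waiting at most throttleMs before it is rejected, and delayMs = -1 skips all of that and rejects outright. The following is an added, deliberately simplified model of that behaviour for one source, written to show how the settings combine; it is not Code42's implementation. The per-second window, the slot accounting and the service_ms parameter (how long a request occupies a slot, which the real filter does not expose) are assumptions made for the model.

```python
from collections import Counter


class DosFilterModel:
    """Simplified single-source model of the article's DoSFilter settings.

    Assumptions (this is an illustration, not Code42's code):
    - requests are counted in fixed one-second windows;
    - over-limit requests wait delay_ms, then need one of throttled_requests
      slots, waiting at most throttle_ms for a slot before being rejected;
    - delay_ms = -1 rejects over-limit requests immediately;
    - each throttled request holds its slot for service_ms (constructed value).
    """

    def __init__(self, max_requests_per_sec=40, delay_ms=100, throttled_requests=5,
                 throttle_ms=3000, enabled=True, service_ms=500):
        self.max_requests_per_sec = max_requests_per_sec
        self.delay_ms = delay_ms
        self.throttled_requests = throttled_requests
        self.throttle_ms = throttle_ms
        self.enabled = enabled
        self.service_ms = service_ms
        self.window_start = None
        self.count = 0
        self.slot_release = []  # release times (ms) of currently busy slots

    def request(self, now_ms):
        """Return 'ok', 'delayed' or 'rejected' for a request arriving at now_ms."""
        if not self.enabled:
            return "ok"
        # Start a new one-second counting window when the previous one has ended.
        if self.window_start is None or now_ms - self.window_start >= 1000:
            self.window_start = now_ms
            self.count = 0
        self.count += 1
        if self.count <= self.max_requests_per_sec:
            return "ok"
        if self.delay_ms < 0:
            return "rejected"  # delayMs = -1: reject instead of delaying
        ready = now_ms + self.delay_ms
        # Slots whose holders finished before this request is ready are free again.
        self.slot_release = [t for t in self.slot_release if t > ready]
        if len(self.slot_release) < self.throttled_requests:
            start = ready
        else:
            start = min(self.slot_release)  # wait for the earliest slot to free up
            if start - ready > self.throttle_ms:
                return "rejected"  # would wait longer than throttleMs
            self.slot_release.remove(start)
        self.slot_release.append(start + self.service_ms)
        return "delayed"


def simulate_burst(n_requests, spacing_ms, **params):
    """Send n_requests from one source spaced spacing_ms apart; return outcome counts."""
    model = DosFilterModel(**params)
    outcomes = Counter(model.request(i * spacing_ms) for i in range(n_requests))
    return dict(outcomes)


if __name__ == "__main__":
    # A burst of 50 requests within 50 ms from one source under different settings.
    print("defaults:        ", simulate_burst(50, 1))
    print("delayMs=-1:      ", simulate_burst(50, 1, delay_ms=-1))
    print("throttleMs=100:  ", simulate_burst(50, 1, throttle_ms=100))
    print("filter disabled: ", simulate_burst(50, 1, enabled=False))
    print("spread over 1 s: ", simulate_burst(41, 25))
```

With the defaults, the first 40 requests of the burst pass and the remaining 10 are delayed; setting delayMs to -1 turns those 10 into immediate rejections, and a very short throttleMs rejects the ones that cannot get a slot in time. The last line shows the window resetting: 41 requests spread across a full second never exceed the per-second limit. Use the model to reason about a proposed change before applying it with prop.set, not as a prediction of exact server behaviour.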
External resources
- Denial-of-service attack (Wikipedia)