<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DOS profile for critical servers in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343043#M85909</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/107710"&gt;@OwenFuller&lt;/a&gt;&amp;nbsp; &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;&amp;nbsp;When I tried to answer on my RFC1918 post, I was not able to do that. It is giving me an error. Thanks Owen and BPry, yes, we are using public IP addresses and it is just that my manager wants to implement it to have better security by blocking private IP blocks from the public zone.&lt;BR /&gt;&lt;BR /&gt;Also, can you please look into my DOS profile rule question? Thanks for the help and support.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
    <pubDate>Mon, 10 Aug 2020 14:54:02 GMT</pubDate>
    <dc:creator>shafi021</dc:creator>
    <dc:date>2020-08-10T14:54:02Z</dc:date>
    <item>
      <title>DOS profile for critical servers</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343037#M85908</link>
      <description>&lt;P&gt;Hi Guys,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I want to create a DOS profile for critical servers. I read that I can use the classified type so connections count toward only one IP address.&lt;BR /&gt;&lt;BR /&gt;My question is: can I add multiple server IPs in the same DOS rule, or do I need to create multiple DOS rules? Also, I might need to tune the threshold based on the servers, so is it better to create a new DOS rule?&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;If I use the same DOS rule, will the connection count still be per destination IP, or will it act like an aggregate to all the destination IPs?&lt;/P&gt;</description>
      <pubDate>Mon, 10 Aug 2020 14:49:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343037#M85908</guid>
      <dc:creator>shafi021</dc:creator>
      <dc:date>2020-08-10T14:49:23Z</dc:date>
    </item>
    <item>
      <title>Re: DOS profile for critical servers</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343043#M85909</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/107710"&gt;@OwenFuller&lt;/a&gt;&amp;nbsp; &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;&amp;nbsp;When I tried to answer on my RFC1918 post, I was not able to do that. It is giving me an error. Thanks Owen and BPry, yes, we are using public IP addresses and it is just that my manager wants to implement it to have better security by blocking private IP blocks from the public zone.&lt;BR /&gt;&lt;BR /&gt;Also, can you please look into my DOS profile rule question? Thanks for the help and support.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Mon, 10 Aug 2020 14:54:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343043#M85909</guid>
      <dc:creator>shafi021</dc:creator>
      <dc:date>2020-08-10T14:54:02Z</dc:date>
    </item>
    <item>
      <title>Re: DOS profile for critical servers</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343049#M85911</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139406"&gt;@shafi021&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;My question is can I add multiple servers IPs in same DOS Rule or I need to create multiple DOS rules. Also, I might need to tune threshold base on servers so is it better to create new DOS rule?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color="#FF0000"&gt;&lt;SPAN&gt;You can add multiple IPs to the same DoS rulebase entry, but keep in mind that you can only have one aggregate and one classified profile assigned to the entry. So if you have multiple public resources servicing, for example, DNS services, I would generally only make one entry. That entry would have an aggregate and a classified rulebase entry that has been fine-tuned for that service.&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;FONT color="#000000"&gt;&lt;SPAN&gt;If I use same DOS rule then connection count will still be per destination IP or will it act like aggregate to all the Destination IPs ?&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color="#FF0000"&gt;&lt;SPAN&gt;So this actually depends on how you set up the entry. An aggregate profile would affect every destination in that rule. Classified can take into account specific destination IPs, which would be limited to the destination address instead of aggregated across the matched rulebase entry.&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;FONT color="#000000"&gt;&lt;SPAN&gt;Just in general, I would never configure a DOS Protection rulebase entry to service multiple different services. If you have a public Exchange server I would want to see a separate entry for Exchange; likewise, I would create a separate entry for public web resources or VPN appliances.&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color="#000000"&gt;&lt;SPAN&gt;You want to have your DoS profiles (aggregate and classified) as specific as you can get them to allow them to actually do their job. You can't really do that if you have the same profile protecting a wide array of services.&amp;nbsp;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color="#000000"&gt;&lt;SPAN&gt;The only caveat that would come into play is on smaller platforms where you have the potential of running into object limits on the DoS profiles. That's the only time where I start recommending people group like services into the same profile. So maybe instead of having a separate profile for each web service we go down to a generic "Public Websites" type of profile; but if your platform is capable of supporting a profile for each public service, there's no reason not to fully utilize that capability.&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 10 Aug 2020 15:08:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343049#M85911</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2020-08-10T15:08:06Z</dc:date>
    </item>
    <item>
      <title>Re: DOS profile for critical servers</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343105#M85919</link>
      <description>&lt;P&gt;TEST 2&lt;/P&gt;</description>
      <pubDate>Mon, 10 Aug 2020 19:00:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dos-profile-for-critical-servers/m-p/343105#M85919</guid>
      <dc:creator>kh-rohit</dc:creator>
      <dc:date>2020-08-10T19:00:05Z</dc:date>
    </item>
  </channel>
</rss>

