Alteon Application Switch Operating System Application Guide
Advanced Denial of Service Protection
612 Document ID: RDWR-ALOS-V2900_AG1302
• UDP and ICMP Rate Limiting—Counts all received packets from a client and compares
against the configured maximum threshold. When the maximum configured threshold has been
reached before the time window expires, Alteon drops until the configured holddown period
expires. For more information, see UDP and ICMP Rate Limiting, page 613
.
Time Windows and Rate Limits
A time window is a configured period of time, in seconds, during which packets are allowed to be
received. A rate limit is defined as the maximum number of TCP connection requests (for TCP rate
limiting), or the maximum number of UDP or ICMP packets, that have been received from a
particular client within a configured time window.
• When the fastage value is configured, the total desired timewin is in seconds and the total
desired holddur is in minutes. Alteon determines the multiple. For more information on these
values, see the Alteon Application Switch Operating System Command Reference. The total time
window is the outcome of the timewin value multiplied by the fastage value.
• When the holddown is not triggered, the session time limit value starts with the total time
window and it is decremented by one second until the value is zero (0). When the value is zero,
the session time limit value resets to the next total time window value.
• When the holddown is triggered, the session time limit starts with holddown time, and it is
decremented after every x minutes, where x = 2 * 2^slowage.
Holddown Calculation
hold_down = holddur X slowage_time
where
• holddur = the value entered using
/cfg/slb/filt <filter number> /adv/security/
ratelim/holddur
• slowage_time = 2 X 2^slowage
Time Window Calculation
Total_time_window = timewin X 2^(-x)
where x is the fastage value. By default, the fastage value is 0.
Holddown Periods
Alteon monitors the number of new TCP connections (for TCP rate limiting) or UDP/ICMP packets
received (for UDP/ICMP rate limiting). When the number of new connections or packets exceeds the
configured limit, any new TCP connection requests or UDP/ICMP packets from the client are blocked.
When blocking occurs, the client is said to be held down. The client is held down for a specified
number of minutes, after which new TCP connection requests or packets from the client are allowed
once again to pass through.
Note: The time window and hold duration can be configured individually on a per-filter basis.
The holddown period is a multiple of the slowage and holddur values. For more information about
these values, see the Alteon Application Switch Operating System Command Reference. The total
holddown period is the result of the holddur value multiplied by the slowage value.
To Next Page
Loading...
Need help?
General