Attack Blocker FAQs
From UntangleWiki
How does it work?
Attack Blocker tracks traffic from all hosts (IP addresses). The number of connections and the volume of data are monitored. If a given host is significantly more active than others, its reputation increases. Reputation is expressed as a number on a relative scale. Large reputation numbers indicate that a given host is consuming more resources (more connections, more bytes transferred) than its peers.
As the load on an Untangle Server increases, it may not have enough resources to service all requests. Rather than slow everyone down, the Attack Blocker takes action against hosts with the largest reputation numbers. In this way, hosts that hog all the bandwidth are allocated fewer resources while other less demanding hosts experience no change in service and performance levels. There are three actions that the Attack Blocker can take against hosts with large reputation numbers.
Attack Blocker Actions
- Limited. Attack Blocker limits a host's access to resources inside the protected networks. The limited host experiences a mild slowdown in network performance.
- Dropped. Attack Blocker causes a host's traffic to be dropped, slowing the host down more than if its traffic were simply limited.
- Rejected. Attack Blocker rejects a host's traffic for a given session, temporarily preventing the host from accessing the protected networks.
By using reputation numbers to allocate resources, the Attack Blocker protects a network from Denial of Service attacks. When a host attempts to flood a network protected by the Untangle Server, the attacking host's reputation number increases so that the host moves from experiencing a limited slowdown to being denied access to protected resources.
The action that the Untangle Server takes depends on the reputation of the offending host. The action of rejecting the host completely is extreme, so Attack Blocker walks a fine line between allowing hosts to be active (such as a heavily loaded email server) and shutting down a host's session that is threatening to bring down your network. However, if the Attack Blocker determines that a host's activity is threatening your network, it will reject that host's session. In most cases, limiting the host and dropping the host's packets is enough to protect your network.
The Attack Blocker does not have any settings for sanitizing packets, but does have a setting to specify a host that is treated differently than its peers in terms of reputation calculation. This administrative setting is explained in Exceptions.
If I have a single big machine (database, file server, print server, etc.) and another smaller server, will my big machine develop a bad reputation?
The reputation for the big machine will be higher than that of the small machine. In a normal deployment this should not be a concern, as the Untangle Server should not be limited in its overall resources. If slowdown under heavy load is a concern, the big machine can have its reputation calculated differently as discussed in How does it work?
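A toy model of the behaviour described in both answers above, added here as an illustration and not Untangle's code or algorithm. The cost formula, the thresholds, the exception `weight` and the sample traffic are all assumptions. It shows that a busy server scores high but is only acted on when the appliance is overloaded, and that an exception lowers its score.

```python
from statistics import median

# Assumed cut-offs on the relative reputation scale (not Untangle's values).
THRESHOLDS = [(20.0, "rejected"), (8.0, "dropped"), (3.0, "limited")]

def reputations(stats, exceptions=None, byte_unit=100_000):
    """stats: {ip: (connections, bytes)}; exceptions: {ip: weight} (hypothetical).

    Cost = connections + bytes / byte_unit, divided by the exception weight.
    Reputation = cost relative to the median peer, so it is a relative scale.
    """
    exceptions = exceptions or {}
    cost = {ip: (conns + nbytes / byte_unit) / exceptions.get(ip, 1)
            for ip, (conns, nbytes) in stats.items()}
    baseline = median(cost.values()) or 1.0  # avoid dividing by zero when idle
    return {ip: round(c / baseline, 2) for ip, c in cost.items()}

def actions(stats, load, capacity, exceptions=None):
    """Map each host to allowed/limited/dropped/rejected.

    No host is penalised unless the server itself is short of resources.
    """
    result = {}
    for ip, rep in reputations(stats, exceptions).items():
        action = "allowed"
        if load > capacity:
            # THRESHOLDS is ordered highest first, so the first match wins.
            action = next((name for floor, name in THRESHOLDS if rep >= floor),
                          "allowed")
        result[ip] = action
    return result

# Constructed sample traffic: three workstations, one big file server,
# one flooding host (203.0.113.0/24 is a documentation range).
SAMPLE = {
    "192.168.1.10": (40, 2_000_000),
    "192.168.1.11": (50, 3_000_000),
    "192.168.1.12": (30, 1_000_000),
    "192.168.1.20": (300, 30_000_000),   # big file server
    "203.0.113.7": (5000, 500_000),      # connection flood
}

if __name__ == "__main__":
    print(reputations(SAMPLE))
    print(actions(SAMPLE, load=50, capacity=100))    # idle: nobody penalised
    print(actions(SAMPLE, load=150, capacity=100))   # overloaded
    print(actions(SAMPLE, load=150, capacity=100,
                  exceptions={"192.168.1.20": 10}))  # server excepted
```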

