Flooding and Denial of Service Prevention

In a typical network connection, a computer "asks" a server to authenticate it, the server returns the authentication approval to the computer, the computer acknowledges this approval, and then the computer is allowed to connect to the server.

In a denial of service (DoS) attack, a computer sends multiple authentication requests to the server. All requests have false return addresses, so the server can't find the computer when it tries to send the authentication approval. When the server closes the connection, the DoS attacker sends a new batch of forged requests, and the process begins again, causing the server to be unavailable for legitimate connections.

A common method of blocking a DoS attack is to set up a filter on the network that looks for attacks by noticing patterns or identifiers in the incoming requests. If a pattern arrives frequently, the filter can be instructed to block messages containing that pattern, protecting the server from being overloaded by malicious traffic.

Attacks can be divided into three types:

EFT's Auto-Ban System

EFT's auto-ban system is intended to prevent possible DoS attacks by identifying likely attacks based on user activity density (occurrences per second). The algorithm is implemented differently for each attack type.

By default, all IP addresses are granted access to EFT. EFT allows you to grant access to only one specific IP address or a range of IP addresses, or deny access to one specific IP address or a range of IP addresses. EFT can automatically disconnect and even ban the IP addresses of computers that send an excessive number of invalid commands. (Refer to Disconnecting Users after a Defined Number of Invalid Commands.) You can configure EFT to automatically ban IP addresses that may be associated with a DoS (Denial of Service) attack. EFT monitors connection patterns, tracks each computer's activity density, and then bans IP addresses with unnaturally dense activity. When EFT bans an IP address, it can ban it permanently (add it to the IP Access Restrictions list) or temporarily for a certain period of time.

Banning an IP address temporarily protects EFT from attacks. If EFT is correct and a temporarily banned IP address was the source of an attack, EFT will not be harmed by the attempted attack. EFT's resources will remain free or minimally burdened, instead of being completely bogged down by the attacking IP address. If you choose to ban IP addresses temporarily, the IP address's access to EFT is restricted for a minute or two, based on the EFT security setting you select using the Auto-Ban Reliability slider bar.

Temporarily banning users means that if EFT identifies an ordinary but very active user as a threat, the user will soon be able to reconnect to the Site. When you ban IP addresses temporarily, the level of security you set for the slider indicates both the number of seconds the user can attempt to occupy all of EFT's resources before being banned and the number of seconds the user is banned. The higher the security, the less time before the user is banned and the longer the user remains banned.

The reason for a temporary ban is that attack identification is not foolproof, and there is always a chance of a mistake. If EFT is allowed to decide which IP address to ban, we risk that some users will be banned by mistake when it might not be appropriate to ban that user permanently.

If you elect to permanently ban the IP addresses of users whose activity fits the pattern of an attack, those users are immediately banned when they exceed the number of connections allowed for the security level (based on the slider setting). If EFT has banned a user to whom you want to allow access, you can delete it from the IP address ban list.

With the slider, you can set the Auto-Ban Reliability (security level) or turn auto-ban off. The default is Medium.

EFT has predefined security levels that correlate to the slider values: Off, Very Low, Low, Medium, High, and Very High.
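The following is an added illustration of the auto-ban logic described above; it is not EFT's own code. It models activity density as events per IP in a sliding one-second window, with per-level thresholds and ban lengths that are assumed for illustration only (EFT's real values are not published on this page), and shows both the temporary and the permanent ban modes plus an administrator removing an IP from the ban list.

```python
from collections import defaultdict, deque

# Assumed illustrative thresholds per slider level (not EFT's real values):
# (max events allowed inside a 1-second window, temporary ban length in seconds)
LEVELS = {"Very Low": (50, 30), "Low": (30, 45), "Medium": (20, 60),
          "High": (10, 90), "Very High": (5, 120)}

class AutoBan:
    """Counts events per IP in a sliding 1 s window and bans IPs that exceed it."""

    def __init__(self, level="Medium", permanent=False):
        self.max_per_sec, self.ban_seconds = LEVELS[level]
        self.permanent = permanent
        self.events = defaultdict(deque)  # ip -> timestamps in the last second
        self.banned_until = {}            # ip -> expiry time of a temporary ban
        self.ban_list = set()             # permanent bans (IP Access Restrictions)

    def is_banned(self, ip, now):
        if ip in self.ban_list:
            return True
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            return True
        self.banned_until.pop(ip, None)   # a temporary ban has expired
        return False

    def observe(self, ip, now):
        """Record one event from ip at time now; return True if it is allowed."""
        if self.is_banned(ip, now):
            return False
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > 1.0:      # drop timestamps outside the window
            q.popleft()
        if len(q) > self.max_per_sec:
            if self.permanent:
                self.ban_list.add(ip)
            else:
                self.banned_until[ip] = now + self.ban_seconds
            q.clear()                      # start fresh once the ban lifts
            return False
        return True

    def unban(self, ip):
        """Administrator deletes an IP from the ban list."""
        self.ban_list.discard(ip)
        self.banned_until.pop(ip, None)

def run_burst(ab, ip, count, start=0.0, step=0.01):
    """Feed `count` events spaced `step` seconds apart; return the verdicts."""
    return [ab.observe(ip, start + i * step) for i in range(count)]
```

Run `run_burst` with a small `step` to simulate a flood and a large one to see a busy but legitimate client stay under the threshold.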

IP address policy changes are propagated to the DMZ Gateway whenever the policy is modified in the administration interface or by the auto-ban logic.

To activate auto-ban

  1. In the administration interface, connect to EFT and click the Server tab.

  2. On the Server tab, click the node of the Site you want to configure.

  3. In the right pane, click the Connections tab.

  4. In the Network Usage and Security Settings area, next to Denial of Service settings, click Configure. The Anti-Flood/Hammer Settings dialog box appears.

  5. In the Flood/hammer auto-ban sensitivity level area, specify a sensitivity level using the slider bar.

  6. If you set the slider to Off, Very Low, or Low on a high-security-enabled Site, a message appears to warn you that this setting violates PCI DSS requirements related to securely configuring cardholder environments.

  7. Click a ban period:

  8. Click OK to close the dialog box.

  9. Click Apply to save the changes on EFT.

See also Disconnecting Users after a Defined Number of Invalid Commands and Controlling Access to the Site by IP Address.