Limiting TCP connections per IP address
You can limit the number of fully-formed TCP connections per source IP address. This effectively prevents TCP flood-style denial-of-service (DoS) attacks.
TCP flood attacks exploit the fact that a server must consume memory to maintain the state of each open connection until either the connection times out or the client or server closes it. That memory is consumed even if the client is not currently sending any HTTP requests.
Normally, a legitimate client will form a single TCP connection, through which they may make several HTTP requests. As a result, each client consumes a negligible amount of memory to track the state of the TCP connection. However, an attacker will open many connections with perhaps zero or one request each, until the server is exhausted and has no memory left to track the TCP states of new connections with legitimate clients.
This feature is similar to DoS Protection > Application > Malicious IPs. However, this feature counts TCP connections per IP, while Malicious IPs counts TCP connections per session cookie.
It is also similar to DoS Protection > Network > Syn Cookie. However, this feature counts fully-formed TCP connections, while Syn Cookie counts partially-formed TCP connections.
FortiWeb counts the TCP connections. If a source IP address exceeds the limit, FortiWeb executes the Action for that client.
To configure a TCP connection flood limit
1. Go to DoS Protection > Network > TCP Flood Prevention.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions”.
2. Click Create New.
A dialog appears.
3. Configure these settings:
Setting name
Description
Name
Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
TCP Connection Number Limit
Type the maximum number of TCP connections allowed with a single source IP address.
The valid range is from 0 to 65,535. The default is 0.
Action
Select which action the FortiWeb appliance will take when it detects a violation of the rule:
Alert — Accept the request and generate an alert email and/or log message.
Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See “Customizing error and authentication pages (replacement messages)”.
Period Block — Block subsequent requests from the client for a number of seconds. Also configure Block Period.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See “Customizing error and authentication pages (replacement messages)”.
Tip: For improved performance during a confirmed DDoS, select this option. Attackers participating in the DoS will then be blocked at the IP layer, conserving FortiWeb resources that would otherwise be consumed by scanning each attacker’s request at the HTTP layer, compounding the effects of the DDoS.
The default value is Alert.
Caution: This setting will be ignored if Monitor Mode is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “Logging” and “Alert email”.
Note: If you will use this rule set with auto-learning, you should select Alert. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning.
Block Period
Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.
This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 (1 hour). The default value is 0. See also “Monitoring currently blocked IPs”.
Severity
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:
Low
Medium
High
The default value is Medium.
Trigger Action
Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See “Configuring triggers”.
4. Click OK.
5. Group the rule in a DoS protection policy (see “Grouping DoS protection rules”) that is used by a protection profile.
Attack log messages contain DoS Attack: TCP Flood Prevention Violation when this feature detects a TCP connection flood. See also “Log rate limits”.
Example: TCP flood prevention
Assume you set 10 as the limit. A client opens 15 TCP connections, each from a different source port. The FortiWeb appliance counts all 15 connections as belonging to the same source IP address and blocks them because they exceed the limit.
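The example above worked through in Python, as an added illustration of how the rule counts and acts (this is explanatory code, not FortiWeb's implementation). The connection records are constructed, the extra fields in the log line and the reading of a limit of 0 as "not enforced" are assumptions.

```python
from collections import defaultdict

# Constructed sample of the appliance's connection table (not real data):
# each record is (TCP state, source IP, source port). The first client has
# 15 fully formed connections on 15 different source ports plus 5 half-open
# ones; half-open (SYN_RECV) entries belong to SYN cookie protection, not
# to this rule, so they are deliberately not counted.
SAMPLE_CONNECTIONS = (
    [("ESTABLISHED", "203.0.113.7", 40000 + i) for i in range(15)]
    + [("SYN_RECV", "203.0.113.7", 50000 + i) for i in range(5)]
    + [("ESTABLISHED", "198.51.100.2", 51234)]
)

ACTIONS = ("Alert", "Alert & Deny", "Period Block")


def count_established_per_ip(connections):
    """Count fully formed TCP connections per source IP, ignoring the source port."""
    counts = defaultdict(int)
    for state, src_ip, _src_port in connections:
        if state == "ESTABLISHED":
            counts[src_ip] += 1
    return dict(counts)


def evaluate_rule(connections, limit, action="Alert", block_period=0, now=0.0):
    """Return {source_ip: verdict} for every source IP that exceeds the limit.

    Assumption: a limit of 0 (the default) means the limit is not enforced.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "Period Block" and not 1 <= block_period <= 3600:
        raise ValueError("Block Period must be between 1 and 3600 seconds")
    if limit <= 0:
        return {}
    verdicts = {}
    for ip, n in count_established_per_ip(connections).items():
        if n <= limit:
            continue  # at or under the limit: no violation
        # Log text as the page describes; the src/connections/limit fields are assumed.
        log = f"DoS Attack: TCP Flood Prevention Violation src={ip} connections={n} limit={limit}"
        if action == "Alert":
            verdicts[ip] = {"decision": "accept", "block_until": None, "log": log}
        elif action == "Alert & Deny":
            verdicts[ip] = {"decision": "deny", "block_until": None, "log": log}
        else:  # Period Block: drop this client's traffic for block_period seconds
            verdicts[ip] = {"decision": "block", "block_until": now + block_period, "log": log}
    return verdicts
```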
See also
Limiting TCP connections per IP address by session cookie
Preventing a TCP SYN flood