ServerIron ADX Security Guide
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information

14 ServerIron ADX Security Guide
53-1002440-03
Transaction Rate Limit (TRL)
Syntax: trl {default | {<client-IPv4> <client-mask> | <client-IPv6> <prefix>} {exclude | monitor-interval <monitor-value> conn-rate <connection-value> hold-down-time <hold-down-value>}}
default - Specifies the default transaction rate limit parameters.
<client-IPv4> - Specifies the IPv4 client subnet.
<client-mask> - Specifies the IPv4 client mask.
<client-IPv6> - Specifies the IPv6 client subnet.
<prefix> - Specifies the IPv6 client mask bits (prefix length).
exclude - Excludes the prefix from transaction rate limiting.
monitor-interval - Specifies the monitoring time interval, in units of 100 ms.
<monitor-value> - Specifies the value of the monitoring time interval.
conn-rate - Specifies the connection rate.
<connection-value> - Specifies the connection rate (connections per second) allowed for the client.
hold-down-time - Specifies how long the source is held down.
<hold-down-value> - Specifies the hold-down time in minutes.
Command modes
Global configuration mode.
Global TRL
If TRL per client subnet is not needed, Global TRL can be used to create a single configuration that applies to all incoming traffic.
Use ip [tcp | udp | icmp] trans-rate to enable TRL on the ServerIron for TCP, UDP, or ICMP traffic. If more than the specified number of packets per second arrive from the same IP address over the specified interval, all traffic from that IP address is held down for the specified number of minutes.
Syntax: [no] ip [tcp | udp | icmp] trans-rate monitor-interval <interval> conn-rate <rate> hold-down-time <minutes>
monitor-interval <interval> - Amount of time used to measure incoming traffic. This parameter is specified in increments of 100 ms. For example, to measure traffic over a 1-second interval, specify 10.
conn-rate <rate> - Threshold for the number of connections per second from any one IP address. Traffic exceeding this rate over the specified interval is subject to hold down.
hold-down-time <minutes> - Number of minutes that traffic from an IP address that has sent packets at a rate higher than the configured threshold is held down.
Example
ServerIronADX(config)# ip tcp trans-rate monitor-interval 600 conn-rate 100 hold-down-time 5
This command configures the ServerIron to monitor incoming TCP traffic. If more than 100 TCP connections per second arrive from the same IP address over a 60-second interval (600 × 100 ms), then all TCP traffic from that IP address is held down for 5 minutes.
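The following model ties together both forms of TRL described above: the per-client trl rule (including exclude) and the global ip tcp trans-rate rule, using the values from the example command. It is an added illustration written for this page, not Brocade or ServerIron code, and it assumes fixed-length counting windows, longest-prefix precedence of client rules over the global rule, and hold-down beginning the moment the threshold is crossed; the guide does not describe the device's internal accounting, and the 10.0.0.0/24, 192.0.2.0/24 and 203.0.113.9 addresses and their rules are constructed sample values.

```python
"""Model of ServerIron-style transaction rate limiting (TRL).

Added example, not Brocade/ServerIron code. Assumes fixed counting windows,
longest-prefix client rules overriding the global rule, and hold-down
starting as soon as the threshold is crossed (the guide does not say).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class TrlRule:
    """One TRL rule: the global/default rule (prefix=None) or a client prefix."""
    prefix: Optional[Network]      # None -> applies to traffic matching no client rule
    exclude: bool = False          # 'exclude': never hold down this prefix
    monitor_interval: int = 0      # CLI units of 100 ms
    conn_rate: int = 0             # allowed connections per second
    hold_down_minutes: int = 0

    @property
    def window_seconds(self) -> float:
        return self.monitor_interval / 10.0

    @property
    def max_per_window(self) -> int:
        # conn-rate is per second; scale it to the whole monitoring window.
        return int(self.conn_rate * self.window_seconds)


class TransactionRateLimiter:
    def __init__(self, rules: List[TrlRule]) -> None:
        self.rules = rules
        self._windows: Dict[str, Tuple[float, int]] = {}  # ip -> (window start, count)
        self._held: Dict[str, float] = {}                 # ip -> release time (s)

    def _rule_for(self, ip: str) -> Optional[TrlRule]:
        """Longest-prefix client rule wins; otherwise the default rule, if any."""
        addr = ipaddress.ip_address(ip)
        best = None
        for rule in self.rules:
            if rule.prefix is not None and addr in rule.prefix:
                if best is None or rule.prefix.prefixlen > best.prefix.prefixlen:
                    best = rule
        if best is not None:
            return best
        return next((r for r in self.rules if r.prefix is None), None)

    def observe(self, ip: str, now: float) -> bool:
        """Account one new connection from ip at time now (seconds).
        Returns True if it is admitted, False if the source is held down."""
        release = self._held.get(ip)
        if release is not None:
            if now < release:
                return False                      # still inside hold-down-time
            del self._held[ip]                    # hold-down expired: start clean
            self._windows.pop(ip, None)
        rule = self._rule_for(ip)
        if rule is None or rule.exclude:
            return True
        start, count = self._windows.get(ip, (now, 0))
        if now - start >= rule.window_seconds:
            start, count = now, 0                 # new monitoring window
        count += 1
        self._windows[ip] = (start, count)
        if count > rule.max_per_window:
            self._held[ip] = now + rule.hold_down_minutes * 60
            return False
        return True

    def held_down(self, now: float) -> List[str]:
        """Sources currently held down."""
        return sorted(ip for ip, release in self._held.items() if now < release)


def demo() -> dict:
    rules = [
        # Global rule from the page: ip tcp trans-rate monitor-interval 600 conn-rate 100 hold-down-time 5
        TrlRule(None, monitor_interval=600, conn_rate=100, hold_down_minutes=5),
        # Constructed: a trusted subnet excluded from TRL (trl 10.0.0.0 255.255.255.0 exclude)
        TrlRule(ipaddress.ip_network("10.0.0.0/24"), exclude=True),
        # Constructed: stricter client rule, 5 conn/s measured over 1 s (monitor-interval 10)
        TrlRule(ipaddress.ip_network("192.0.2.0/24"), monitor_interval=10, conn_rate=5, hold_down_minutes=1),
    ]
    trl = TransactionRateLimiter(rules)
    out = {}
    # 8 connections within one second from 192.0.2.7: the 6th trips the 5/s limit.
    burst = [trl.observe("192.0.2.7", 0.1 * i) for i in range(8)]
    out["burst_admitted"] = burst.count(True)
    out["held_at_2s"] = trl.observe("192.0.2.7", 2.0)
    out["held_list"] = trl.held_down(2.0)
    out["admitted_after_hold"] = trl.observe("192.0.2.7", 61.0)
    # The excluded subnet is never held down, however fast it connects.
    out["excluded_admitted"] = all(trl.observe("10.0.0.5", 0.001 * i) for i in range(500))
    # Global rule: 6000 connections in 60 s (100/s x 60 s) are admitted; the 6001st is not.
    out["global_first_6000"] = all(trl.observe("203.0.113.9", 0.005 * i) for i in range(6000))
    out["global_6001st"] = trl.observe("203.0.113.9", 30.0)
    out["global_released_5min"] = trl.observe("203.0.113.9", 30.0 + 5 * 60)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints one line per check: the client-rule burst admits 5 of 8 connections, the source stays in the held-down list until its 1-minute hold-down expires, the excluded subnet is never held, and under the global rule exactly 6000 connections (100 per second over the 600 × 100 ms window) pass before the source is held for 5 minutes.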
To apply TRL to TCP traffic coming into port 80 on interface 1/1.










