HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

5 Configuring and loading dynamic connection allocation (DCA) rules
5.1 DCA with HP-UX IPFilter
An HP-UX IPFilter system can act as a secure intermediary, tracking all incoming TCP connections
to a system or network. DCA lets you limit incoming TCP connections passing through an IPFilter
system. You can use DCA to limit the number of inbound connections based on the source IP
address and, optionally, the destination TCP port number. After a valid TCP connection is established,
DCA uses TCP state information to allow subsequent packets for that connection to pass.
NOTE: To use DCA functionality, you must explicitly enable DCA mode; DCA rules have no effect
until DCA mode is enabled. For more information, see Section 5.10 (page 40).
DCA uses IPFilter state table entries, so you must have sufficient memory allocated for the IPFilter
state table for DCA to function correctly. See Section 5.12 (page 41).
NOTE: On HP-UX 11i v1 systems, DCA is not supported with IPv6 addresses.
5.1.1 DCA functionality overview
DCA provides a set of flexible rules for controlling incoming TCP connections. You allocate a
number of TCP connections to a system with the keep limit keyword followed by a limit value.
The limit value is the number of concurrent TCP connections that any given source can have
established at one time.
You can configure DCA rules to limit the number of connections from:
• A specific IP address
• Each IP address in an IP subnet or IP address range
• An IP subnet or IP address range where all the IP addresses in the subnet share the cumulative
  limit
• Unknown IP addresses, where each unknown IP address has its own connection limit
When the configured limit is reached, IPFilter discards any additional connection requests. You
can configure HP-UX IPFilter to send a TCP Reset packet when it discards a connection request.
See Section 3.6.1 (page 26) for more information.
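As an added illustration (not a rule set taken from this guide), the following ipf.conf fragment expresses each of the limit types listed above for a mail server on TCP port 25. The keep limit keyword and its limit value are the ones this section names. The cumulative keyword, the use of an ordinary pass rule without keep limit to leave a trusted host unlimited, and the first-match ordering with quick are assumptions about HP-UX IPFilter rule syntax; verify them against the DCA rule syntax later in this chapter before loading the file. All addresses are constructed documentation addresses.

```conf
# /etc/opt/ipf/ipf.conf fragment (added example; addresses are constructed)
# Rules are evaluated in order; "quick" stops evaluation at the first match,
# so the most specific sources must come first (assumed first-match semantics).
# DCA mode must be enabled separately (Section 5.10) or these limits do nothing.

# 1. Known mail relay: no keep limit, so DCA imposes no cap on this host
#    (assumption: only rules carrying keep limit are counted by DCA).
pass in quick proto tcp from 192.0.2.10 to any port = 25 keep state

# 2. A specific IP address limited to 5 concurrent SMTP connections.
pass in quick proto tcp from 192.0.2.20 to any port = 25 keep limit 5

# 3. Each IP address in the partner subnet gets its own limit of 3.
pass in quick proto tcp from 198.51.100.0/24 to any port = 25 keep limit 3

# 4. The whole subnet shares one limit of 20 connections in total
#    ("cumulative" is an assumed keyword; confirm it in the rule syntax).
pass in quick proto tcp from 203.0.113.0/24 to any port = 25 keep limit 20 cumulative

# 5. Any other (unknown) source: 2 concurrent connections per source address.
#    Connection requests beyond the limit are discarded by DCA.
pass in quick proto tcp from any to any port = 25 keep limit 2
```

Rules 2 to 5 all carry keep limit, so an attacker's additional connection requests are discarded once their per-source (or, for rule 4, per-subnet) limit is reached, while the relay in rule 1 is never throttled. Because DCA consumes one state table entry per tracked connection, size the state table (Section 5.12) for the sum of the limits you expect to be in use at once, not just for the trusted hosts.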
5.1.1.1 Using DCA
DCA helps protect systems from floods of TCP connections created by DoS attacks. For example,
you can use DCA to:
• Protect a mail server from a flood of SMTP connection requests. IP addresses or subnets that
  are trying to overload the SMTP server can be slowed down. At the same time, known users
  can be given unlimited connection limits. This ensures that customers and partners can still
  access the mail server while attackers are prevented from consuming resources.
• Protect an LDAP server from a flood of bogus SSL connection requests or other types of
  connection requests used to overload the LDAP server.
5.2 DCA rules configuration files
You can configure DCA rules in the same file as the IPv4 or IPv6 filter rules. The default IPv4 filter
rules file is /etc/opt/ipf/ipf.conf, and the default IPv6 filter rules file is
/etc/opt/ipf/ipf6.conf. See Section 3.1 (page 16) and Section 4.1 (page 31) for more information.