HP-UX IPFilter Version 16 Administrator's Guide

DCA with HP-UX IPFilter
An HP-UX IPFilter system can act as a secure intermediary, tracking all incoming TCP connections
to a system or network. DCA lets you limit incoming TCP connections passing through an IPFilter
system. You can use DCA to limit the number of inbound connections based on the source IP
address and optionally, the destination TCP port number. After a legal TCP connection is
established, DCA uses TCP state information to allow subsequent packets for the connection to
pass.
NOTE: To use DCA functionality, you must explicitly enable DCA mode. For more information,
see “Enabling and Disabling DCA” (page 52). DCA functionality does not work if DCA mode
is not enabled.
DCA uses IPFilter state table entries. To function correctly, you must have sufficient memory
allocated for the IPFilter state table. See “Monitoring and Allocating Memory for DCA Data”
(page 54).
Overview: DCA Functionality
DCA provides a set of flexible rules for controlling incoming TCP connections. You allocate a
number of TCP connections to a system using the keywords keep limit and specifying a limit
value. The limit value is the number of concurrent TCP connections that can be established by
any given source.
You can configure DCA rules to limit the number of connections from:
• A specific IP address.
• Each IP address in an IP subnet or IP address range.
• An IP subnet or IP address range where all the IP addresses in the subnet share the cumulative limit.
• Unknown IP addresses, where each unknown IP address has a connection limit.
When the configured limit is reached, IPFilter discards any additional connection requests. You
can configure HP-UX IPFilter to send a TCP Reset packet when it discards a connection request.
See “return-rst: Responding to Blocked TCP Packets” (page 32) for more information.
Using DCA
DCA helps protect systems from floods of TCP connections created by DoS attacks. For example,
you can use DCA to:
• Protect a mail server from a flood of SMTP connection requests. IP addresses or subnets that are trying to overload the SMTP server can be slowed down. At the same time, known users can be given unlimited connection limits. This ensures that customers and partners can still access the mail server while attackers are prevented from consuming resources.
• Protect an LDAP server from a flood of bogus SSL connection requests or other types of connection requests used to overload the LDAP server.
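The following rules file fragment is an added example, not taken from this guide, showing the SMTP scenario above built from the rule kinds listed under “Overview: DCA Functionality”. The addresses and the mail server are constructed, and the rule form (a standard ipf pass rule with keep state followed by the keep limit keyword, with a subnet limit assumed to apply per address) is assumed from the keywords named on this page, so check it against the rule syntax in this guide before loading it.

```conf
# Added example (not from the HP-UX IPFilter guide); addresses are constructed.
# Assumed rule form: ipf pass rule + "flags S keep state" + "keep limit <n>".
# DCA mode must be enabled first (see "Enabling and Disabling DCA"), otherwise
# the keep limit keywords have no effect.
# "quick" makes the first matching rule win, so order rules from most to least
# specific.

# Known partner relay: no keep limit, so DCA imposes no cap on this source.
pass in quick proto tcp from 192.0.2.10 to 198.51.100.5 port = 25 flags S keep state

# A specific address: at most 4 concurrent SMTP connections from this host.
pass in quick proto tcp from 192.0.2.20 to 198.51.100.5 port = 25 flags S keep state keep limit 4

# A subnet: each address in 203.0.113.0/24 gets its own limit of 2
# (assumed per-address behaviour; the shared cumulative form is not shown here).
pass in quick proto tcp from 203.0.113.0/24 to 198.51.100.5 port = 25 flags S keep state keep limit 2

# Unknown sources: every other address gets a limit of 1 concurrent connection.
pass in quick proto tcp from any to 198.51.100.5 port = 25 flags S keep state keep limit 1

# Anything else inbound to the mail server is blocked.
block in quick proto tcp from any to 198.51.100.5
```

Once a source reaches its limit, further connection requests from it are discarded while established connections continue to pass on TCP state, which is the behaviour described at the end of the overview.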
DCA Rules Configuration Files
You can configure DCA rules in the same file as IPv4 or IPv6 filter rules. The default IPv4 filter
rules file is /etc/opt/ipf/ipf.conf, and the default IPv6 filter rules file is
/etc/opt/ipf/ipf6.conf. See “IPv4 Filter Rules Configuration File” (page 20) and “IPv6 Filter Rules
Configuration File” (page 37) for more information.
44 Configuring and Loading Dynamic Connection Allocation (DCA) Rules