HP-UX IPFilter Version 17 Administrator's Guide

5 Configuring and Loading Dynamic Connection Allocation

(DCA) Rules

This chapter describes Dynamic Connection Allocation (DCA). DCA helps protect and mitigate

against DOS attacks where an attacker attempts to overload a system with TCP connection

requests. DCA uses stateful packet inspection to limit the number of incoming TCP connections

to a system.

This chapter describes DCA keywords and syntax. It also contains procedures for changing DCA

rules dynamically and setting DCA mode at startup.

NOTE: On HP-UX 11i v1 systems, DCA is not supported with IPv6 addresses.

This chapter contains the following sections:

• “DCA with HP-UX IPFilter” (page 52)

— “Overview: DCA Functionality” (page 52)

• “DCA Rules Configuration Files” (page 52)

• “DCA Rule Syntax and Keywords” (page 53)

— “DCA Rule Conditions” (page 53)

— “keep limit: Limiting Connections” (page 53)

— “return-rst: Returning RESET Packets” (page 54)

— “cumulative: Limiting Cumulative Connections” (page 54)

— “log limit: Logging Exceeded Connections” (page 54)

— “log limit freq: Log Frequency ” (page 55)

• “Loading and Modifying DCA Rules” (page 57)

— “Updating keep limit Rules” (page 57)

— “Adding New keep limit Rules” (page 58)

— “Integrating keep limit Rules” (page 58)

— “Extracting an Individual Rule from a Subnet Rule” (page 59)

• “Enabling and Disabling DCA” (page 60)

— “Enabling and Disabling DCA Using ipf” (page 60)

— “Configuring IPFilter to Enable DCA at System Startup Time” (page 60)

• “Using IPFilter Utilities with DCA” (page 60)

— “keep limit Rules and Rule Hits” (page 61)

• “Monitoring and Allocating Memory for DCA Data” (page 62)