After upgrading from SGOS 6.4 to 6.5, Attack Detection (ADP) blocks more clients than it did before.
The clients are blocked because they are reaching the ADP failure limit.
An application on the client machines may be generating many requests that the proxy denies with a 403 response. Each of these 403 responses counts toward the failure limit: by default, every failed request adds one to the client's failure count.
The behaviour differs from 6.4 because ADP changed in SGOS 6.5, including the default failure limit and the definition of a failed request (both listed below for each release). Refer to the SGOS Administration Guide for details.
SGOS 6.4.x - Default failure limit
Failed requests are defined as follows:
SGOS 6.5.x - Default failure limit
Failed requests are defined as follows:
To stop 403 responses from origin servers being counted as failures, add the following CPL to the local policy file:
<Proxy>
http.response.code=403 attack_detection.failure_weight(0)
To stop 403 responses generated by the proxy itself (policy denials) being counted as failures, add the following CPL to the local policy file:
<exception>
exception.id=policy_denied attack_detection.failure_weight(0)
Note: If a user-defined exception is returned instead of the default policy_denied exception, replace the exception ID policy_denied with user_defined.exception_name, where exception_name is the name of the custom exception.
A failure weight of 0 removes those responses from attack detection entirely, so a client that is genuinely probing the proxy and collecting 403s is no longer counted either. Scope the rule as narrowly as the policy allows and confirm that the remaining failure types still trip the limit.
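The following Python model, added here and not SGOS or ProxySG code, shows how the per-event failure weight changes which clients reach the limit. It replays a constructed set of request events through two policies: the default (every failed request weighs 1) and the tuned policy that models the two CPL rules above (server 403 and proxy policy_denied responses weigh 0). The failure limit of 5 and the rule that any 4xx/5xx response is a failure are assumptions of the model; the real defaults, the failed-request definition for each release and the ADP time interval come from the SGOS Administration Guide and are not modelled.

```python
"""Simplified model of ADP failure counting with per-event failure weights.

Added example; this is not SGOS or ProxySG code. It models only the counting
rule described in the article: each failed request adds its failure weight
(default 1) to the client's failure count, and a client whose count reaches
the failure limit is blocked. Real ADP also applies a time interval and other
settings that are not modelled here.
"""
from collections import defaultdict

# ASSUMPTION: hypothetical limit for the model; the real default is in the
# SGOS Administration Guide.
FAILURE_LIMIT = 5


def _event(client, status, source, exception=None):
    """Build one constructed event (not a real ProxySG access-log line)."""
    return {"client": client, "status": status,
            "source": source, "exception": exception}


# Constructed sample traffic. 10.0.0.5 runs a noisy application that the
# proxy keeps denying; 10.0.0.9 collects 403s from an origin server;
# 10.0.0.7 sees ordinary server errors.
SAMPLE_EVENTS = (
    [_event("10.0.0.5", 403, "proxy", "policy_denied") for _ in range(6)]
    + [_event("10.0.0.5", 500, "server")]
    + [_event("10.0.0.7", 404, "server"),
       _event("10.0.0.7", 500, "server"),
       _event("10.0.0.7", 200, "server")]
    + [_event("10.0.0.9", 403, "server") for _ in range(5)]
)


def is_failure(event):
    """ASSUMPTION: any 4xx/5xx response is a failed request in this model."""
    return event["status"] >= 400


# No overrides: every failed request weighs 1 (the default behaviour).
DEFAULT_RULES = []

# Model of the two CPL rules from the article:
#   <Proxy>     http.response.code=403          attack_detection.failure_weight(0)
#   <Exception> exception.id=policy_denied       attack_detection.failure_weight(0)
TUNED_RULES = [
    (lambda e: e["source"] == "server" and e["status"] == 403, 0),
    (lambda e: e["source"] == "proxy" and e["exception"] == "policy_denied", 0),
]


def failure_weight(event, rules):
    """Return the weight of the first matching rule, or the default of 1."""
    for predicate, weight in rules:
        if predicate(event):
            return weight
    return 1


def failure_counts(events, rules):
    """Sum the weighted failures per client."""
    counts = defaultdict(int)
    for event in events:
        if is_failure(event):
            counts[event["client"]] += failure_weight(event, rules)
    return dict(counts)


def blocked_clients(events, rules, limit=FAILURE_LIMIT):
    """Clients whose weighted failure count reaches the limit."""
    return sorted(client for client, n in failure_counts(events, rules).items()
                  if n >= limit)


if __name__ == "__main__":
    print("default policy blocks:", blocked_clients(SAMPLE_EVENTS, DEFAULT_RULES))
    print("tuned policy blocks:  ", blocked_clients(SAMPLE_EVENTS, TUNED_RULES))
    print("tuned counts:", failure_counts(SAMPLE_EVENTS, TUNED_RULES))
```

Under the default policy both 10.0.0.5 (seven failures) and 10.0.0.9 (five failures) reach the limit; with the weight-0 rules applied neither does, and 10.0.0.9's server 403s no longer register at all, which is the trade-off noted above.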