Attack Detection failure-limits are exceeded very frequently

Article ID: 168276

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Clients are frequently placed on the attack-detection block list because their failure counts exceed the configured failure limit.

Cause

Starting with SGOS 6.5.x, any HTTP response with a 4XX status (except 401 and 407) or a 5XX status is counted as a failure. The count is also increased for every policy_denied request, because the proxy answers such requests with an HTTP 403 response.

Resolution

The solution is either to stop counting 403 responses as failures or to configure a higher failure limit in the attack-detection configuration. The sample policy below assigns a failure weight of 0 to 403 responses and to the policy_denied exception, so neither contributes to the failure count.

<Proxy>
http.response.code=403 attack_detection.failure_weight(0) ; This rule stops attack detection from counting a 403 HTTP response received from the destination server as a failure.

<exception>
exception.id=policy_denied attack_detection.failure_weight(0) ; This rule stops attack detection from counting requests for which the proxy sends the policy_denied exception as failures.

Note: If a user-defined exception is used instead of the default policy_denied exception, replace the exception id "policy_denied" with "user_defined.exception_name", where exception_name is the name of the custom exception.
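The following Python model is an added illustration, not code from the article or from SGOS: it applies the counting rule described above (4XX except 401/407 and 5XX count once, policy_denied is a 403) to a constructed set of transactions and compares the per-client failure totals with and without the failure_weight(0) overrides from the sample policy. The record layout and the failure limit of 4 are assumptions chosen for the illustration, not ProxySG defaults.

```python
"""Model of SGOS 6.5+ attack-detection failure counting (added example)."""
from collections import defaultdict

# Constructed sample transactions: (client_ip, sc_status, exception_id).
# Layout is an assumption for this illustration, not a ProxySG log format.
SAMPLE_LOG = [
    ("10.0.0.5", 200, "-"),
    ("10.0.0.5", 403, "policy_denied"),   # policy denial is an HTTP 403
    ("10.0.0.5", 403, "policy_denied"),
    ("10.0.0.5", 403, "policy_denied"),
    ("10.0.0.5", 401, "-"),               # auth challenge: never a failure
    ("10.0.0.5", 404, "-"),
    ("10.0.0.5", 503, "-"),
    ("10.0.0.7", 407, "-"),               # proxy auth challenge: never a failure
    ("10.0.0.7", 500, "-"),
    ("10.0.0.7", 200, "-"),
]

# Default behaviour: every 4XX except 401/407 and every 5XX counts once.
DEFAULT_WEIGHTS = {}
# Effect of the sample policy: 403 responses and policy_denied weigh 0.
FIXED_WEIGHTS = {403: 0, "policy_denied": 0}


def failure_weight(status, exception_id, weights):
    """Weight one transaction adds to the client's failure count."""
    if status < 400 or status in (401, 407):
        return 0
    # An exception-id override takes precedence over a status-code override;
    # anything else that is 4XX/5XX keeps the default weight of 1.
    if exception_id in weights:
        return weights[exception_id]
    return weights.get(status, 1)


def failures_per_client(records, weights):
    """Total failure weight per client IP."""
    counts = defaultdict(int)
    for ip, status, exc in records:
        counts[ip] += failure_weight(status, exc, weights)
    return dict(counts)


def clients_over_limit(records, weights, limit):
    """Clients whose failure count exceeds the attack-detection failure limit."""
    totals = failures_per_client(records, weights)
    return sorted(ip for ip, n in totals.items() if n > limit)


if __name__ == "__main__":
    print("default:", clients_over_limit(SAMPLE_LOG, DEFAULT_WEIGHTS, 4))
    print("with failure_weight(0):", clients_over_limit(SAMPLE_LOG, FIXED_WEIGHTS, 4))
```

With the default weights, client 10.0.0.5 reaches five failures from only three policy denials plus a 404 and a 503, while the same traffic totals two once the 403/policy_denied overrides apply.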