How Attack-detection works on the ProxySG appliance

book

Article ID: 165790

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

The following is a detailed description of attack-detection behavior.

Resolution

The ProxySG appliance attack detection feature limits attacks based on connection limit and number of failures:

  1. If the number of failures exceed the configured failure limit, the ProxySG sends warnings to the client. Subsequently, if the number of warnings exceed the configured warning limit, the ProxySG changes the client to blocked state. The client is blocked for the configured unblocking time, and new connections will pass only after that configured time period or is manually unblocked. (Failed requests, by default, include various HTTP response failures such as 4xx client errors (excluding 401 and 407) and 5xx server errors. The HTTP responses that you want treated as failure can be so designed by creating policy.)
  2. If the number of connections from a client exceed the connection limit, further connections from that client are not passed (a type of blocked state). If one of the connections is closed, the client goes below the configured limit, and the next connection from that client is passed through.

The best ways to check whether or not a client is blocked is by going to the following advanced url's:

https://x.x.x.x:8082/TCP/users
https://x.x.x.x:8082/ADN/blocked-clients
 
Make sure the event log covers the time the problem was observed.  Search for the following strings:
has exceeded
has exceeded failure limit
has exceeded warning limit and is now blocked