beautypg.com

Threshold rules, Overview, Connection rate/total connection limiting – D-Link DFL-2500 User Manual

Page 279: Grouping, Rule actions, Section 10.2, “threshold rules

background image

10.2. Threshold Rules

10.2.1. Overview

The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as
well as reacting to it. An example of a cause for such abnormal activity might be an internal host
becoming infected with a virus that is making repeated connections to external IP addresses. It
might alternatively be some external source trying to open excessive numbers of connections. (A
"connection" in this context refers to all types of connections, such as TCP, UDP or ICMP, tracked
by the NetDefendOS state-engine).

The Threshold Rule feature is available on the D-Link DFL-800 / 1600 / 2500 only.

A Threshold Rule is like a normal policy based rule. A combination of source/destination
network/interface can be specified for a rule and a type of service such as HTTP can be associated
with it. Each rule can have associated with it one or more Actions which specify how to handle
different threshold conditions.

A Threshold has the following parameters:

Action - The response to exceeding the limit: either Audit or Protect

Group By - Either Host or Network based

Threshold - The numerical limit which must be exceeded to trigger a response

Threshold Type - Limiting connections per second or limiting total number of concurrent
connections

These parameters are described below:

10.2.2. Connection Rate/Total Connection Limiting

Connection Rate Limiting allows an administrator to put a limit on the number of new connections
being opened to the D-Link Firewall per second.

Total Connection Limiting allows the administrator to put a limit on the total number of connections
opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due
to the large number of connections generated by P2P users.

10.2.3. Grouping

The two groupings are as follows:

Host Based - The threshold is applied separately to connections from different IP addresses.

Network Based - The threshold is applied to all connections matching the rules as a group.

10.2.4. Rule Actions

When a Threshold Rule is triggered one of two responses are possible:

Audit - Leave the connection intact but log the event

Protect - Drop the triggering connection

Logging would be the preferred option if the appropriate triggering value cannot be determined
beforehand. Multiple Actions for a given rule might consist of Audit for a given threshold while the
action might become Protect for a higher threshold.

10.2. Threshold Rules

Chapter 10. Traffic Management

279