Issue
How does the DOS protection engine work, either on Imunify360 alone or with CSF integration enabled?
Environment
- Imunify360
- CSF integration (optional)
Solution
DOS Protection works by counting connections from each remote IP address per local port separately.
To enable this feature, run the following command:
imunify360-agent config update '{"DOS": {"enabled": true}}'
The mechanism looks only at TCP connections in the ESTABLISHED state; connections in any other TCP state are ignored and are not counted toward the Imunify360 DOS internal stats.
All ports are covered, but connections are counted for each port individually.
How does it work when CSF is fully disabled?
In this scenario, Imunify360 is used as the firewall and its built-in DOS protection at the TCP level is enabled. By default, if there are 250 connections from the same origin, the IP is graylisted; from then on WebShield handles the connections and shows a captcha challenge for subsequent requests. All requests from that IP are blocked until the client passes the challenge or the TTL is reached.
For example, the command below lists only the connections that are in the ESTABLISHED state with the server on the ports being attacked (incoming connections):
# ss -o state established '( sport = :443 or sport = :22 )' | \
awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | grep -v Address
This command shows the list of remote IPs and the number of connections from each of them that match the defined ports. When the count for an IP reaches DOS.default_limit, that IP is added to the graylist.
You can find details about DOS.default_limit at https://docs.imunify360.com/config_file_description/#config-file-description
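The counting described above, written out as an added example (not Imunify360's own code): it parses `ss -o state established` output, counts ESTABLISHED connections per local port and remote IP separately, and flags peers that reach the limit. The `ss` lines and the 203.0.113.0/24, 198.51.100.0/24 and 2001:db8:: addresses are constructed sample data; DEFAULT_LIMIT is taken from the 250 stated in this article.

```python
from collections import Counter

DEFAULT_LIMIT = 250  # DOS.default_limit as stated in the article (assumed default)

# Constructed sample of `ss -o state established` output. With no -t/-u
# filter ss prints a Netid column, so the peer address is the 5th field,
# which is what the article's `awk '{print $5}'` relies on.
SAMPLE_SS_OUTPUT = """\
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   0      0      203.0.113.10:443   198.51.100.7:51234  timer:(keepalive,1min,0)
tcp   0      0      203.0.113.10:443   198.51.100.7:51235
tcp   0      0      203.0.113.10:443   198.51.100.7:51236
tcp   0      0      203.0.113.10:22    198.51.100.7:40001
tcp   0      0      [2001:db8::10]:443 [2001:db8::5]:6000
tcp   0      0      [2001:db8::10]:443 [2001:db8::5]:6001
"""


def split_addr(addr_port):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port).

    rpartition keeps IPv6 addresses intact, unlike the article's `cut -d: -f1`."""
    ip, _, port = addr_port.rpartition(":")
    return ip.strip("[]"), int(port)


def count_established(ss_output):
    """Return a Counter keyed by (local_port, peer_ip) over ESTABLISHED TCP rows.

    Each local port is counted separately, as the article says Imunify360 does."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "tcp":  # skip header and non-TCP rows
            continue
        _, local_port = split_addr(fields[3])
        peer_ip, _ = split_addr(fields[4])
        counts[(local_port, peer_ip)] += 1
    return counts


def peers_over_limit(ss_output, limit=DEFAULT_LIMIT):
    """Return sorted (port, ip, count) for peers that reach `limit` on one port.

    These are the IPs that would be graylisted under the described mechanism."""
    counts = count_established(ss_output)
    return sorted((port, ip, n) for (port, ip), n in counts.items() if n >= limit)
```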
How does it work when CSF integration is enabled?
To enable this feature, run the following command:
# imunify360-agent config update '{"CSF_INTEGRATION": {"catch_lfd_events": true}}'
The Imunify360 engine checks CSF_INTEGRATION.catch_lfd_events; when it is enabled, the events exposed by CSF are used as the source for blocking IPs. This works alongside Imunify360's own firewall rules without conflicts, and keeps cooperation with its other attack-mitigation subsystems and heuristics.
How does it work when only CSF is enabled and the integrations are NOT enabled?
To disable this feature, run the following command:
# imunify360-agent config update '{"CSF_INTEGRATION": {"catch_lfd_events": false}}'
In this scenario, CSF is used as the firewall. There is no DOS protection at the TCP level, at least not from Imunify360. For this setup, refer to the official CSF documentation at https://configserver.com/cp/csf.html.