WebMux – Automatic Attack Detection and Flood Control


What is the difference between WebMux’ Automatic Attack Detection (AAD) and the Flood Control feature?

The AAD feature controls the number of concurrent open TCP connections that come from the same IP. Depending on the situation, it may be perfectly normal to get 50 concurrent connections from the same client. In other situations, seeing more than 5 concurrent connections might be unusual. It may require some other means of network analysis (outside of the WebMux) to determine what normal activity is for your environment. Alternatively, you can refer to your server’s actual resource limits and set the AAD TCP connection threshold to a value under the server’s real limit for concurrent connections as a safeguard against server overload. AAD safeguards against situations where an attacker from a single IP opens so many TCP connections, and leaves them open, that the farm can no longer accept any new connections.

It is still possible for an attacker, using a few concurrent TCP connections that stay below the AAD TCP connection limit, to generate such a tremendous number of packets that the servers run out of resources to process them, severely disrupting service. That is where the Flood Control feature comes in. Flood Control limits the allowable packet rate from a single IP. The “Packet Rate” setting can be understood as a limit on the allowable average number of packets per second, and “Packet Threshold” can be understood as the limit on the number of instantaneous packets. Again, it may require network analysis outside of the WebMux to determine what your normal network activity looks like in order to choose values that are appropriate for your environment. For example, if you know how many packets per second and what size of packet bursts your servers are able to handle, you can set the Flood Control limits somewhere below those values in order to safeguard against server overload.
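
The baseline measurement described above, sketched as an added example (not WebMux code and not part of the original tip): it takes a traffic capture and reports, per source IP, the peak concurrent connections, the average packets per second and the largest burst, then checks candidate limits against them. The record formats, the one-second burst window, the sample traffic and the limit values are all assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import accumulate

def peak_concurrent(conns):
    """conns: (src_ip, open_ms, close_ms) tuples -> {ip: peak concurrent connections}."""
    events = defaultdict(list)
    for ip, opened, closed in conns:
        events[ip] += [(opened, 1), (closed, -1)]
    # Running sum of +1/-1 events; at equal times closes (-1) sort before opens (+1).
    return {ip: max(accumulate(d for _, d in sorted(evs))) for ip, evs in events.items()}

def packet_profile(packets, window_ms=1000):
    """packets: (src_ip, ts_ms) tuples -> {ip: (average pps, max packets in any window)}.
    Assumption: a burst is measured as packets inside a sliding one-second window."""
    by_ip = defaultdict(list)
    for ip, ts in packets:
        by_ip[ip].append(ts)
    profile = {}
    for ip, times in by_ip.items():
        times.sort()
        span_ms = max(times[-1] - times[0], window_ms)  # do not inflate short captures
        lo = burst = 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window_ms:  # slide the window start forward
                lo += 1
            burst = max(burst, hi - lo + 1)
        profile[ip] = (len(times) * 1000 / span_ms, burst)
    return profile

def over_limits(conns, packets, max_conns, max_pps, max_burst):
    """Return {ip: [limits exceeded]} for candidate threshold values."""
    peaks, profile = peak_concurrent(conns), packet_profile(packets)
    report = {}
    for ip in sorted(set(peaks) | set(profile)):
        avg_pps, burst = profile.get(ip, (0.0, 0))
        hits = [name for name, over in (("connections", peaks.get(ip, 0) > max_conns),
                                        ("packet rate", avg_pps > max_pps),
                                        ("packet burst", burst > max_burst)) if over]
        if hits:
            report[ip] = hits
    return report

# Constructed sample capture (documentation-range addresses, times in milliseconds).
CONNS = [("192.0.2.10", 0, 60000)] * 8 + [("198.51.100.7", 0, 10000)] * 2
PACKETS = [("192.0.2.10", 2000 * i) for i in range(30)] + [("198.51.100.7", 2 * i) for i in range(5000)]

if __name__ == "__main__":
    print(peak_concurrent(CONNS), packet_profile(PACKETS))
    print(over_limits(CONNS, PACKETS, max_conns=5, max_pps=100, max_burst=200))
```

In the sample, the second client never holds more than two connections yet exceeds both packet limits, which is the case a connection-count threshold alone does not catch.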