Like many of you, we only allow authenticated access through the MWG. (well that's for the majority of URLs, with a list of exceptions, of course).
The MWG's sometimes get hammered with an outburst of unauthenticated requests.
For one reason those may be wrongly configured scripts from our developers (don't get me started ...).
Another reason can be the occasional Nokia Suite which - when unconfigured for authenticated proxy usage - will virtually swamp the MWG in requests (up to a few hundred req's per second).
This can lead to a growing number of unauthenticated requests in the queue and a kind of DOS situation where valid users can't be authenticated against the AD anymore.
Users then get the authentication window and get annoyed big time (we've been there...).
Sometimes, when (if) we see the shebang hitting the fan, we manually block the user's IP address with a special rule very early on in the policy.
Now I'd like to initiate that block somehow automatically...
So, what I imagine is a rule with a kind of threshold up to which unauthenticated requests can occur (e.g. 1000 req's during 2 minutes).
As soon as this threshold is being broken, the requesting machine would be blocked from any further MWG usage, and being presented with the block page.
I could imagine filling a UserDefined property with the user's IP address and a counter for unauthenticated requests from that IP address.
The block rule would initiate the block depending on the counter, and reset the block/counter after a certain time.
SO here's my question: before I go ahead and try to code something like this, I'd like to ask you, the community, if you already have something like that and if you're willing to share it here??
Even if youre not willing/allowed to share the code, maybe you can share some thoughts on the story above and on your solution for the problem?
Thanks a bunch!
BTW: we're on 7.4.1 in case that matters.
Nachricht geändert durch oliver.huf on 26.03.14 11:29:06 CDT
Nachricht geändert durch oliver.huf on 26.03.14 11:31:07 CDT