1 Reply Latest reply on Mar 27, 2014 2:23 AM by feickholt

    Block access for (massively) unauthenticated machines

    oliver.huf

      Like many of you, we only allow authenticated access through the MWG. (well that's for the majority of URLs, with a list of exceptions, of course).

       

      The MWG's sometimes get hammered with an outburst of unauthenticated requests.

       

      For one reason those may be wrongly configured scripts from our developers (don't get me started ...). 

      Another reason can be the occasional Nokia Suite which - when unconfigured for authenticated proxy usage - will virtually swamp the MWG in requests (up to a few hundred req's per second).

       

      This can lead to a growing number of unauthenticated requests in the queue and a kind of DOS situation where valid users can't be authenticated against the AD anymore.

      Users then get the authentication window and get annoyed big time (we've been there...).

       

      Sometimes, when (if) we see the shebang hitting the fan, we manually block the user's IP address with a special rule very early on in the policy.

      Now I'd like to initiate that block somehow automatically...

       

      So, what I imagine is a rule with a kind of threshold up to which unauthenticated requests can occur (e.g. 1000 req's during 2 minutes).

      As soon as this threshold is being broken, the requesting machine would be blocked from any further MWG usage, and being presented with the block page.

       

      I could imagine filling a UserDefined property with the user's IP address and a counter for unauthenticated requests from that IP address.

      The block rule would initiate the block depending on the counter, and reset the block/counter after a certain time.

       

      So here's my question: before I go ahead and try to code something like this, I'd like to ask you, the community, if you already have something like that and if you're willing to share it here??

       

      Even if you're not willing/allowed to share the code, maybe you can share some thoughts on the story above and on your solution for the problem?

       

      Thanks a bunch!

       

      Oliver.

       

      BTW: we're on 7.4.1 in case that matters.

       

      Message edited by oliver.huf on 26.03.14 11:29:06 CDT

       

      Message edited by oliver.huf on 26.03.14 11:31:07 CDT
        • 1. Re: Block access for (massively) unauthenticated machines
          feickholt

          I have a solution for such a problem. We use PDS to count and store requests for each client.

          If the number of requests/minute exceeds a threshold the client is blocked for 15 minutes. It will receive a blocking page with the blocking reason and the client is able to remove the issue. Otherwise it will be blocked again.

           

          If you have any questions.... :-)

           

           

           

           

          Count Request to same site (new using Blocking session)
          [CR 1309-8230-0 - 2013 09 17 created eick ]
          Enabled
          Applies to Requests: True / Responses: True / Embedded Objects: True
          Always

          Columns: Enabled | Rule | Action | Events | Comments

          Enabled | Rule: Allow User to surf - the client is in allowed list.
            1:    Client.IP is in list GLB_UNBLOCK_BLOCKED_CLIENTS°
            Action:   Stop Rule Set
            Events:   PDStorage.AddUserData.Number("Request.url.Cnt.1min",0)<PDS Keep 30 days>
                      PDStorage.AddUserData.String("Request.url.blocked.reason","none")<PDS Keep 30 days>
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Block User If Blocking Session Is Active
            1:    BlockingSession.IsBlocked<Blocking session 15 minutes> equals true
            Action:   Block<Blocking Session 2 many connects>
            Events:   Set User-Defined.Blocked.by =  "TOMANYREQUESTS"
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Manual blocked clients
            1:    Client.IP is in list GLB_TomanyRequestClients_Manualblocked°
            Action:   Stop Cycle
            Events:   BlockingSession.Activate<Blocking session 15 minutes>
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Do not block if URL is in List GLB_Domains_not_checked_for_request/sec
            1:    URL.Host.BelongsToDomains(GLB_Domains_not_checked_for_requests/sec) equals true
            Action:   Stop Rule Set
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Define Resume time
            Always
            Action:   Continue
            Events:   Set User-Defined.Request.Resume =
                        DateTime.ToNumber +
                        PDStorage.GetUserData.Number("Request.url.Cnt.Date")<PDS Keep 30 days>
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Clear counter after 60 sec or url string does  not exists
            1:    User-Defined.Request.Resume greater than 60
            2:    OR PDStorage.HasUserData("Request.url.url")<PDS Keep 30 days> equals false
            Action:   Stop Rule Set
            Events:   PDStorage.AddUserData.Number("Request.url.Cnt.Date",DateTime.ToNumber)<PDS Keep 30 days>
                      PDStorage.AddUserData.Number("Request.url.Cnt.1min",0)<PDS Keep 30 days>
                      PDStorage.AddUserData.String("Request.url.url",URL)<PDS Keep 30 days>
                      Set User-Defined.Request.Resume =  0
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Reset counter if url changed
            1:    PDStorage.GetUserData.String("Request.url.url")<PDS Keep 30 days> does not equal URL
            Action:   Stop Rule Set
            Events:   PDStorage.AddUserData.Number("Request.url.Cnt.1min",0)<PDS Keep 30 days>
                      PDStorage.AddUserData.Number("Request.url.Cnt.Date",DateTime.ToNumber)<PDS Keep 30 days>
                      PDStorage.AddUserData.String("Request.url.url",URL)<PDS Keep 30 days>
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Count UserRequest 1Minute
            1:    PDStorage.GetUserData.String("Request.url.url")<PDS Keep 30 days> equals URL
            Action:   Continue
            Events:   Set User-Defined.TEMP.cnt =
                        PDStorage.GetUserData.Number("Request.url.Cnt.1min")<PDS Keep 30 days> +
                        1
                      PDStorage.AddUserData.Number("Request.url.Cnt.1min",User-Defined.TEMP.cnt)<PDS Keep 30 days>
                      PDStorage.AddUserData.String("Request.url.url",URL)<PDS Keep 30 days>
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Create blocking session if counter eceeds threshold
            1:    User-Defined.TEMP.cnt greater than User-Defined.Request.url.static.MaxCnt
            2:    AND URL.Host is not in list GLB_URL_2Block_by_tomany_requests
            Action:   Stop Cycle
            Events:   BlockingSession.Activate<Blocking session 15 minutes>
            Comments: CR 1309-8230-0 - 2013 09 17 created eick

          Enabled | Rule: Go on more restricted counter
            1:    URL.Host is in list GLB_URL_2Block_by_tomany_requests
            2:    AND User-Defined.TEMP.cnt greater than 200
            Action:   Stop Cycle
            Events:   BlockingSession.Activate<Blocking session 15 minutes>
            Comments: CR 1309-8230-0 - 2013 09 17 created eick
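
The counting and blocking flow of the rule set above, modelled in Python as an added example; it is not part of the original post and is not MWG rule syntax. The class, field and function names are hypothetical, `DEFAULT_MAX` is an assumed stand-in for `User-Defined.Request.url.static.MaxCnt` (the post does not give its value), and the request that trips the threshold is reported as blocked for simplicity.

```python
from dataclasses import dataclass, field

WINDOW = 60              # seconds; "Clear counter after 60 sec"
BLOCK_SECONDS = 15 * 60  # "Blocking session 15 minutes"
STRICT_MAX = 200         # limit for hosts on the stricter list
DEFAULT_MAX = 1000       # assumed value; MaxCnt is not given in the post

@dataclass
class ClientState:       # hypothetical stand-in for the per-client PDS entries
    url: str = ""
    window_start: float = 0.0
    count: int = 0
    blocked_until: float = 0.0

def in_domains(host, domains):
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

@dataclass
class RateBlocker:
    unblock_ips: set = field(default_factory=set)       # allow list
    manual_block_ips: set = field(default_factory=set)  # manually blocked
    exempt_domains: set = field(default_factory=set)    # never counted
    strict_hosts: set = field(default_factory=set)      # use STRICT_MAX
    clients: dict = field(default_factory=dict)

    def handle(self, ip, host, url, now):
        """Decide 'allow' or 'block' for one request at time now (seconds)."""
        st = self.clients.setdefault(ip, ClientState())
        if ip in self.unblock_ips:             # allow list resets the counter
            st.count = 0
            return "allow"
        if now < st.blocked_until:             # blocking session still active
            return "block"
        if ip in self.manual_block_ips:        # manual list starts a session
            st.blocked_until = now + BLOCK_SECONDS
            return "block"
        if in_domains(host, self.exempt_domains):
            return "allow"
        if st.url != url or now - st.window_start > WINDOW:
            # new URL or window expired: restart counting from zero
            st.url, st.window_start, st.count = url, now, 0
            return "allow"
        st.count += 1
        limit = STRICT_MAX if host in self.strict_hosts else DEFAULT_MAX
        if st.count > limit:                   # threshold exceeded
            st.blocked_until = now + BLOCK_SECONDS
            return "block"
        return "allow"
```

Feeding it a constructed burst (one client repeating the same URL ten times a second) shows when the session starts and that the client is admitted again once the 15 minutes have passed.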