SYMP-NM-000320 - Symantec ProxySG must enable Attack Detection.

Information

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

Symantec ProxySG Attack Detection prevents or limits the effects of denial of service (DoS) and distributed-DoS (DDoS) attacks by limiting the number of simultaneous TCP connections and/or excessive repeated requests from each client IP address that can be established within a specified time frame. Configure attack detection for both clients and servers or server groups. The client attack-detection configuration is used to control the behavior of attacking sources. The server attack-detection configuration is used when an administrator wants to prevent a server from becoming overloaded by limiting the number of outstanding requests that are allowed.

The default settings should work in most environments, but can be fine-tuned to prevent impact on the site's traffic flow. Organizations should also take into consideration the capabilities and configuration of adjacent network devices (e.g., firewalls performing packet filtering to block DoS attacks).

The default client DDoS settings on the ProxySG are as follows. To view them, type the following command at the command line interface:

ProxySG#(config attack-detection)show attack-detection client

Client limits enabled: false
Client interval: 20 minutes
Default client limits:
Client concurrent request limit: unlimited
Client connection limit: 100
Client failure limit: 50
Client request limit: unlimited
Client warning limit: 10
Blocked client action: Drop
Client connection unblock time: unlimited
Monitor only mode: disabled
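As an added example (not part of the STIG text or the BlueCoat audit plugin), the following Python check parses the output of 'show attack-detection client' shown above and decides whether this rule's requirement is met. The sample output is constructed from the default values listed; treating monitor-only mode as logging without enforcing limits is an assumption.

```python
# Constructed sample of `show attack-detection client`, matching the
# factory defaults listed above (non-compliant: limits are disabled).
DEFAULT_OUTPUT = """\
Client limits enabled: false
Client interval: 20 minutes
Default client limits:
Client concurrent request limit: unlimited
Client connection limit: 100
Client failure limit: 50
Client request limit: unlimited
Client warning limit: 10
Blocked client action: Drop
Client connection unblock time: unlimited
Monitor only mode: disabled
"""


def parse_attack_detection(output):
    """Turn the 'Key: value' lines of the CLI output into a dict.

    Section headers without a value (e.g. 'Default client limits:')
    are skipped.
    """
    settings = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            settings[key.strip()] = value.strip()
    return settings


def check_symp_nm_000320(output):
    """Return (compliant, findings) for SYMP-NM-000320.

    The rule requires 'Client limits enabled: true'. Monitor-only mode is
    also reported (assumption: it logs offending clients without enforcing
    the configured limits, so the control would not actually mitigate DoS).
    """
    s = parse_attack_detection(output)
    findings = []
    if s.get("Client limits enabled", "").lower() != "true":
        findings.append("Client limits enabled is not 'true'; run "
                        "'enable-limits' under (config attack-detection) client")
    if s.get("Monitor only mode", "").lower() == "enabled":
        findings.append("Monitor only mode is enabled; limits are logged, not enforced")
    return (not findings, findings)
```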

Solution

Enable the Attack Detection function with the default settings, or fine-tune the limits as needed for the site environment.

1. SSH into the ProxySG console, type 'enable'.
2. Enter the correct password, type 'configure terminal'.
3. Press 'Enter', and then type 'attack-detection'.
4. Type 'client' and press 'Enter', type 'enable-limits' and press 'Enter'.

See 'Chapter 73: Preventing Denial of Service Attacks' in the ProxySG Administration Guide to understand the functionality before proceeding. Fine-tune the default client limits if there is an operational impact.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SYM_ProxySG_Y20M04_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|I, CCI|CCI-002385, Rule-ID|SV-104305r2_rule, STIG-ID|SYMP-NM-000320, Vuln-ID|V-94413

Plugin: BlueCoat

Control ID: 6e6471a30a4daaa9c89da5afbeea54da69e3df9c3e90be06dda58bee8f10f9b1