Overview of Packet Flow

Threat protection rules are designed to work together to provide maximum protection for your environment. This section describes how these rules are applied and how you can tune some of them to suit your system setup and network environment.

Threat protection rules are grouped by rule category, and most of them have one or more associated rule parameters. Depending on the rule, you may or may not be able to override the default values of the following parameters (where applicable):

  • Packets per second: This parameter defines the rate limit, that is, the number of packets per second from a client that the appliance processes before it performs the triggered action, such as sending warnings or blocking traffic.
  • Drop interval: This is the time period (in seconds) for which the appliance blocks traffic from the client, or traffic that matches a certain pattern, once the rate limit is exceeded. Depending on how you want to handle traffic that exceeds the rate limit, you configure this interval to work together with the Rate algorithm parameter.
  • Rate algorithm: This parameter defines how the appliance handles incoming traffic once it exceeds the rate limit (defined in Packets per second). You can set it to “blocking” or “rate limiting.” The default is “rate limiting.” In both modes the appliance lets client traffic through until it hits the rate limit and then drops the excess; the two modes differ in how the block ends. When you set this to “blocking,” the appliance blocks all traffic from the client for the duration of the drop interval. If the client traffic continues to exceed the rate limit, the appliance keeps blocking all traffic for subsequent drop intervals without letting any traffic through, so a persistently noisy client can be blocked indefinitely. When you set this to “rate limiting,” the appliance blocks all traffic for the rest of the current drop interval only. It re-evaluates the client traffic at the beginning of each drop interval and repeats the same behavior for subsequent intervals, so a client that keeps exceeding the limit still gets traffic through in every interval, up to the rate limit.
    To avoid resource exhaustion and limit abuse, you can limit the query rate for each source IP address, set Drop interval to one second, and set Rate algorithm to “rate limiting.” This results in a rate-limiting behavior that allows some traffic through before the rest is blocked: the appliance re-evaluates the client behavior every second and, if the client traffic exceeds the rate limit, processes only queries up to the rate limit and drops all excess queries for the remainder of that second.
    For more information about how to configure Rate algorithm, Packets per second and Drop interval, see Configuration Examples.

    Note

    Starting with NIOS 6.12.4, the default for Rate algorithm has been changed from “blocking” to “rate limiting.”

  • Events per second: The number of events the appliance logs per second for the rule. Setting this to 0 (zero) disables event logging for the rule. Most rules have this parameter, and the default value is 1.
  • Packet size: The DNS packet size. If a DNS packet exceeds the configured size, the corresponding rule is triggered.
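The interaction between Packets per second, Drop interval and Rate algorithm is easiest to see on concrete traffic. The following Python simulation is an added example, not Infoblox code and not a description of how NIOS implements these parameters internally; it models the two Rate algorithm settings as described above under stated assumptions: the rate limit is counted per source IP per wall-clock second, the packet that pushes a second's count past the limit is dropped, “rate limiting” blocks until the end of the current drop interval (interval boundaries fixed at multiples of Drop interval), and “blocking” blocks for a full drop interval from the offending packet and is extended by any further over-limit second. The client IP addresses and traffic rates are constructed sample data.

```python
"""Simulate the NIOS 'blocking' vs 'rate limiting' Rate algorithm settings.

Added example with constructed traffic, not Infoblox code. Modelling assumptions:
  * the rate limit (Packets per second) is counted per client IP per wall-clock second;
  * the packet that pushes a second's count past the limit is dropped and starts a block;
  * 'rate limiting' blocks until the end of the current drop interval, whose
    boundaries are fixed multiples of drop_interval (re-evaluation at each boundary);
  * 'blocking' blocks for drop_interval seconds from the offending packet, and every
    further over-limit second while blocked pushes the block end out again.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ClientState:
    """Per-source-IP counters kept by the simulated appliance."""
    per_second: dict = field(default_factory=lambda: defaultdict(int))  # second -> arrivals
    blocked_until: float = 0.0   # packets with timestamp < blocked_until are dropped
    allowed: int = 0
    dropped: int = 0


def simulate(packets, pps_limit, drop_interval, algorithm):
    """Run the traffic through the chosen Rate algorithm.

    packets: iterable of (timestamp_seconds, client_ip), in time order.
    Returns {client_ip: (allowed, dropped)}.
    """
    if algorithm not in ("blocking", "rate limiting"):
        raise ValueError(f"unknown Rate algorithm: {algorithm!r}")
    clients = defaultdict(ClientState)
    for t, ip in packets:
        st = clients[ip]
        sec = math.floor(t)
        st.per_second[sec] += 1
        over = st.per_second[sec] > pps_limit       # this packet crosses the limit
        if over:
            if algorithm == "blocking":
                # a full drop interval from now; repeated excess keeps extending it
                block_end = t + drop_interval
            else:
                # only the rest of the current drop interval; fresh start at the boundary
                block_end = (math.floor(t / drop_interval) + 1) * drop_interval
            st.blocked_until = max(st.blocked_until, block_end)
        if over or t < st.blocked_until:
            st.dropped += 1
        else:
            st.allowed += 1
    return {ip: (s.allowed, s.dropped) for ip, s in clients.items()}


def flood(ip, pps, seconds, start=0.0):
    """Constructed traffic: `pps` evenly spaced packets per second for `seconds` seconds."""
    return [(start + s + i / pps, ip) for s in range(seconds) for i in range(pps)]


def demo():
    """Constructed scenario: one abusive client at 20 pps, one normal client at 5 pps,
    Packets per second = 10, Drop interval = 1 s, both Rate algorithm settings."""
    traffic = sorted(flood("203.0.113.10", 20, 5) + flood("198.51.100.7", 5, 5),
                     key=lambda p: p[0])
    return {alg: simulate(traffic, pps_limit=10, drop_interval=1, algorithm=alg)
            for alg in ("blocking", "rate limiting")}


if __name__ == "__main__":
    for alg, result in demo().items():
        print(alg)
        for ip, (ok, dropped) in sorted(result.items()):
            print(f"  {ip}: allowed={ok} dropped={dropped}")
```

With the sample traffic, “rate limiting” lets the abusive client through at exactly the configured limit (10 queries in every second, 50 of its 100 packets) while the 5 pps client is untouched; “blocking” admits the abusive client's first 10 packets and then nothing for the rest of the run, because every subsequent second again exceeds the limit and renews the block. Changing `drop_interval` to 3 under “rate limiting” shows the re-evaluation boundary: 10 packets are admitted at the start of each 3-second interval and the remainder is dropped.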