Great article as starting to look at the EXTRA tab.
I think I understand the PSD weight section and it seems to be defaulted to 23, .03, 3 and 1.
Similarly the Limit section is defaulted to 100 connections BUT and here is the point,
The default LIMIT parameter has
the
Limit Rate set to ZERO "0" / per second.
With burst set at 5.
Does this mean in effect that the LIMIT parameter is OFF?
In that every connection is considered a HIT and for example all port scans, all IPs should be added to the address list...........
If, then can I assume if the limit rate is set to one "1" per second, then
The router will consider a hit for a source IP (ie capture the IP to the list) when 100 connections occur at or before 100 seconds is up?
In other words putting a number value in the Limit rate, kinda activates the parameter...............
The obvious follow on question is what does this have to do with the PSD settings? Are they related or integrated?
Doe s limit rate set to 0, also mean No weighting is considered???
Or is Weight completely independent?
In other words, as per the default settings for these rules
is 23, .03,3,1 always in effect (if a single IP scans any combination of ports (TCP used as protocol) more than 8 times per .03 seconds (couldnt tell if it was 3 sec or 3/100 of a second) then the IP is capture (sent to address list).
So depending upon the answers above, what seems to be going on is two different rate traps for scanning IPs.......
I would have to say, that both are time decay related in that LIMIT is a long Time Decay affect and WEIGHT is a very short Time Decay effect.
Perhaps they are simply VOLUME detectors with the LIMIT looking at the long term (Dos DDOS appplication) and the Weight is looking at the short term (application scanning)
A. LIMIT (macro)
The LIMIT trap has user entry parameter of the number of connections from a single IP that is of concern (default is 100, typical rules I have seen use anywhere from 20-40) and to bound the time frame for which this is measured, is a user entered connection per second basis.
For example 100 connections at 1/ps means that at or below 100 seconds, if 100 connections are made from that IP, the trap is matched and address sent to address list for example,
The Weight trap seems similar to me and has 3 variables. A total Number
If one selected 2/ps, then at or below 30 seconds, it 100 connections are made the trap is matched.
Reads User defined number of connections and per second ratio of connections
Calculates Time Period
Looks at the number of connections on a per IP basis during this time period
Compares the number of connections, per IP, to the user defined number of connections value
If applicable the IP is captured.
B.WEIGHT(micro)
The Weight trap seems similar to me and has 3 variables. A total Number of hits is set as a Threshold relative value.
Then a relative value is given to low ports and high ports, and finally a time constraint is added that defines the period of time the relative values are compared (calculated).
In other words (and again this is per single IP), the router is stating if there are a
number of points awarded,
WITHIN ANY contiguous time period as defined by admin, (relative value given to ports compared to threshold value) The Weight trap is triggered and the IP address is captured to the address list..................
Reads user defined time period
Adds up all the ports being scanned by each individual IP (in time period)
Calculates the total value of those hits per IP
Compares to Threshold Value
If applicable, captures IP.
Both rules assume simple setup all ports, TCP
