Connection Limiting (v2) feature using Access Rules in SonicOS Enhanced

03/26/2020 13 14023

DESCRIPTION:

The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such SonicOS features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the SonicWall. Until now Connection Limiting provided global control of the number of connections for each IP address and was configured in the Access Rules by declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic.

RESOLUTION:

Connection Limiting, version 2 is a major enhancement and is designed to granulate this kind of control so that the SonicWall administrator can configure connection limitation more flexibly. Connection Limiting v2 uses Firewall Access Rules to allow the administrator to choose which IP address, which Service, and which traffic direction when configuring connection limiting.

Conection Limiting is configured under Firewall | Access Rules. Select the desired direction of traffic (LAN to WAN, DMZ to LAN, WAN to LAN etc ). To enforce connection limit either edit an existing rule or create a new rule and click on the Advanced tab.

For eg. if the rule is from LAN to WAN, the option Enable connection limit for each Source IP Address would mean the source IP address of hosts on the LAN. Threshold is the maximum number of connections permissible by each host on the LAN.

Likewise, Enable connection limit for each Destination IP Address would mean the destination IP addresses of hosts on the WAN side of the SonicWall. Threshold is the maximum number of connections permissible to that destination IP address.

The option Number of connections allowed (% of maximum connections) is the % of the maximum number of connection applicable to that device.

The following table delineates the connection-cache size of currently available SonicWall devices running SonicOS Enhanced with Unified Threat Management (UTM) security services enabled or disabled (numbers are subject to change):

Background:

Coupled with IPS, Connection Limiting can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted |Untrusted traffic (i.e. LAN-|WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.

In addition to mitigating the propagation of worms and viruses, Connection limiting can be used to alleviate other types of connection-cache resource consumption issues, such as those posed by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools.

Finally, connection limiting can be used to protect publicly available servers (e.g. Web servers) by limiting the number of legitimate inbound connections permitted to the server (i.e. to protect the server against the Slashdot-effect). This is different from SYN flood protection which attempts to detect and prevent partially-open or spoofed TCP connection. This will be most applicable for Untrusted traffic, but it can be applied to any zone traffic as needed.