10. Configuration » General Settings » Anomaly Mitigation

In Configuration » General Settings » Anomaly Mitigation you can configure and fine-tune some advanced features of Wanguard Filter.

[Screenshot: the Configuration » General Settings » Anomaly Mitigation page]

All configuration options listed below are relevant only for the selected decoder.

TCP SYN Proxy – When enabled, Wanguard Filter activates a SYN proxy mechanism included in recent Linux kernels immediately after its initialization. This mechanism shields servers from SYN flood attacks using a SYN proxy implementation to verify the WAN clients before forwarding their connection requests to the protected server. For this option to work, Wanguard Filter must be deployed inline and must receive both incoming and outgoing traffic.
When the filtering server applies a SYN proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply and waits for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN flood packets do not respond to the SYN/ACK reply. The firewall identifies them by the absence of this response and blocks their spoofed connection attempts. The SYN proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server would respond to the TCP options normally negotiated on SYN/ACK packets.
Some of the commands necessary to enable the SYN Proxy feature are listed below. This documentation does not cover all the necessary configuration steps for enabling SYN proxy.
[root@localhost ~]# echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
[root@localhost ~]# /sbin/sysctl -w net/netfilter/nf_conntrack_max=2000000
[root@localhost ~]# /sbin/sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
[root@localhost ~]# /sbin/sysctl -w net/ipv4/tcp_timestamps=1
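The handshake described above, modelled as an added example (not Wanguard or kernel code): the proxy answers each SYN with a SYN/ACK whose sequence number is a keyed cookie over the 4-tuple and a clock tick, keeps no per-SYN state, and forwards to the server only when a client returns the matching ACK. The packet dictionaries, the secret key and the addresses are constructed for illustration.

```python
import hmac, hashlib, struct

SECRET = b"constructed-demo-key"      # the kernel derives its own secret

def syn_cookie(client, server, epoch):
    """32-bit ISN bound to the (client, server) 4-tuple and a coarse clock tick."""
    msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}|{epoch}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:4]
    return struct.unpack(">I", tag)[0]

class SynProxy:
    def __init__(self, server):
        self.server = server
        self.forwarded = []               # handshakes handed to the real server

    def on_syn(self, pkt, epoch):
        """Answer the SYN with a manufactured SYN/ACK; no per-SYN state is kept."""
        isn = syn_cookie(pkt["src"], self.server, epoch)
        return {"flags": "SA", "src": self.server, "dst": pkt["src"],
                "seq": isn, "ack": (pkt["seq"] + 1) & 0xFFFFFFFF}

    def on_ack(self, pkt, epoch):
        """Forward only if the ACK proves the client really received our SYN/ACK."""
        for e in (epoch, epoch - 1):      # tolerate one clock tick of delay
            expected = (syn_cookie(pkt["src"], self.server, e) + 1) & 0xFFFFFFFF
            if pkt["ack"] == expected:
                self.forwarded.append(pkt["src"])
                return True
        return False

SERVER = ("203.0.113.10", 80)             # constructed documentation address

def legit_client(proxy, src=("198.51.100.7", 40001), epoch=100):
    """A real client sees the SYN/ACK and completes the handshake."""
    syn = {"flags": "S", "src": src, "dst": SERVER, "seq": 12345}
    synack = proxy.on_syn(syn, epoch)
    ack = {"flags": "A", "src": src, "dst": SERVER,
           "seq": synack["ack"], "ack": (synack["seq"] + 1) & 0xFFFFFFFF}
    return proxy.on_ack(ack, epoch)

def spoofed_flood(proxy, count=1000, epoch=100):
    """Spoofed sources never receive the SYN/ACK, so nothing reaches the server."""
    for i in range(count):
        syn = {"flags": "S", "src": (f"198.18.{i // 256}.{i % 256}", 1024 + i),
               "dst": SERVER, "seq": i}
        proxy.on_syn(syn, epoch)
    return len(proxy.forwarded)

def forged_ack(proxy, epoch=100):
    """An ACK carrying a guessed acknowledgement number is rejected."""
    pkt = {"flags": "A", "src": ("198.51.100.9", 5555), "dst": SERVER,
           "seq": 1, "ack": 42}
    return proxy.on_ack(pkt, epoch)
```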
Invalid TCP Flags – When enabled, Wanguard Filter blocks all packets with invalid TCP flag combinations immediately after its activation. The necessary filtering rules for this option are applied by the Netfilter firewall for traffic forwarded to/from the attacked destination.
Invalid DNS Packets – When enabled, Wanguard Filter blocks all invalid DNS traffic (illegal combination of source port and destination port) immediately after its activation. The necessary filtering rules for this option are applied by the Netfilter firewall for traffic forwarded to/from the attacked destination.
Private/Reserved IPs – When enabled, Wanguard Filter blocks all private or reserved IPv4 or IPv6 subnets immediately after its activation. The necessary filtering rules for this option are applied by the Netfilter firewall for traffic forwarded to/from the attacked destination.
IP Blacklist/Reputation – When enabled, Wanguard Filter blocks all blacklisted IPs immediately after its activation. The necessary filtering rules for this option are applied by the Netfilter firewall for traffic forwarded to/from the attacked destination.
The [IP Blacklist Options] button allows you to use predefined sources, or define your own, that list IPs with a bad reputation. This option should be used only for a relatively small number of blacklisted IPs, as it may affect the firewall performance and the routing/forwarding process. The maximum number of blacklisted IPs is 65535.
Packet Rate-limiting – You can use this parameter to limit the rate of packets per time unit to a predefined value, or to a percentage of the anomaly threshold when the value entered ends with the character “%”.
Packet Rate-limit Hash – You can apply the packet rate-limiting globally, to a single object (Src. IP, Src. Port, Dst. IP or Dst. Port) or to any combination of objects. If the rate-limiting should be connection-oriented, select all objects. To rate-limit the packet rate of each source IP, select only the Src. IP object.
Byte Rate-limiting – You can use this parameter to limit the rate of bytes per time unit to a predefined value, or to a percentage of the anomaly threshold when the value entered ends with the character “%”.
Byte Rate-limit Hash – You can apply the byte rate-limiting globally, to a single object (Src. IP, Src. Port, Dst. IP or Dst. Port) or to any combination of objects. If the rate-limiting should be connection-oriented, select all objects. To rate-limit the byte rate of each source IP, select only the Src. IP object.
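How the rate-limit value and the rate-limit hash objects combine, as an added example (not Wanguard code): a value ending in "%" is scaled from the anomaly threshold, and the selected objects decide which header fields identify a bucket, so selecting all objects limits each connection while selecting only Src. IP limits each source. The fixed-window counter, the field names and the sample packets are constructed for illustration and simplify whatever Wanguard does internally.

```python
from collections import defaultdict

OBJECTS = ("src_ip", "src_port", "dst_ip", "dst_port")   # the four hash objects

def resolve_limit(value: str, anomaly_threshold: float) -> float:
    """'5000' -> 5000 per second; '20%' -> 20% of the anomaly threshold."""
    value = value.strip()
    if value.endswith("%"):
        return anomaly_threshold * float(value[:-1]) / 100.0
    return float(value)

class RateLimiter:
    def __init__(self, limit_per_second: float, hash_objects):
        unknown = set(hash_objects) - set(OBJECTS)
        if unknown:
            raise ValueError(f"unknown hash objects: {sorted(unknown)}")
        self.limit = limit_per_second
        self.keys = tuple(o for o in OBJECTS if o in hash_objects)  # () = global
        self.counts = defaultdict(int)    # (second, bucket) -> packets seen
        self.dropped = 0

    def bucket(self, pkt):
        return tuple(pkt[k] for k in self.keys)

    def allow(self, pkt) -> bool:
        """Fixed one-second window per bucket; True = forward, False = drop."""
        slot = (int(pkt["ts"]), self.bucket(pkt))
        self.counts[slot] += 1
        if self.counts[slot] > self.limit:
            self.dropped += 1
            return False
        return True

def run(limit_value, threshold, hash_objects, packets):
    """Returns (forwarded, dropped) for the given limit and hash selection."""
    rl = RateLimiter(resolve_limit(limit_value, threshold), hash_objects)
    forwarded = sum(1 for p in packets if rl.allow(p))
    return forwarded, rl.dropped

# Constructed traffic: 3 sources, 10 packets each within one second, each
# packet from a different source port, all to one DNS destination.
SAMPLE = [{"ts": 0.1 * i, "src_ip": f"198.51.100.{s}", "src_port": 40000 + i,
           "dst_ip": "203.0.113.10", "dst_port": 53}
          for s in (1, 2, 3) for i in range(10)]
```

With a 10 pkt/s anomaly threshold, a global "50%" limit forwards 5 of the 30 packets, a per-source limit of 4 forwards 12, and a connection-oriented limit of 4 forwards all 30 because every packet lands in its own bucket, which is why the per-source hash is the useful one against randomized source ports.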

The Filtering Rules Settings grid lets you view and edit the policy for each filtering rule type:

Enabled – Check to allow Wanguard Filter to detect the selected filtering rule.
Filtering Rule – Describes the filtering rule.
Priority – By double-clicking the cell, you can change the order in which filtering rules are applied. The default settings prioritize filtering rules that match the most specific malicious traffic: source IP, source TCP port, source UDP port. You can disable filtering rules such as destination IP/port to prevent service interruption, at the risk of allowing the malicious traffic to pass through when it uses randomized packets.
Severity – By double-clicking the cell, you can change the minimum severity of the filtering rule. A value of 1 enables the filtering rule when the matched traffic is above the anomaly threshold. To enable the filtering rule only when the matched traffic is double the anomaly threshold, set it to 2. To enable the filtering rule when the matched traffic reaches half the anomaly threshold, set it to 0.5.
Timeout – When set to 0, the filtering rule remains active for as long as the anomaly is active. Enter a nonzero value for the filtering rule to expire after the entered number of seconds.
OSI Layer – Shows the OSI layer at which the filtering rule detection is performed; for informational purposes only.
Compatibility – Displays whether the filtering rule can be detected and applied by Packet Filter, Flow Filter, BGP Flowspec or Dataplane Firewall.