#1 k6rtm (Master Untangler)

Sensitivity knob for the attack blocker?

    I wish I had (*) a sensitivity knob for the attack blocker.

    Normally it would be set at 1, for normal operation.

    But I could turn it up (in increments TBD) to 2, doubling its sensitivity globally.

    I could also turn it down, to something like 0.1, lowering its sensitivity for the whole box.

    I could turn the knob to a new setting, and then watch the log page to see how that new setting shows up in the logs, and also monitor (and talk to) my problem children on the network to see if the new setting helps.

    If twiddling the knob helps, then I could go in and add/change exceptions for specific users/classes to match, but the knob gives me a quick way of changing behaviour over the whole box and observing the results.

    As a possible implementation, the knob sets the value of a multiplier applied to each user. Effective range TBD, but I suspect 0.1 to 2 in steps of 0.1 would probably be a good first cut.

    (The "I wish I had..." and "I wish I had a button/knob that..." was a brainstorming approach we used in a research lab I was in for a number of years. That approach helped us come up with a number of interesting/wild/useful things)

    --bob in sunny silicon valley

#2 sky-knight (Untangle Ninja)

You do have this, they are called exemptions. Changing the thing's sensitivity doesn't help. The primary function of that module is to force all network communications to live within the 10k concurrent session limit.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 dmorris (Untangle Junkie)

I like this idea, however it would have to be hidden. Otherwise people would say "Oh, it's blocking XYZ" and just turn it all the way down, which is the same as turning it off.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#4 k6rtm (Master Untangler)

Originally Posted by sky-knight:
You do have this, they are called exemptions. Changing the thing's sensitivity doesn't help. The primary function of that module is to force all network communications to live within the 10k concurrent session limit.
    It's different from exemptions in that it's a global knob. Exemptions are on a per-device basis; the knob gives you a way to diddle with things as a whole, all at once.

Originally Posted by dmorris:
I like this idea, however it would have to be hidden. Otherwise people would say "Oh, it's blocking XYZ" and just turn it all the way down, which is the same as turning it off.
And I gave a lower limit of something such as 0.1, which desensitizes it by a factor of 10. I would not allow a lower limit of 0.0, effectively turning it off. If you want to turn it off, you do that with a different control, by "turning off" the attack blocker.

    And it should be temporary, and hidden is good, too. One way to do the temporary nature of it is to only have it effective while the attack blocker pages (settings, exemption list, logs) are active. Navigating away from the attack blocker (for example, to Protocols) puts the knob back to 1 (and optionally hides it again).

    Hidden could be through an "advanced" button making the knob visible, as is done currently with some of the network stuff.

    --bob in sunny silicon valley
    Last edited by k6rtm; 03-25-2010 at 12:37 PM.

#5 sky-knight (Untangle Ninja)

    Perhaps just a way to insert an "advanced" rule that allows you to make a 5 user exemption for everyone by default?

I still don't see the purpose; playing with that fundamental multiplier globally can reduce the functionality of the module to useless very, very quickly. It's normal for that module to throttle traffic on a busy network. Your internet connection is much slower than the LAN anyway, so you shouldn't be feeling it on anything. If you are feeling a slowdown due to attack blocker's functionality, you have something actually broken that needs fixing.

#6 k6rtm (Master Untangler)

What's a "session?"

Originally Posted by sky-knight:
Perhaps just a way to insert an "advanced" rule that allows you to make a 5 user exemption for everyone by default?

I still don't see the purpose; playing with that fundamental multiplier globally can reduce the functionality of the module to useless very, very quickly. It's normal for that module to throttle traffic on a busy network. Your internet connection is much slower than the LAN anyway, so you shouldn't be feeling it on anything. If you are feeling a slowdown due to attack blocker's functionality, you have something actually broken that needs fixing.
    Rob--

    You're right in that what I'm proposing is a fairly powerful adjustment, one that can cause problems. That's also one of the reasons it should be temporary. I'd like to be able to try different things (easily, without editing a bunch of rules), observe results, try something a little different, observe results, and from those experiments derive a set of exceptions to put into place, then let those sit and run for a while, collecting more data.

    It would also let me do experiments (for example by turning the knob up past 1) to find out when different users start feeling pain, without digging into each and every one of the protocols used on the apps they are running. (And learn how to distribute the pain better.)

    I'll also admit that, as I posted in another thread, I'm still learning to grok the mysterious ways of the Net Alpacas. They are powerful beasts, and insist on doing things their way. The better I understand what their ways are, the better we will get along.

Take that "session limit" as an example. Okay, I can understand architecturally that there is a hard limit, and the Alpacas have to do things when they get close to or hit that limit. But I'm not sure what counts toward that limit -- does UDP traffic count? How? From an operational standpoint, the SNMP traffic on port 162 (UDP) is very important to me -- I don't want any of it dropped as it goes through UT. How does UDP traffic enter into session counts toward the hard limit? Do rules having this traffic bypass the rack help?

    --bob in sunny silicon valley
    Last edited by k6rtm; 03-25-2010 at 08:56 PM. Reason: Eek! I used "SMTP" where I should have said "SNMP"

#7 sky-knight (Untangle Ninja)

UDP is connectionless and doesn't really have a "session". But also, by its nature, it's "unimportant": mission-critical services don't use it.

    Also, SMTP generally uses TCP as its carrier. I haven't seen any SMTP implementations use UDP as the carrying protocol. So that example specifically confuses me. I'm not saying it isn't real, it is quite possible but it isn't normal.

    However, because the virtual rack imposes its own brand of limitations, it's best to simply bypass it if you know you can trust the traffic. Why subject known good things to filtration?

    And yes, if you take the time to study your network and make informed decisions about what traffic should be filtered, what traffic shouldn't be filtered, and then make the appropriate bypass rules to remove appropriate traffic...

    Well to say the process is worth the time is a very weak understatement. You've just stumbled into the way you can get this product to protect 5000 computers with a single server.

#8 k6rtm (Master Untangler)

Originally Posted by sky-knight:
UDP is connectionless and doesn't really have a "session". But also, by its nature, it's "unimportant": mission-critical services don't use it.

    Also, SMTP generally uses TCP as its carrier. I haven't seen any SMTP implementations use UDP as the carrying protocol. So that example specifically confuses me. I'm not saying it isn't real, it is quite possible but it isn't normal.

    However, because the virtual rack imposes its own brand of limitations, it's best to simply bypass it if you know you can trust the traffic. Why subject known good things to filtration?

    And yes, if you take the time to study your network and make informed decisions about what traffic should be filtered, what traffic shouldn't be filtered, and then make the appropriate bypass rules to remove appropriate traffic...

    Well to say the process is worth the time is a very weak understatement. You've just stumbled into the way you can get this product to protect 5000 computers with a single server.
    Rob--

    I screwed up earlier when I said SMTP -- I meant SNMP (big difference!). For a lot of the monitoring I do, the SNMP packets the router spits out are very important.

    Low priority to some, but for monitoring, I'd rather they didn't get dropped!

    I'm using policy rules to bypass the rack for these things as I find them.

    Understanding how the Net Alpacas work also helps!

    --bob is tired in silicon valley
    Last edited by k6rtm; 03-25-2010 at 08:58 PM.

#9 sky-knight (Untangle Ninja)

    Yeah that makes more sense. SNMP is one of those things that probably should have a default bypass rule in place. There is simply no need for the traffic to pass. That said, you don't want it passing the edge of the network either in most cases, so I guess it comes down to education.
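The limiter this thread sketches (a per-device concurrent-session budget under a box-wide hard cap, a global sensitivity multiplier confined to 0.1..2 with no zero setting, per-device exemptions that sit outside the multiplier, and bypass rules that keep trusted traffic such as SNMP traps out of the count) as a small Python model. This is an added example written for this page, not Untangle's Attack Blocker code, and it makes no claim about how that module actually counts sessions. The base per-host budget of 50, the reading of the multiplier (sensitivity 2 halves a host's budget, 0.1 gives it ten times as much) and the 30 second UDP idle timeout are assumptions chosen for the example. Since UDP carries no connection state, the model tracks UDP as pseudo-flows keyed on the 5-tuple that expire when idle, which is how stateful filters commonly account for it; the sample traffic in demo() is constructed, not captured.

```python
from dataclasses import dataclass

MAX_TOTAL_SESSIONS = 10_000    # the "10k concurrent session limit" quoted in the thread
BASE_PER_HOST_LIMIT = 50       # assumption: default per-host session budget for this model
UDP_IDLE_TIMEOUT = 30.0        # assumption: seconds of silence before a UDP pseudo-flow expires
KNOB_MIN, KNOB_MAX = 0.1, 2.0  # the 0.1 .. 2 range proposed in the thread


@dataclass(frozen=True)
class Flow:
    """A 5-tuple. UDP has no real session, so UDP 'flows' are keyed the same way."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class SessionLimiter:
    def __init__(self, knob=1.0, exemptions=None, bypass=None):
        self.knob = 1.0
        self.set_knob(knob)
        self.exemptions = dict(exemptions or {})  # host -> absolute limit, never scaled by the knob
        self.bypass = list(bypass or [])          # predicates Flow -> bool; matches skip the limiter
        self.active = {}                          # Flow -> timestamp of last packet seen

    def set_knob(self, value):
        # 0.0 would silently disable the module; the thread argues that needs a separate control
        if not (KNOB_MIN <= value <= KNOB_MAX):
            raise ValueError(f"knob must be within [{KNOB_MIN}, {KNOB_MAX}], got {value}")
        self.knob = float(value)

    def _expire(self, now):
        # only UDP pseudo-flows age out; TCP sessions stay until close()
        dead = [f for f, seen in self.active.items()
                if f.proto == "udp" and now - seen > UDP_IDLE_TIMEOUT]
        for f in dead:
            del self.active[f]

    def host_sessions(self, host):
        return sum(1 for f in self.active if f.src == host)

    def host_limit(self, host):
        if host in self.exemptions:
            return self.exemptions[host]
        return BASE_PER_HOST_LIMIT / self.knob   # sensitivity 2 halves the budget, 0.1 multiplies it by 10

    def admit(self, flow, now):
        """True if the packet may pass. New sessions are charged against the host's budget."""
        if any(rule(flow) for rule in self.bypass):
            return True                                   # bypassed traffic is never counted
        self._expire(now)
        if flow in self.active:
            self.active[flow] = now                       # known session/flow: refresh and pass
            return True
        if len(self.active) >= MAX_TOTAL_SESSIONS:
            return False                                  # box-wide hard limit
        if self.host_sessions(flow.src) >= self.host_limit(flow.src):
            return False                                  # host is over its (scaled) budget
        self.active[flow] = now
        return True

    def close(self, flow):
        self.active.pop(flow, None)


def demo():
    """Constructed scenario: one chatty LAN host, one exempt server, SNMP traps kept out
    of the count by a bypass rule, and a UDP pseudo-flow that goes idle."""
    t = 1000.0
    chatty = [Flow("tcp", "10.0.0.7", 40000 + i, "203.0.113.1", 80) for i in range(60)]
    results = {}
    for knob in (0.1, 1.0, 2.0):
        lim = SessionLimiter(knob=knob)
        results[f"admitted_at_{knob}"] = sum(lim.admit(f, t) for f in chatty)
    # an exemption is an absolute per-device limit, unaffected by the knob
    lim = SessionLimiter(knob=2.0, exemptions={"10.0.0.5": 500},
                         bypass=[lambda f: f.proto == "udp" and f.dport == 162])
    server = [Flow("tcp", "10.0.0.5", 40000 + i, "203.0.113.1", 443) for i in range(60)]
    results["exempt_admitted"] = sum(lim.admit(f, t) for f in server)
    for f in chatty:
        lim.admit(f, t)                                   # fills 10.0.0.7 to its 25-session budget
    # an SNMP trap from the host that is already over budget still passes, and is not tracked
    trap = Flow("udp", "10.0.0.7", 5000, "10.0.0.9", 162)
    results["trap_admitted"] = lim.admit(trap, t)
    results["trap_tracked"] = trap in lim.active
    # a non-bypassed UDP flow is counted like a session until it goes idle
    dns = Flow("udp", "10.0.0.7", 50000, "10.0.0.53", 53)
    results["dns_while_full"] = lim.admit(dns, t)        # denied: host at 25/25
    lim.close(chatty[0])
    results["dns_after_close"] = lim.admit(dns, t)       # admitted, host back at 25
    results["host_before_timeout"] = lim.host_sessions("10.0.0.7")
    other = Flow("tcp", "10.0.0.8", 41000, "203.0.113.1", 80)
    lim.admit(other, t + UDP_IDLE_TIMEOUT + 1)            # later packet triggers expiry of idle UDP
    results["host_after_timeout"] = lim.host_sessions("10.0.0.7")
    return results
```

Running demo() shows the trade-off sky-knight warns about: at knob 0.1 the chatty host gets all 60 sessions through, which for a single abusive machine is close to having no limiter at all, while at 2.0 it is cut to 25. The exempt server is untouched by either setting, and the bypassed SNMP trap neither consumes budget nor adds to the global count, which is why a bypass rule rather than a knob setting is the right tool for monitoring traffic that must not be dropped.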
