Symantec Access Management

  • 1.  Preventing DOS

    Posted Sep 22, 2015 06:26 PM

    Hi,

     

    I was wondering if there is a way to prevent DoS from one rogue client IP.

     

    For example, if I set up a script to keep entering wrong credentials into a SM protected application for say 200-300 times within a minute or two.

     

    Is there any way to detect this at the webagent layer and stop it?

     

    Or will it have to be done at the network layer?

     

    Regards,

    Anand.



  • 2.  Re: Preventing DOS
    Best Answer

    Posted Sep 22, 2015 11:12 PM

    Hi Anand,

     

    I believe you are referring to (DDoS)

    Denial-of-service attack - Wikipedia, the free encyclopedia

     

    If that is the case, SiteMinder has no way to prevent it from happening. SM cannot stop end users from submitting credentials. This needs to be controlled via the network layer (i.e., firewall, switches), acting as the first guard to prevent the request from hitting the server.

     

    Hope this helps.

    Kar Meng



  • 3.  Re: Preventing DOS

    Posted Sep 22, 2015 11:46 PM

    Thanks Karmeng

     

    That's what I thought. I was wondering if we can do some flimsy line of defense in the FCC.

     

    Like having JavaScript count the number of retries and stop the form from being submitted if it exceeds a number.


    Granted, client-side JavaScript can always be circumvented, but could it help in some basic cases?



  • 4.  Re: Preventing DOS

    Posted Sep 23, 2015 01:12 AM

    Hi Anand,

    I'm not sure what kind of JavaScript you can put in the login.fcc file to control this.

     

    However, you can make use of the existing login.fcc @smretries directive. This parameter specifies how many times a user can try to submit the credentials.

    For example, if you specify

     

    @smretries=2

     

    This means the end user can retry submitting the credentials two times. Once that is exceeded, it will show the message from login.unauth:

    ###

    Your credentials are not valid for <Target resource>

    Please contact your Security Administrator or Help Desk.

    ###

     

    Does it serve your objective?

     

    Regards,

    Kar Meng



  • 5.  Re: Preventing DOS

    Posted Sep 24, 2015 10:57 PM

    Hi Anand,

     

    If the web server is IIS, check whether the following IIS module helps to achieve your request.

     

    IIS 8.0 Dynamic IP Address Restrictions : The Official Microsoft IIS Site

     

    For Apache, you can check this module.

    http://www.zdziarski.com/blog/?page_id=442

    mod_evasive on Apache - Linode Guides & Tutorials

     

    I think the web server, not the web agent, should take the leading role in preventing DDoS.

     

    Hope this helps.

    Kar Meng
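
The detection the thread asks about (200-300 credential submissions from one client IP within a minute or two) can be done on the web server's access log with a per-IP sliding window. The following is an added example, not part of the original thread and not SiteMinder code; it assumes Apache common/combined log format in chronological order, and the login.fcc path, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed URL of the login form; adjust to where login.fcc is served.
LOGIN_PATH = "/siteminderagent/forms/login.fcc"
# Common/combined log prefix: ip ident user [time] "METHOD path ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(line):
    """Return (ip, timestamp, method, path) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0]

def flag_noisy_clients(lines, threshold=200, window=timedelta(seconds=120)):
    """Map each ip to the first time it reached `threshold` login POSTs in `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path = rec
        # Count every credential POST: the status code alone does not
        # reliably separate failed from successful form logins.
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = when
    return flagged

def sample_log():
    """Constructed data: one client posting twice a second, one ordinary user."""
    base = datetime(2015, 9, 22, 18, 0, 0, tzinfo=timezone.utc)
    events = [("203.0.113.7", base + timedelta(seconds=i // 2)) for i in range(250)]
    events += [("198.51.100.20", base + timedelta(seconds=40 * i)) for i in range(3)]
    events.sort(key=lambda e: e[1])
    fmt = '{} - - [{}] "POST {} HTTP/1.1" 302 512'
    return [fmt.format(ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), LOGIN_PATH) for ip, t in events]

if __name__ == "__main__":
    for ip, when in flag_noisy_clients(sample_log()).items():
        print(f"{ip} exceeded the login POST threshold at {when.isoformat()}")
```

The flagged addresses are candidates for blocking at the layers named in the thread (firewall, mod_evasive, IIS Dynamic IP Address Restrictions).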