BLOCKIP is a new service that can be used to manually or automatically block ip-addrs. This can be useful for systems that are open to the entire worldwide Internet. It is recommended that when placing a VSE system on the open Internet the FIREWALL feature and the BLOCKIP service be used. The BLOCKIP service is integrated with the FIREWALL feature; therefore the FIREWALL feature must be active to use the BLOCKIP service.
The BLOCKIP service will also automatically block ip-addrs that are causing Denial of Service (DoS) SYN flood attacks. This type of DoS can cause slow network performance and reduce the availability of a server application.
https://en.wikipedia.org/wiki/Denial-of-service_attack
contains additional information on DoS attacks. One type of DoS is a SYN flood attack. A SYN flood attack occurs when a remote client attempts to connect to a TCP server by sending the initial SYN packet. The server application on VSE then responds with a SYN-ACK to acknowledge the SYN request, which also establishes the starting TCP sequence numbers that will be used. The remote client normally acknowledges this SYN-ACK, completing the standard TCP handshake that establishes a TCP connection.
https://en.wikipedia.org/wiki/Transmission_Control_Protocol
contains additional information on the TCP protocol and connection establishment. During a SYN flood attack the remote client does not ACK the SYN-ACK. These half-open connections exhaust the connections the server can handle and keep it from responding to legitimate requests until the attack ends.
The BLOCKIP command is used to activate, control, and monitor the BLOCKIP service to defend against this type of DoS attack. The format of this new command is:
BLOCKIP @1 @2
@1 is the action to be performed and can be either ON, OFF, CLEAR, LOAD, SAVE, REPORT, or DUMP.
@2 is the keyword IPADDR=ip-addr, or LSMT=lib.sublib.member.type.
The keyword IPADDR= is only valid with the ON or OFF action (@1).
The keyword LSMT= is only valid with the LOAD or SAVE action (@1). LSMT stands for Library, Sublibrary, Member-Name, and Member-Type.
By default BLOCKIP is OFF.
To activate the BLOCKIP service issue a:
BLOCKIP ON
with no other operands.
IPI501R BLOCKIP is ON table length:@1 table address:@2
is issued after successfully activating the BLOCKIP service.
@1 is the length of the block table.
@2 is the address of the block table.
You can then manually block all traffic with a specific ip-addr by issuing:
BLOCKIP ON IPADDR=ip-addr
IPI503R BLOCKIP ON for @1 SLOT=@2
is issued after the ip-addr is successfully added to the block table.
IPI524R BLOCKIP @1 is already in the block table at @2
is issued when the ip-addr is already in the block table.
@1 is the ip-addr being blocked.
@2 is the address in the block table for this ip-addr.
Once the BLOCKIP service is active and a possible SYN flood attack is detected a:
IPI235S Possible SYN flood attack(@1) from @2 to local port @3
is issued.
@1 is the number of times this condition has been detected.
@2 is the remote ip-addr that is suspected of causing the problem.
@3 is the local port number being attacked.
The IPI235S is from the TCP connection manager and indicates that a server in a listen state is actively waiting for an ACK to its SYN-ACK. Unless multiple instances of a server are active on the local port, new client connections to this server application may be rejected. The PORTQUEUE command can also be used to avoid rejections. For example, multiple instances of a server, causing multiple listens on a single local port, can be created by issuing multiple DEFINE FTPDs or DEFINE TELNETDs. Q CONN,STATE-LISTEN can be used to display all servers currently in a listen state and the local port being used.
IPT310S No ACK to SYN-ACK too many times(@1) @2 @3 @4
@1 is the number of times this condition has been detected from this ip-addr.
@2 is the local port being attacked.
@3 is the remote ip-addr the attack came from.
@4 is the foreign port number the attack came from.
Immediately after the IPT310S a:
IPT311S IVLIFABK=@1 CCNOAKSY=@2 for @3
is issued when @2 exceeds the FIREWALL NOACKSYN COUNT=nn value.
@1 is the FIREWALL NOACKSYN COUNT=nn number.
@2 is the number of times this has occurred during this connection.
@3 is the remote ip-addr of the connection.
IPI107S All traffic with @1 will be prevented
@1 is the remote ip-addr being prevented.
This is functionally the same as if an
ACCESS PREVENT IPADDR=ip-addr
command had been issued.
The ACCESS PREVENT command uses the statistics control block (ISBLOK), which is about 512 bytes in size and can cause excessive storage usage when a large number of ip-addrs are prevented. BLOCKIP uses a table with 4 bytes for each blocked ip-addr.
The garbage collector by default wakes up every 15 seconds and checks for prevented ip-addrs. If a prevented ip-addr is detected a:
IPI518W Watchdog is watching @1 grrrowl ISNOSYAK=@2
is initially issued as a warning by the garbage collector.
@1 is the remote ip-addr suspected of causing the attack.
@2 is the number of times this has occurred for this ip-addr.
If this condition is detected three or more times a:
IPI519M @1 placed in BLOCKIP table, @2. removed from ISBLOK chain
is issued and the ip-addr is moved into the table of blocked ip-addrs. The associated ISBLOK is then deleted.
@1 is the ip-addr.
@2 is the address of the ISBLOK deleted.
The ISBLOK storage is also released.
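The two-stage escalation described above (FIREWALL NOACKSYN prevents the remote ip-addr, then the garbage collector promotes it into the BLOCKIP table) replayed over constructed handshake events, as an added simulation that is not CSI's code. The event tuples, the function and variable names, and the reading that each 15-second wake-up that still finds the ip-addr prevented counts as one detection are assumptions.

```python
from collections import defaultdict

def escalate(events, noacksyn_count, end_time, wake_interval=15):
    """Replay constructed handshake events through the escalation the text
    describes (a simulation, not the CSI code): exceeding FIREWALL NOACKSYN
    COUNT=nn prevents the remote ip-addr, and the garbage collector, waking
    every wake_interval seconds, moves it into the BLOCKIP table on the
    third time it sees the ip-addr still prevented.
    events: (seconds, remote_ip, local_port, foreign_port, acked) in time order.
    Returns (messages, prevented, blocked)."""
    noacksyn = defaultdict(int)  # CCNOAKSY: unacknowledged SYN-ACKs per remote
    prevented = {}               # stands in for the ISBLOK chain: ip -> ISNOSYAK
    blocked = set()              # the BLOCKIP table
    messages = []
    next_wake = wake_interval

    def watchdog(now):
        """Run every garbage-collector wake-up that falls at or before now."""
        nonlocal next_wake
        while next_wake <= now:
            for ip in list(prevented):
                prevented[ip] += 1
                messages.append(f"IPI518W Watchdog is watching {ip} grrrowl ISNOSYAK={prevented[ip]}")
                if prevented[ip] >= 3:          # third sighting: promote to block table
                    messages.append(f"IPI519M {ip} placed in BLOCKIP table")
                    blocked.add(ip)
                    del prevented[ip]           # ISBLOK deleted, storage released
            next_wake += wake_interval

    for now, ip, lport, fport, acked in events:
        watchdog(now)
        if ip in blocked or ip in prevented:
            continue                            # all traffic with this ip-addr is dropped
        if acked:
            continue                            # handshake completed normally
        noacksyn[ip] += 1
        if noacksyn[ip] > noacksyn_count:
            messages.append(f"IPT311S IVLIFABK={noacksyn_count} CCNOAKSY={noacksyn[ip]} for {ip}")
            messages.append(f"IPI107S All traffic with {ip} will be prevented")
            prevented[ip] = 0
    watchdog(end_time)
    return messages, dict(prevented), blocked

# Constructed sample: one remote floods FTP (port 21) with SYNs it never
# acknowledges while a legitimate client completes its handshake.
SAMPLE = [(1, "203.0.113.5", 21, 40001, False), (2, "203.0.113.5", 21, 40002, False),
          (3, "192.0.2.20", 21, 51000, True), (4, "203.0.113.5", 21, 40003, False),
          (5, "203.0.113.5", 21, 40004, False), (6, "203.0.113.5", 21, 40005, False),
          (20, "192.0.2.20", 21, 51001, True)]
```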
BLOCKIP OFF
will turn off the blocking of ip-addrs in the blocked table. The table of blocked ip-addrs is still there, but it will not be used to block ip-addrs. In fact, even after BLOCKIP OFF is issued, BLOCKIP REPORT can be used to display the ip-addrs that are in the table. Specific ip-addrs can also be removed with the BLOCKIP OFF IPADDR= command even when BLOCKIP is off. This does not affect ip-addrs currently flagged as prevented. ACCESS CLEAR or ACCESS ALLOW can be used to remove ip-addrs that are in the prevent state. ACCESS QUERY can be used to display all ip-addrs in the prevent state.
IPI510R BLOCKIP turned off
is issued when BLOCKIP is turned off.
BLOCKIP CLEAR
is the same as BLOCKIP OFF, but in addition the current table of blocked ip-addrs is cleared to binary zeros and the blocked counter is reset to zero.
IPI511R BLOCKIP turned OFF table cleared counter reset
is issued when BLOCKIP is cleared.
BLOCKIP OFF IPADDR=ip-addr
can be used to remove an ip-addr from the table of blocked ip-addrs.
IPI509R BLOCKIP OFF for @1 unblocked slot:@2
is issued after the ip-addr is removed from the BLOCKIP table.
BLOCKIP SAVE LSMT=lib.sublib.member.type can be used to save the current table of blocked ip-addrs into a librarian member.
IPI525R SAVE @1. is not a valid lib.sublib.memname.memtytpe
is issued when the LSMT= value is not a valid lib.sublib.memname.memtype.
IPI526R @1. Lib:@2. Sublib:@3. Member:@4. Memtype:@5. IPs=@6.
is issued when the LSMT= is valid.
If BLOCKIP SAVE is issued without the LSMT= keyword a:
IPI528R LSMT= @1. was last valid used...
will be issued. @1 is either NONE or the lib.sublib.member.type of the last BLOCKIP SAVE issued with the LSMT= keyword, in case you forgot the prior value used for LSMT=.
BLOCKIP LOAD LSMT=lib.sublib.member.type can be used to load a previously saved table of blocked ip-addrs.
Note that once a BLOCKIP LOAD or SAVE has been successfully issued, the table is automatically saved during shutdown into the same member name used by the last BLOCKIP LOAD or SAVE command. The idea is to build and update a table of blocked ip-addrs that can then be loaded during startup.
IPI527R @1 IP-Addrs loaded into BLOCKIP TABLE from @2..@3.
is issued after successfully loading a table of blocked ip-addrs.
If BLOCKIP LOAD is issued without the LSMT= keyword a:
IPI528R LSMT= @1. was last valid used...
will be issued. @1 is either NONE or the lib.sublib.member.type of the last BLOCKIP LOAD issued with the LSMT= keyword, in case you forgot the prior value used for LSMT=.
BLOCKIP ON
BLOCKIP LOAD LSMT=lib.sublib.memname.memtype
can then be placed into the stack initialization to block ip-addrs without the overhead of detecting SYN flood attacks.
BLOCKIP DUMP can be used to dump the current contents of the block table.
BLOCKIP REPORT
can be used to create a report of all currently blocked ip-addrs. First a:
IPI512R @1 IVBLKTAL=@2 IVBLKTAB=@3 IVBLKTCN=@4 IVBLKCNT=@5
is issued.
@1 is either ON or OFF to indicate the current state of BLOCKIP.
@2 is the length of the blocked table.
@3 is the address of the blocked table.
@4 is the number of ip-addrs in the blocked table.
@5 is the number of times a datagram was blocked because it matched a ip-addr in the blocked table.
Next a:
IPI521R @BLOCKIP @1.
is issued for each ip-addr in the table.
@1 is the ip-addr that is in the table.
This report of blocked ip-addrs could also be passed on to your Internet Service Provider (ISP) to add to a router, so that traffic from the ip-addr is blocked before it reaches the VSE system.
IPI520M BLOCKIP size increased IVBLKTAL=@1 IVBLKTAB=@2
is issued when an attempt to add a new ip-addr finds the table full. The full table is copied into a new larger table. The initial size of the table is 4096 bytes, which holds up to 1024 ip-addrs. When the table is full its size is increased by 4096 bytes.
@1 is the new larger increased table size.
@2 is the new table address.
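A simulation of the block table and the BLOCKIP REPORT counters as the text describes them (4 bytes per ip-addr, 4096-byte initial size, growth by 4096 when full, slots reused after BLOCKIP OFF IPADDR=), added here and not the CSI code; the class, its method names and the IPv4 packing are assumptions.

```python
import struct
ENTRY = 4       # each blocked ip-addr occupies 4 bytes (one IPv4 address)
INITIAL = 4096  # initial table size in bytes: room for 1024 ip-addrs
GROWTH = 4096   # the table is extended by 4096 bytes when it is full
EMPTY = bytes(ENTRY)

def pack_ip(ip):
    """Pack a dotted-decimal IPv4 address into its 4-byte table form."""
    return struct.pack("!4B", *(int(o) for o in ip.split(".")))

class BlockTable:
    """Simulation (assumed, not the CSI code) of the BLOCKIP table and counters."""
    def __init__(self):
        self.table = bytearray(INITIAL)  # IVBLKTAB, cleared to binary zeros
        self.count = 0                   # IVBLKTCN: ip-addrs currently in the table
        self.blocked = 0                 # IVBLKCNT: datagrams blocked by a match
    def _slots(self):
        for off in range(0, len(self.table), ENTRY):
            yield off, bytes(self.table[off:off + ENTRY])
    def _find(self, entry):
        return next((off for off, e in self._slots() if e == entry), None)
    def add(self, ip):
        """BLOCKIP ON IPADDR=ip: add the address, growing the table if full."""
        if self._find(pack_ip(ip)) is not None:
            return False                 # IPI524R: already in the block table
        free = self._find(EMPTY)
        if free is None:                 # IPI520M: full, copy into a larger table
            free = len(self.table)
            self.table += bytearray(GROWTH)
        self.table[free:free + ENTRY] = pack_ip(ip)
        self.count += 1
        return True
    def remove(self, ip):
        """BLOCKIP OFF IPADDR=ip: zero the slot so it can be reused."""
        off = self._find(pack_ip(ip))
        if off is None:
            return False
        self.table[off:off + ENTRY] = EMPTY
        self.count -= 1
        return True
    def is_blocked(self, ip):
        # per-datagram check: block and count it if the source ip-addr matches
        if self._find(pack_ip(ip)) is None:
            return False
        self.blocked += 1
        return True
    def report(self):
        """BLOCKIP REPORT: the IPI512R counters plus one entry per blocked ip-addr."""
        ips = [".".join(map(str, e)) for _, e in self._slots() if e != EMPTY]
        return {"IVBLKTAL": len(self.table), "IVBLKTCN": self.count, "IVBLKCNT": self.blocked, "ips": ips}
```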
IPI522E @@1. failed rs:@2. rc:@3. offset:@4.
is issued when a BLOCKIP command fails.
IPI523E @ISBLOK:@1. PRIOR:@2. ISNEXT:@3. ISNEXTSV:@4. IP:@5. @6.
is issued when the garbage collector detects a problem in the ISBLOK chain. Report this error to CSI technical support.
The stack must be recycled to pick up this zap.