Kerio User Forums » Kerio Control » DDOS Attack & Dos Protection.
  •  
wcws

Does Kerio Control support DOS & DDOS Attack?
  •  
sorat

Define, what is an attack?
Like, in a scenario when say, 1 million PCs request pages from kerio at same time, and you want kerio to do something about it?
  •  
wcws

yes - like

TCP SYN+ACK
TCP FIN
TCP RESET
TCP ACK
TCP ACK+PSH
TCP Fragment
UDP
Slowloris
Spoofing
ICMP
IGMP
HTTP Flood
Brute Force
Connection Flood
DNS Flood
NXDomain
Mixed SYN + UDP or ICMP + UDP Flood
Ping of Death
Smurf;
Reflected ICMP & UDP
As well as other attacks
  •  
sorat

Too broad a request; some of the items in this list Kerio deals with, yes.
At our installation, for example, before Kerio we use an additional machine that checks and limits the speed of creating new connections per second for every IP.

If you are trying to build an installation resistant to various attacks, you will need more than only Kerio alone.
  •  
wcws

Do you know which specific ones it offers? Right now I am using Fortigate Firewall so I just wanted to know if it's better than what I currently I know Fortigate offers all that.
  •  
mojo-jojo

sorat wrote on Tue, 21 October 2014 10:41
Define, what is an attack?
Like, in a scenario when say, 1 million PCs request pages from kerio at same time, and you want kerio to do something about it?

Let's say, Kerio Control doesn't have any DDoS protection vs normal syn-flood. I'm talking about free DDoS, which you can find on the Internet. I tried - my server will be unavailable not only during that attack but even after that, for some period of time.

As far as I know, with pure Linux (or if we tune it via SSH) the situation can be improved, but Kerio doesn't consider it necessary. I DON'T know Linux, that's why I'm using Kerio!

I am upset.
  •  
Carsten Maas (Kerio)

You can configure connection limits, which should protect you:
http://kb.kerio.com/product/kerio-control/security/configuring-connection-limits-1756.html

Carsten Maas
Senior Technical Marketing Engineer
Kerio Technologies

  •  
mojo-jojo

Unfortunately, this syn-flood was with IP-spoofing. If we set any maximum concurrent connections - our server will be unavailable during the entire period of the attack, and for some time after (30 or more minutes). I'm sure Kerio knows why.

Funny thing, you can do it any time and for free - http://quezstresser.com/

Enter your server IP, select port, SSYN and the server under Kerio Control will die for new inbound connections.

I read about it, the only way is SYN cookies. It is unlikely that the Linux used by Control has this function enabled. This is not good.

Please activate this feature in new versions! Or add this setting in the web-interface!

[Updated on: Sat, 18 June 2016 08:22]
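To make the SYN cookie idea mentioned in the post above concrete, here is an added example (not from the thread, not Kerio's or the Linux kernel's code) of the classic layout: the server packs a time slot, an MSS index and a keyed hash into the sequence number of its SYN+ACK and keeps no state until a matching ACK returns. The key, table and function names are assumptions; the addresses are constructed documentation ranges.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"     # assumption: a random per-boot key on a real host
MSS_TABLE = [536, 1300, 1440, 1460]  # the cookie carries only an index into this table
SLOT_SECONDS = 64                    # a cookie is accepted in its own slot and the next

def _mac24(src, sport, dst, dport, client_isn, counter, mss_idx):
    """24-bit keyed hash over everything the server would otherwise have to store."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIIB", sport, dport, client_isn, counter, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Sequence number for the SYN+ACK; nothing is added to any connection table."""
    counter = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(src, sport, dst, dport, client_isn, counter, mss_idx)
    return ((counter % 32) << 27) | (mss_idx << 24) | int.from_bytes(mac, "big")

def check_cookie(src, sport, dst, dport, client_isn, ack_number, now):
    """Return the MSS if the final ACK proves a completed handshake, else None.

    A spoofed source never receives the SYN+ACK, so it cannot echo the cookie.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // SLOT_SECONDS
    for counter in (current, current - 1):
        if cookie >> 27 != counter % 32:
            continue                 # cookie was issued in some other time slot
        expected = _mac24(src, sport, dst, dport, client_isn, counter, mss_idx)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None
```

On a stock Linux host the kernel's own implementation is controlled by the `net.ipv4.tcp_syncookies` sysctl; whether the Kerio Control appliance exposes or enables it is not stated in this thread.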

  •  
wcws

Kerio is for just in house small business firewall - you need more high end enterprise level
  •  
mojo-jojo

Kerio Control is NOT "in house small business firewall". It's "for small to medium organizations" (wiki).

But anyway, this DDoS protection can be done with Debian, which is used in Control. You don't need "more high end enterprise level" for this (what is meant by this?). Kerio can do this and I still don't understand why they have not implemented it. Maybe because 99% of Kerio users think that "Kerio is for just in house small business firewall" (like a small router + antivirus), which it is not. Even bare Linux on a powerful PC can be a very powerful solution, not for "in house small business firewall". You don't need Cisco, ZyWall from ZyXEL or Mikrotik for this.

[Updated on: Sun, 19 June 2016 11:01]

  •  
mojo-jojo

We can reduce DefaultTcpTimeout in the config file and fake connections will be closed after that time.

But after 1-2 minutes of continuous syn-flood attack, Kerio will catch a System Fault and will be restarted.

The debug log has something about syn flood. I am not sure that it was in earlier versions.

RAM used is 75% of 4 Gb with IPS, and without it a little more than 50%, so we have some space.

Sites used (both at the same time):
http://beststresser.com/
http://quezstresser.com/

And it's only a school type of DoS attack...

[Updated on: Thu, 27 October 2016 08:54]

  •  
Brian Carmichael (Kerio)

There is protection against most types of attacks. Many of them are part of the ICSA certification. Regarding the online tool, we tested it against the current version 9.1.4 and did not experience a denial of service. Which version of Kerio Control are you testing against?

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
mojo-jojo

Thank you for the answer.

I was a little lazy. It was on 9.1.3. After the 9.1.4 update, the problem went away. Now, under syn-flood at the opened 80 TCP port, only 1.28 GB of RAM is used with 5000 concurrent connections (with IPS).

But anyway we have to set a lower DefaultTcpTimeout in the winroute.cfg file, not 40 minutes, or our server will be unavailable for new inbound connections during 40 minutes after the end of the attack. The problem is - if we set 10 minutes or even lower, we might have problems with some services. But it depends on the specific service.

So that system fault was because of 9.1.3...

Thank you.

[Updated on: Fri, 28 October 2016 05:04]
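The trade-off described in the post above (a connection limit plus a long DefaultTcpTimeout keeps the table full after a flood stops, while a short timeout cuts idle services) can be modelled as follows; this is an added example, not from the thread or from Kerio. It assumes every spoofed SYN holds one slot until the timeout expires; the flood rate, attack length and idle gaps are constructed, while the 5000-connection and 40-minute figures are the ones quoted in the thread.

```python
from collections import deque

def outage_after_attack(limit, timeout_s, syn_rate, attack_s, horizon_s=7200):
    """Seconds after the flood stops until a new inbound connection fits in the table.

    Model (assumption): each spoofed SYN occupies one slot until timeout_s
    elapses, and the table holds at most `limit` entries.
    """
    expiries = deque()                      # expiry time per entry, oldest first
    for t in range(horizon_s):
        while expiries and expiries[0] <= t:
            expiries.popleft()              # timed-out fake connections leave
        if t < attack_s:
            free = limit - len(expiries)    # flood takes every slot that frees up
            expiries.extend([t + timeout_s] * min(free, syn_rate))
        elif len(expiries) < limit:
            return t - attack_s             # first second a legitimate SYN is admitted
    return None                             # never recovered within the horizon

# Constructed idle gaps (seconds) of legitimate long-lived sessions.
IDLE_GAPS = {"http-keepalive": 15, "ssh-admin": 900, "db-pool": 1500}

def sessions_cut(timeout_s, idle_gaps=IDLE_GAPS):
    """Names of legitimate sessions whose idle gap exceeds the timeout."""
    return sorted(name for name, gap in idle_gaps.items() if gap > timeout_s)

def tradeoff(timeouts, limit=5000, syn_rate=1000, attack_s=300):
    """One row per timeout: (timeout, outage after the attack, idle sessions cut)."""
    return [(t, outage_after_attack(limit, t, syn_rate, attack_s), sessions_cut(t))
            for t in timeouts]

if __name__ == "__main__":
    for timeout, outage, cut in tradeoff([2400, 600, 60]):
        print(f"timeout={timeout:>4}s  outage after attack={outage:>4}s  cut={cut}")
```

In this model the post-attack outage is bounded by the timeout, and it shrinks to zero only at timeout values that already cut the longer idle sessions.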
