Traffic Regulation policy examples

The goal of Traffic Regulation (TR) policy is to protect your system from usage spikes. A phased approach to determine the correct policy for your system is recommended.

To gather baseline statistics, first run in normal statistics mode with the traffic regulation management daemon (TRMD) running. In normal statistics mode, the following information is provided for the port at each policy-defined interval:

While the baseline statistics records provide suggested policy values for the interval, you should evaluate data from multiple intervals. The values suggested are those that would avoid denying any of the connections in the interval. Choose lower values if the interval represents a workload larger than you want to allow.

After you determine the policy values to use, try running with the Log and Nolimit actions specified. Specifying the Nolimit action lets you test the policy without enforcing it: the connections that would have been denied (if the Limit action were specified) are logged, but each connection is still allowed to occur. After you are satisfied with the experimental policy, set the policy action to Limit.

The following traffic regulation TCP rules are defined:

The following example is an IDS configuration file:

########################################################################
########################################################################
# TR Policies
########################################################################

#-----------------------------------------------------------------------
# TR - IDSRule
#-----------------------------------------------------------------------
IDSRule                    TRTcpWeb-rule
{
  ConditionType            TR
  Priority                  7
  IDSTRConditionRef        TRTcpWebCondition
  IDSActionRef             TRTcpLimit-action
}
IDSRule                    TRTcp-rule
{
  ConditionType            TR
  Priority                 2
  IDSTRConditionRef        TRTcpCondition
  IDSActionRef             TRTcpLog-action
  IpTimeConditionRef       Time1
}

#-----------------------------------------------------------------------
# TR - IDSTRCondition
#-----------------------------------------------------------------------
IDSTRCondition             TRTcpWebCondition
{
  Protocol                 Tcp
  LocalPortRange           80
  LocalHostAddr            10.14.243.87
  TRtcpTotalConnections    1000
  TRtcpPercentage          10
  TRtcpLimitScope          PORT_INSTANCE
}
IDSTRCondition             TRTcpCondition
{
  Protocol                 Tcp
  LocalPortRange           1-1023
}

#-----------------------------------------------------------------------
# TR - IDSAction
#-----------------------------------------------------------------------
IDSAction                  TRTcpLimit-action
{
   ActionType              TR LIMIT
   IDSReportSet            TRTcpLimitReportSet
   {
      TypeActions          Log
      TypeActions          Statistics
      StatType             Exception
   }
}
IDSAction                  TRTcpLog-action
{
   ActionType              TR NOLIMIT
   IDSReportSetRef         LogStatReportSet
}

#-----------------------------------------------------------------------
# IDSReportSet
#-----------------------------------------------------------------------
IDSReportSet               LogStatReportSet
{
   TypeActions             Log
   TypeActions             Statistics
}

#-----------------------------------------------------------------------
# IPTimeCondition
#-----------------------------------------------------------------------
IpTimeCondition            Time1
{
  TimeOfDayRange           1-22
  DayOfWeekMask            0111110
}
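As an added example (not part of the IBM documentation and not a z/OS tool), a small Python parser for this policy-file syntax that resolves each TR rule's IDSTRConditionRef and IDSActionRef and reports whether the rule is in the logging-only (NOLIMIT) or enforcing (LIMIT) phase described above. The sample policy inside it is constructed from the TCP example, and `parse_policy` and `audit_tr_rules` are this example's own names.

```python
def _block(lines, i):
    # Attribute lines up to "}"; a "Type Name" line followed by "{" nests (inline IDSReportSet).
    attrs = {}
    while lines[i] != "}":
        if lines[i + 1] == "{":
            typ, name = lines[i].split(None, 1)
            attrs.setdefault(typ, {})[name], i = _block(lines, i + 2)
        else:
            key, _, value = lines[i].partition(" ")
            attrs[key], i = value.strip(), i + 1  # a repeated key keeps its last value
    return attrs, i + 1

def parse_policy(text):
    # Drop '#' comments and blank lines; the rest is top-level "Type Name { ... }" blocks.
    lines = [s for s in (ln.split("#", 1)[0].strip() for ln in text.splitlines()) if s]
    objects, i = {}, 0
    while i < len(lines):
        typ, name = lines[i].split(None, 1)
        objects.setdefault(typ, {})[name], i = _block(lines, i + 2)
    return objects

def audit_tr_rules(objects):
    # Per TR rule: phase (LIMIT enforces, NOLIMIT only logs) and undefined references.
    refs = (("IDSTRConditionRef", "IDSTRCondition"), ("IDSActionRef", "IDSAction"))
    result = {}
    for name, rule in objects.get("IDSRule", {}).items():
        if rule.get("ConditionType") != "TR":
            continue
        missing = [f"{t} {rule.get(r)}" for r, t in refs if rule.get(r) not in objects.get(t, {})]
        action = objects.get("IDSAction", {}).get(rule.get("IDSActionRef"), {})
        rs = action.get("IDSReportSetRef")
        if rs and rs not in objects.get("IDSReportSet", {}):
            missing.append("IDSReportSet " + rs)
        mode = action["ActionType"].split()[-1] if "ActionType" in action else None
        result[name] = (mode, missing)
    return result

# Constructed sample: the two TR rules of the TCP example, with TRTcp-rule's
# condition and action deliberately left undefined so the audit reports them.
SAMPLE = "\n".join([
    "IDSRule TRTcpWeb-rule", "{", "  ConditionType TR",
    "  IDSTRConditionRef TRTcpWebCondition", "  IDSActionRef TRTcpLimit-action", "}",
    "IDSRule TRTcp-rule", "{", "  ConditionType TR",
    "  IDSTRConditionRef TRTcpCondition", "  IDSActionRef TRTcpLog-action", "}",
    "IDSTRCondition TRTcpWebCondition", "{", "  Protocol Tcp", "  LocalPortRange 80", "}",
    "IDSAction TRTcpLimit-action", "{", "  ActionType TR LIMIT",
    "  IDSReportSet TRTcpLimitReportSet", "{", "    TypeActions Log", "}", "}",
])
```

Running `audit_tr_rules(parse_policy(SAMPLE))` marks TRTcpWeb-rule as LIMIT with no problems and lists the two dangling references of TRTcp-rule, which is the kind of check worth running before a Nolimit policy is promoted to Limit.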

If you are using LDAP to define policy, see IDS TCP traffic regulation policy example.

Restriction: LDAP policy cannot be used to define TCP traffic regulation policy that specifies IPv6 addresses.

The following traffic regulation UDP rule is defined:

The following example is an IDS configuration file:

########################################################################
########################################################################
# TR Policies
########################################################################

#-----------------------------------------------------------------------
# TR - IDSRule
#-----------------------------------------------------------------------
IDSRule                    TRUdp-rule
{
  ConditionType            TR
  Priority                 2
  IDSTRConditionRef        TRUdpCondition
  IDSActionRef             TRUdpLogLimit-action
}

#-----------------------------------------------------------------------
# TR - IDSTRCondition
#-----------------------------------------------------------------------
IDSTRCondition             TRUdpCondition
{
  Protocol                 Udp
  LocalPortRange           1-1023
  TRUdpQueueSize           Long
}

#-----------------------------------------------------------------------
# TR - IDSAction
#-----------------------------------------------------------------------
IDSAction                  TRUdpLogLimit-action
{
   ActionType              TR LIMIT
   IDSReportSetRef         LogStatReportSet
}

#-----------------------------------------------------------------------
# IDSReportSet
#-----------------------------------------------------------------------
IDSReportSet               LogStatReportSet
{
   TypeActions             Log
   TypeActions             Statistics
}

If you are using LDAP to define policy, see IDS UDP traffic regulation policy example.

Restriction: LDAP policy cannot be used to define UDP traffic regulation policy that specifies IPv6 addresses.