NN42020-105 MCS 5100 Release 4.0 Standard 01.06 November 2007

DoS attack protection

Denial of Service (DoS) protection temporarily blocks HTTP and HTTPS requests from a particular source if an HTTP or HTTPS request rate threshold is exceeded. After the system detects an abnormal rate of HTTP traffic, it drops all HTTP requests from that source. The source of HTTP traffic is identified by IP address. Administrators configure a list of IP addresses that are exempt from DoS protection.

The HTTP DoS protection feature is enabled or disabled on a network-element basis.

To enable the HTTP DoS protection feature

1 From the System Management Console, select Network Elements > Provisioning Managers > PROV1 > Configuration Parameters > HTTPDoS. The default value is false (disabled).

2 To enable HTTP DoS protection, set the value to true.

The default behavior is to temporarily block HTTP requests from a source IP address after it exceeds a sustained rate of 3 HTTP transactions per second. A mark-and-sweep audit automatically removes the lockout condition. This mark-and-sweep audit runs every 60 seconds, which translates to a lockout duration of 60 to 120 seconds.

The system detects and blocks up to 10 000 sources based on the source IP address. A log is generated each time a source IP address is locked. Individual HTTP requests that are dropped during the lockout period are not logged.

A token bucket algorithm is used to detect the rate threshold. Each endpoint is assigned a bucket, which holds a limited number of tokens. Tokens are added to the bucket at a regular time interval. One token is taken from the bucket for each HTTP transaction. The bucket size, sample interval, and fill rate determine the permitted burst size and length.

An administrator can configure the following HTTP DoS parameters using the System Management Console (in this section, MAXINT refers to 2147483647, that is, 2^31 - 1):
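The following is an added illustration of the mechanism described above (per-source token buckets, lockout on an empty bucket, a 60-second mark-and-sweep audit, an exempt list, a cap on tracked sources, and one log entry per lockout); it is constructed for this page and is not the MCS 5100 implementation. The burst allowance (bucket_size) and the "mark on the first audit, release on the next" interpretation of mark-and-sweep are assumptions; the sample IP addresses are constructed.

```python
"""Token-bucket HTTP DoS guard with a mark-and-sweep lockout audit."""


class HttpDosGuard:
    # Defaults follow the page: 3 transactions/s sustained, 60 s audit,
    # 10 000 tracked sources. bucket_size (burst allowance) is an assumption.
    def __init__(self, fill_rate=3.0, bucket_size=3, audit_interval=60.0,
                 max_sources=10_000, exempt=(), start=0.0):
        self.fill_rate = fill_rate            # tokens added per second
        self.bucket_size = bucket_size        # maximum tokens (burst size)
        self.audit_interval = audit_interval  # seconds between audits
        self.max_sources = max_sources        # cap on locked-out sources
        self.exempt = set(exempt)             # IPs never subject to lockout
        self.buckets = {}                     # ip -> (tokens, last_update)
        self.locked = {}                      # ip -> marked_by_audit (bool)
        self.last_audit = start
        self.log = []                         # one entry per lockout event

    def _audit(self, now):
        """Mark-and-sweep: a locked source is marked on the first audit after
        the lockout and released on the next, giving a 60-120 s lockout."""
        while now - self.last_audit >= self.audit_interval:
            self.last_audit += self.audit_interval
            for ip, marked in list(self.locked.items()):
                if marked:
                    del self.locked[ip]       # sweep: lockout expires
                    self.buckets.pop(ip, None)
                else:
                    self.locked[ip] = True    # mark: release on next audit

    def allow(self, ip, now):
        """Return True if the request from ip at time `now` may be served."""
        if ip in self.exempt:
            return True
        self._audit(now)
        if ip in self.locked:
            return False                      # dropped silently, not logged
        tokens, last = self.buckets.get(ip, (self.bucket_size, now))
        tokens = min(self.bucket_size, tokens + (now - last) * self.fill_rate)
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            return True
        # Bucket empty: the source exceeded the sustained rate. Lock it out
        # (up to max_sources) and log the lockout exactly once.
        self.buckets[ip] = (tokens, now)
        if len(self.locked) < self.max_sources:
            self.locked[ip] = False
            self.log.append(f"t={now:.1f}s HTTPDoS lockout source={ip}")
        return False
```

A source that bursts four requests at once is locked on the fourth, stays locked through the next audit (which marks it), and is released by the audit after that, so its lockout lasts between one and two audit intervals.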