A reverse proxy as a traffic shaper for agents for TAD4D-iLMT

Problem statement:
Handling an overwhelming volume of traffic arriving at a network device is a concern that
should be covered in the vulnerability analysis of any computer-based infrastructure.
It applies even more to a server that is designed to receive traffic from many network
devices, as is the case with a TAD4D/iLMT server. This technote discusses external
measures that can be taken to limit the network traffic that a TAD4D/iLMT server has to process.
Background information:
Starting with release 7.2.2.2 IF3, the TAD4D/iLMT server includes a semaphore mechanism
that handles overload of the traffic reaching the server. There are at least two reasons
why such an overload can occur:
− A network-based DoS/DDoS attack
− A design error in the allocation of scan groups
Too many agents competing for one server can exhaust the server's resources. To protect
the system resources of a TAD4D/iLMT server better, one should use multiple levels of
protection: the existing internal measure can be complemented by an additional layer, a
traffic shaper that limits the number of connections reaching the server. The guide below
shows how to do that.
Solution:
IBM HTTP Server (IHS) configured as a reverse proxy, with a configuration that limits the
number of simultaneous connections, can serve as an efficient layer that throttles the
traffic to the required level. If IHS cannot be used, an Apache HTTP Server can take
exactly the same role, and all the guidelines below apply unchanged.
1. Server installation
Follow the standard IHS or Apache server installation. Documentation of IHS
configuration can be found here. Guides describing the installation of Apache on a
specific platform can easily be found on the Internet.
2. Reverse proxy configuration
The document describing how to configure IHS/Apache as a reverse proxy in
front of TAD4D/iLMT server can be found here.
3. Traffic shaping part of the server configuration
The technote "Tuning IBM HTTP Server to maximize the number of client connections to
WebSphere Application Server", available here, describes the optional IHS module
mod_mpmstats, which reports how many MPM processes and threads are in use. The shaping
itself is done by the MPM limits below; mod_mpmstats helps you verify how close the proxy
runs to them. Configuration of the MPM in a standard Apache server is described in many
guides on the Internet; if you use Apache instead of IHS you can start, for example, with
the guide available here.
Whether you use IHS or Apache, start with the following limits on the number of server
processes, and therefore connections, that run simultaneously:
StartServers 50
ServerLimit 50
MaxClients 50
These values assume the prefork MPM, where each process serves one connection. With the
worker MPM (the IHS default on Unix and Linux) the effective limit is ServerLimit
multiplied by ThreadsPerChild, capped by MaxClients, so the three have to be set
together. In Apache 2.4 MaxClients is called MaxRequestWorkers; the old name is still
accepted.
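The following httpd.conf fragment is an added example, not a configuration from this technote or from the IBM documents it links to. It puts the MPM limits above together with the reverse-proxy directives for both MPMs; the hostnames, ports, module paths, keep-alive and timeout values are assumptions, and TLS for the agent connections is left to the reverse-proxy document referenced in step 2.

```apache
# Added example (not from the technote): IHS (Apache 2.2 based) or Apache 2.2
# acting as a traffic shaper in front of a TAD4D/iLMT server.
# Assumptions: agents contact port 9988, the real server was moved to 9989,
# modules live under modules/.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# The proxy takes over the IP/port the agents already use, so the agents
# themselves need no change.
Listen 9988

# prefork MPM: one process per connection, so processes == connections.
<IfModule prefork.c>
    StartServers     50
    MinSpareServers  5
    MaxSpareServers  50
    ServerLimit      50
    MaxClients       50
</IfModule>

# worker MPM (IHS default on Unix/Linux): admitted connections are
# ServerLimit x ThreadsPerChild, capped by MaxClients (MaxRequestWorkers in
# Apache 2.4). 2 x 25 = 50 gives the same ceiling as the prefork block.
<IfModule worker.c>
    ThreadsPerChild  25
    ServerLimit      2
    StartServers     2
    MaxClients       50
</IfModule>

# An idle keep-alive connection holds one of the 50 slots, so release it quickly.
KeepAlive        On
KeepAliveTimeout 5

# Reverse proxy only: never act as a forward proxy for arbitrary destinations.
ProxyRequests    Off
ProxyPreserveHost On

# Everything the agents send goes to the TAD4D/iLMT server on its new port.
ProxyPass        / http://tad4d-server.example.com:9989/
ProxyPassReverse / http://tad4d-server.example.com:9989/

# Connections beyond the MPM limit wait in the kernel listen backlog instead of
# reaching the TAD4D/iLMT server; keep the backlog short so a flood fails fast,
# and free a worker slot if the backend stalls instead of holding it forever.
ListenBacklog 128
ProxyTimeout  120
```

With this fragment the TAD4D/iLMT server never sees more than 50 concurrent agent connections regardless of how many agents are scheduled at once; the tuning step below then raises or lowers the three MPM values until the database connection count stays within the target.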
Redirect the agents' traffic to the reverse proxy. You can achieve that in several
ways; use the one that works best for you:
• change the server address that the agents contact
• move the TAD4D/iLMT server to another IP/port and make the proxy server listen
on the IP/port that the TAD4D/iLMT server used before
• if the agents use a DNS name, you can also change the DNS record
Then use the scripts new_conn.sh and db_conn.sh from the appendixes to monitor the
number of new TCP connections to the TAD4D/iLMT server and the number of connections
to the database. Tune the number of started servers so that the number of connections
to the database does not exceed 45.
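As an added example of the monitoring loop described above (my own script, not the new_conn.sh or db_conn.sh from the appendixes), the POSIX sh below reads `ss -tan` and counts the agent connections on the proxy port and the connections to the database port, flagging when the 45-connection target is exceeded. The proxy port 9988, the DB2 port 50000 and the sample socket table are assumptions; the agent count is meaningful on the proxy host, the database count on the TAD4D/iLMT host.

```sh
#!/bin/sh
# Added example, not the new_conn.sh / db_conn.sh from the technote's appendixes.
# Counts (a) connections agents have opened to the proxy port and (b) connections
# from this host to the database listener, from `ss -tan` output.

PROXY_PORT=${PROXY_PORT:-9988}   # port the agents contact (assumed)
DB_PORT=${DB_PORT:-50000}        # DB2 listener port (assumed default)
DB_LIMIT=${DB_LIMIT:-45}         # the technote's tuning target
INTERVAL=${INTERVAL:-5}          # seconds between samples

# count_conns STATE_REGEX LOCAL_PORT PEER_PORT  < ss-output
# Counts sockets whose state matches STATE_REGEX and whose local/peer port
# equals the given port; an empty port argument matches any port. Only the
# text after the last ':' is compared, so IPv4 and [IPv6]:port both work.
count_conns() {
  awk -v st="$1" -v lport="$2" -v pport="$3" '
    NR > 1 && $1 ~ st {
      n_l = split($4, l, ":"); n_p = split($5, p, ":")
      if ((lport == "" || l[n_l] == lport) && (pport == "" || p[n_p] == pport)) n++
    }
    END { print n + 0 }'
}

# Agent connections in flight: completed handshakes plus half-open ones,
# the latter being what a SYN flood shows up as.
agent_conns() { count_conns 'ESTAB|SYN-RECV' "$PROXY_PORT" ''; }

# Established connections from this host to the database listener.
db_conns()    { count_conns 'ESTAB' '' "$DB_PORT"; }

# Constructed sample in `ss -tan` layout, used here in place of a live host.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:9988          0.0.0.0:*
ESTAB      0      0      10.0.0.5:9988         10.0.1.20:51234
ESTAB      0      0      10.0.0.5:9988         10.0.1.21:51235
SYN-RECV   0      0      10.0.0.5:9988         10.0.1.22:51236
ESTAB      0      0      10.0.0.5:50001        10.0.0.9:50000
ESTAB      0      0      10.0.0.5:50002        10.0.0.9:50000
TIME-WAIT  0      0      10.0.0.5:9988         10.0.1.23:51237'

# Live loop: one line per INTERVAL seconds, flagging when the DB target is exceeded.
watch_conns() {
  while :; do
    snap=$(ss -tan)
    a=$(printf '%s\n' "$snap" | agent_conns)
    d=$(printf '%s\n' "$snap" | db_conns)
    flag=''
    if [ "$d" -gt "$DB_LIMIT" ]; then flag=" OVER LIMIT ($DB_LIMIT)"; fi
    printf '%s agents=%s db=%s%s\n' "$(date +%T)" "$a" "$d" "$flag"
    sleep "$INTERVAL"
  done
}

# `sh monitor.sh watch` runs against the live host; with no argument the
# script reports the counts from the constructed sample (agents=3 db=2).
if [ "${1:-}" = "watch" ]; then
  watch_conns
else
  printf 'agents=%s db=%s\n' "$(printf '%s\n' "$SAMPLE_SS" | agent_conns)" \
                            "$(printf '%s\n' "$SAMPLE_SS" | db_conns)"
fi
```

If the database count stays at the limit while the agent count keeps growing, the MPM values are too high for the backend; if the agent count sits at the MPM ceiling for long periods while the database is idle, the proxy is throttling more than the server needs, which is the situation the warning below is about.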
Attention! It is very important for the user of this guide to realize the danger of limiting the traffic too much. Excessive throttling of legitimate agent traffic can lead to missing scans.
Appendixes:
1. A script that monitors the number of new connections in real time
2. A script that monitors the number of connections to the database in real time