vADC Forum

Reply
Contributor
Posts: 29
Registered: ‎10-19-2013
Accepted Solution

Service Protection Class and reporting

Hi,

we are using a service protection class, and some of the requests are rejected (due to some limits we have in this service protection class).

This seems to me working fine.

27/Jan/2015:08:55:36 +0100 DOS Service Protection Class tp_service_protection: Request from 93.111.39.15 rejected because of request size

But is there a way to find out, which request is blocked? i can't find any information in one of the logs.


I don't even find, which setting from the service protection class is responsible for this rejecting (http-header size? http-url length? )


Any ideas?


KR,

Jochen Maurer

Brocadian
Posts: 232
Registered: ‎11-29-2012

Re: Service Protection Class and reporting

Jochen,

     Apologies for the late reply - I went back to the Engineering team for guidance, and with all the Brocade acquisition stuff, it fell off my radar.

As an aside, I have raised an internal bug to have the actual setting strings logged in the message as well to make it easier to decode for administrators...

Which Setting?

The "HTTP Specific Settings" section has 6 attributes it can check.  Each generates a corresponding report message in the log. 

The correspondences are:

       http!check_rfc2396  -->  "URL broke RFC 2396"

       http!max_body_length  -->  "rejected because of body data size"

       http!max_header_length  -->  "rejected because of header size"

       http!max_request_length  -->  "rejected because of request size"

       http!max_url_length  -->  "rejected because of URL size"

       http!reject_binary  -->  "contained binary data"

(This is the current text in version 9.9; )


So the "rejected because of request size" message is from a violation of the "http!max_request_length" setting.


Which Request?

The "debug" setting in the Service Protection Class gives more information for some violations (such as http!max_header_length exceeded), but not for violations of http!max_request_length.

But we can handle these requests using TrafficScript.  The documentation for "http.getRequest()" (on the TS help page https://localhost:9090/apps/zxtm/help.fcgi?section=TrafficScript%20Reference#http.getRequest) is an example of exactly this:

# Check that the request is not too big

# for our servers

$request = http.getRequest();

if( string.len( $request ) > 2048 ) {

   http.sendResponse( "413 Request too large",

                      "text/plain",

                      "Request too large", "" );

}

So:

1. Put that in a rule, edit it to log whatever you want.

2. Set the "http!max_request_length" setting to 0 in the Service Protection class.

3. Set the Service Protection class to call the rule (section: "Service Protection Rule").

Brocadian
Posts: 232
Registered: ‎11-29-2012

Re: Service Protection Class and reporting

Jochen,

how did you go with the details in my last post?

A.

Contributor
Posts: 29
Registered: ‎10-19-2013

Re: Service Protection Class and reporting

sorry, missed your answer.

thats exactly what i've searched for...

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.

Click to Register
Download FREE NVMe eBook