Use Services to filter traffic. Services classify traffic based on criteria for Layers 3 – 7. A Service is a configuration of a basic filter, which may combine with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). DDoS Protector supports a long list of predefined basic filters. A basic filter includes attributes that specify parameters such as protocol, application port, and content type. When the protocol of a basic filter is TCP or UDP, the filter can include a text string.
DDoS Protector Web Based Management User Guide | 155

A basic filter includes the following components:
Protocol—The specific protocol that the packet should carry. The choices are IP, TCP, UDP, ICMP, NonIP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and UDP) will be considered.
When configuring TCP or UDP, the following additional parameters are available:
Destination Port (From-To)—Destination port number for that protocol. For example, for HTTP, the protocol would be configured as TCP and the destination port as 80. The port configuration can also allow for a range of ports to be configured.
Source Port (From-To)—Similar to the destination port, the source port that a packet should carry in order to match the filter can be configured.
Offset Mask Pattern Condition (OMPC)—The OMPC is a means by which any bit pattern can be located for a match at any offset in the packet. This can aid in locating specific bits in the IP header, for example. TOS and Diff-serv bits are perfect examples of where OMPCs can be useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there must be an OMPC match in addition to a protocol (and source/destination port) match. In other words, if an OMPC is configured, the packet needs to match the configured protocol (and ports) and the OMPC.
Content Specifications—When the protocol of a basic filter is TCP or UDP, you can search for any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect examples of how a text search can help in classifying a session. You can choose from the many types of configurable content—for example, URL, hostname, HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so on. When the content type is URL, for example, the module assumes the session to be HTTP with a GET, HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to find a match for the configured text. In this case, the configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is text, the module searches the entire packet for the content text, starting at the configured offset.
By allowing a filter to take actual content of a packet/session into account, the module can recognize and classify a wider array of packets and sessions.
Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule exists in the filter, the packet needs to match the configured protocol (and ports), the OMPC (if one exists) and the Content Rule.
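The AND combination of protocol, port range and OMPC described above, modelled as an added example that is not part of this guide or the product's code. It assumes Ethernet II framing and derives the "Relative to" bases from the IPv4 IHL and TCP data-offset fields; the sample frame is constructed, not captured.

```python
import struct

# Added example (not DDoS Protector code): models how a basic filter's protocol,
# destination-port and OMPC conditions combine (all must match). Assumptions:
# Ethernet II framing, "Relative to" bases taken from the IPv4 IHL and TCP data
# offset fields, and 8-symbol hex mask/pattern zero-padded on the right when the
# OMPC Length is under four bytes (the guide's "abcd0000" convention).

def build_frame(tos, dst_port, proto=6):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not a capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"                    # 14-byte header, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def base_offset(frame, relative_to):
    """Map the 'OMPC Offset Relative to' choice to an absolute byte position."""
    l4 = 14 + (frame[14] & 0x0F) * 4                    # end of IPv4 header (IHL)
    return {"None": 0, "Ethernet": 0, "IPv4 Header": 14, "IP Data": l4,
            "L4 Header": l4, "L4 Data": l4 + (frame[l4 + 12] >> 4) * 4}[relative_to]

def ompc_matches(frame, offset, relative_to, length, mask, pattern, condition):
    """Evaluate one OMPC: read `length` bytes at the offset, apply the mask, compare."""
    if condition == "None":                             # no OMPC configured
        return True
    start = base_offset(frame, relative_to) + offset
    data = int.from_bytes(frame[start:start + length], "big")
    m = int(mask[:2 * length], 16)                      # only the bytes OMPC Length covers
    p = int(pattern[:2 * length], 16) & m
    masked = data & m
    return {"Equal": masked == p, "Not Equal": masked != p,
            "Greater Than": masked > p, "Less Than": masked < p}[condition]

def basic_filter_matches(frame, protocol, dst_port_range, ompc):
    """Protocol AND destination-port range AND OMPC (if any) must all match."""
    wanted = {"IP": None, "TCP": 6, "UDP": 17}[protocol]  # IP means any IP packet
    if wanted is not None and frame[14 + 9] != wanted:  # IPv4 protocol field
        return False
    l4 = base_offset(frame, "L4 Header")
    dst_port = int.from_bytes(frame[l4 + 2:l4 + 4], "big")
    lo, hi = dst_port_range
    if not lo <= dst_port <= hi:
        return False
    return ompc_matches(frame, **ompc)

# OMPC for DSCP EF (46): TOS byte is IPv4 header offset 1; DSCP is its top 6 bits.
DSCP_EF = dict(offset=1, relative_to="IPv4 Header", length=1,
               mask="fc000000", pattern="b8000000", condition="Equal")
```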
Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.
To configure a basic filter:
1. Select Classes > Modify > Services > Basic Filters.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameters:

Name
The name of the filter.

Protocol
Values: IP, TCP, UDP, ICMP, NonIP, ICMPV6, SCTP. Default: IP.

Source App. Port
The Layer-4 source port or source-port range for TCP, UDP, or SCTP traffic.
Values: a value in the range 0 – 65,535; a range (for example, 30 – 400) whose To value is greater than its From value; or one of the predefined names dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp.

Destination App. Port
The Layer-4 destination port or destination-port range for TCP, UDP, or SCTP traffic.
Values: a value in the range 0 – 65,535; a range (for example, 30 – 400) whose To value is greater than its From value; or one of the predefined names dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp.

OMPC Offset
The location in the packet where the data starts being checked for specific bits in the IP or TCP header.
Values: 0 – 1513. Default: 0.

OMPC Offset Relative to
Specifies the point in the packet to which the OMPC Offset is relative.
Values: None, IPv4 Header, IPv6 Header, IP Data, L4 Data, ASN1, Ethernet, L4 Header. Default: None.

OMPC Mask
The mask for OMPC data. The value must be defined according to the OMPC Length parameter.
Values: must comprise eight hexadecimal symbols. Default: 00000000.

OMPC Pattern
The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter. The OMPC Pattern must contain eight hexadecimal symbols. If the value of the OMPC Length parameter is smaller than Four Bytes, you need to pad the OMPC Pattern with zeros. For example, if OMPC Length is Two Bytes, the OMPC Pattern can be abcd0000.
Values: must comprise eight hexadecimal symbols. Default: 00000000.

OMPC Condition
Values: None, Equal, Not Equal, Greater Than, Less Than. Default: None.

OMPC Length
Values: None, One Byte, Two Bytes, Three Bytes, Four Bytes. Default: None.

Content Offset
The location in the packet at which the checking of content starts.
Values: 0 – 1513. Default: 0.

Distance
A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.

Content
The value of the content search.
Values: < space > ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~
Content Type
The specific content type to search for.
Values:
None
URL—A URL in the HTTP request URI.
Text—Text anywhere in the packet.
Hostname—A hostname in the HTTP header. The host names in the Hostname List of an L7 Policy are not algorithmically related to a host name configured for a basic filter.
Header Field—A header field in the HTTP header.
Expression—Text anywhere in the packet represented by a regular expression specified in the Content field.
Mail Domain—The Mail Domain in the SMTP header.
Mail To—The Mail To SMTP header.
Mail From—The Mail From SMTP header.
Mail Subject—The Mail Subject SMTP header.
File Type—The type of the requested file in the HTTP GET command (for example, JPG, EXE, and so on).
Cookie—The HTTP cookie field. The Content field includes the cookie name, and the Content Data field includes the cookie value.
Normalized URL—A normalized URL in the HTTP request URI.
POP3 User—The POP3 User field in the POP3 header.
URI Length—Filters according to URI length.
FTP Command—Parses FTP commands into commands and arguments, while normalizing FTP packets and stripping Telnet opcodes.
FTP Content—Scans the data transmitted using FTP, normalizes FTP packets, and strips Telnet opcodes.
Generic Url—The generic URL in the HTTP Request URI. No normalization procedures are taken. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
Generic Header—In the HTTP Request URI. No normalization procedures are taken. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
Generic Cookie—In the HTTP Request URI. No normalization procedures are taken. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
Default: None
Content End Offset
The location in the packet at which the checking of content ends.
Values: 0 – 1513. Default: 0.

Content Coding
The encoding type of the content to search for (as specified in the Content field).
Values: None, Case Insensitive, Case Sensitive, HEX, International. Default: None.
Note: The value of this field corresponds to the Content Type parameter.

Content Data Coding
The encoding type of the content data to search for (as specified in the Content Data field).
Values: None, Case Insensitive, Case Sensitive, HEX, International. Default: None.
Note: The value of this field corresponds to the Content Type parameter.

Description
A description of the filter.

Session Type
The specific session type to search for.
Values: None, Ftp Control, Ftp Data, Ftp All, Tftp Control, Tftp Data, Tftp All, Rshell Control, Rshell Data, Rshell All, Rexec Control, Rexec Errors, Rexec All, H225 Control, H245 session, H225 All, SIP Signal, SIP Media Control, SIP Audio, SIP All. Default: None.

Session Type Direction
The specific direction of the specified session type to search for.
Values: All, Request, Reply. Default: None.