3.7 SSL Renegotiation DOS Attack Protection

A client can attack the SSL server by sending a number of renegotiation (SSL handshake) requests to it. This can overwhelm the server and the server can go down. To prevent such attacks you can limit the renegotiation requests from a particular client by setting a threshold.

3.7.1 Configuration

  1. Goto <Installation Path>/config/unifi.xml.

  2. In the unifi.xml file edit the following line based on your requirement:

    <SSL reneg_dos_protection="1" reneg_dos_clt_threshold="300" reneg_dos_session_timeout="1800"/>

    reneg_dos_protection: Set the value to 1 to enable this feature and 0 to disable. The default value is 0.

    reneg_dos_clt_threshold: The threshold limit set for the number of renegotiation requests that can be sent from a client per second. The default value is 300.

    reneg_dos_session_timeout: The duration of the timeout session when the renegotiation requests exceed the threshold value. The client will be blocked for this duration and any subsequent connection from the client will be rejected by the server. The default value is 1800s.

  3. Save the file.