Node Shield

Nova Node Shield is a DoS/DDoS protection layer for Nova Nodes. In a safe configuration only the Nova Nodes for your service will be exposed (e.g. publicly reachable) meaning your origin servers (e.g. webservers) can be entirely shielded from attacks.

The Node Shield then provides a layer of protection against DoS attacks against the nodes running your ADCs. At peak capacity a given Node can mitigate up to 1,000,000 packets per second of "bad" traffic, keeping you online against most DoS attacks. The Nova WAF handles Layer 7 protection for origin servers.

Node Shield is available under the Node Features menu item.

Shield Options

Nova Node Shield has several options for protecting your Nodes. Once saved they automatically apply to all your current Nodes, and are loaded on any new Nodes when they connect.

We have a recommended defaults option on the page which is perfect for most users.

Drop Invalid Packets

Automatically drop invalid packets, preventing some basic flood attacks. Nova tracks the state of all packets with it's local firewall, and can easily drop any out-of-state packets.

Drop New TCP without SYN

Drop new TCP sessions that do not have the SYN flag set. Sessions that we have not previously seen should always the SYN flag set, meaning they are establishing a new connection. If they do not then Nova should already be tracking it as an active connection. This will drop anything that does not match this expected pattern.

Drop SYN with suspicious MSS

Drop SYN packets with MSS values outside of typical ranges. Nova Nodes expect to see MSS values between 536 and 65535. This will automatically drop anything that does not fit within that range - typically packets designed to avoid IDS.

Drop Bogus Flags

Drop TCP packets with invalid combinations of TCP flags. Nova can automatically discard any packets that have a set of flags which should not exist. For example, SYN,RST.

Drop All ICMP

Prevent Nova Nodes from receiving any ICMP packets. ICMP is not required in the function of Nova Nodes, and blocking it can be useful for hiding from ping sweeps, and preventing discovery or ping floods.

Drop All Fragments

Drop all fragmented packets on Nova nodes. This prevents TCP fragmentation, a common IDS bypass technique.

Limit IP active connections

Limit individual IP addresses to a maximum of 200 open connections. You may need to disable this if you have a large number of connections coming from a single source IP.

Limit IP connections per second

Limit individual IP addresses to a maximum of 60 connections per second. You may need to disable this
if you have a large number of connections coming from a single source IP.

Limit RST PPS

Limit the number of RST packets per second. This helps prevent DoS attacks and slow down discovery methods like port scans.

System Self-Protection

Enable various rules to protect the Nova Node itself. This rate limits SSH connections should you be allowing them, and sets up several anti-port scan rules on the Node.

Block Pingback DoS

Prevent WordPress pingback/trackback DoS attacks from hitting upstreams. Nova can perform a Layer 7 DPI inspection on traffic and drop any WordPress pingback/trackback messages. These are commonly used to create large scale DDoS attacks.