ZeXtras Suite and the Zimbra DoSFilter

From ZeXtras Suite Wiki

ZeXtras Suite
Latest Version: 2.4.12
Released on: August 10th, 2017

The Zimbra DOS Filter

Starting from Zimbra 8.0.0, a connection throttling mechanism called DOS Filter has been added in order to reduce the impact of Denial of Service attacks. By default the DOS Filter only allows for 30 connections per second, rejecting any exceeding connection with a 503 HTTP error.

How the DOS Filter can affect your ZeXtras Suite experience

Being an Administrative Zimlet, the ZeXtras Administration Zimlet is loaded upon logging into the Zimbra Administration Console, and it issues many requests in order to retrieve all relevant data. This can trigger Zimbra's DOS Filter, causing slowness, AJAX errors and general UI corruption (e.g. empty text boxes or incoherent checkbox state).

Managing the DOS Filter

There are 3 different configuration properties controlling the DoS Filter:

zimbraHttpDosFilterMaxRequestsPerSec

This property defines the number of allowed concurrent connections per client. The default is 30.

zimbraHttpDosFilterDelayMillis

This property defines the delay imposed on any connection that exceeds the allowed limit.

This property can be set to any integer value, which will become the delay imposed on exceeding connections or:

  • "-1", which means "Reject"
  • "0", which means "No Delay"

The default value is -1.

zimbraHttpThrottleSafeIPs

This property defines a list of "safe" IPs for which DoS Filter rules do not apply. Multiple addresses can be specified as a comma separated list.

Warning!

All of these properties require a mailboxd service restart for any change to take effect.

Dealing with Zimbra Admin Console connection issues

If you are experiencing any of the issues described above, you can check if the cause is the DoS Filter by using your browser's Developer Tools before logging into the Zimbra Administration Console: if you can see any 503 errors then the DoS Filter has probably kicked in and is throttling the connections you are making to the Zimbra Administration Console.

In this case, you should either:

  • Add your client IP to the zimbraHttpThrottleSafeIPs list (perfect if your client has a static IP address)
  • Raise the number of allowed connections. According to our tests, 100 allowed connections per second should solve any loading issues (however, this depends on a number of different factors).
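
Before choosing between the two options above, it helps to measure what each client actually sends. The following is an added example, not code from ZeXtras or Zimbra: it counts requests per client per second in access log lines and reports what the three properties described on this page would do to each client. The log format, the sample lines, the function names and the fixed one-second buckets are assumptions made for illustration; the real filter's rate tracking may differ.

```python
import re
from collections import Counter

# Assumed NCSA-style access log line: client IP, [timestamp], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def _line(ip, ts, status):
    return f'{ip} - - [{ts} +0000] "POST /example HTTP/1.1" {status} 0'

# Constructed sample: one client sends 45 requests in a single second (the last
# 15 answered with 503), another sends 3 requests spread over two seconds.
SAMPLE = [_line("192.0.2.10", "10/Aug/2017:10:15:01", "200" if i < 30 else "503")
          for i in range(45)]
SAMPLE += [_line("198.51.100.7", f"10/Aug/2017:10:15:0{s}", "200") for s in (1, 1, 2)]

def per_client_stats(lines):
    """Return {ip: (peak requests in any one-second bucket, number of 503s)}."""
    buckets, rejected = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, ts, status = m.groups()
        buckets[(ip, ts)] += 1  # log timestamps have one-second resolution
        rejected[ip] += status == "503"
    peaks = {}
    for (ip, _), n in buckets.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: (peak, rejected[ip]) for ip, peak in peaks.items()}

def classify(lines, max_per_sec=30, delay_millis=-1, safe_ips=""):
    """Apply the page's three settings to each client's observed peak rate."""
    safe = {ip.strip() for ip in safe_ips.split(",") if ip.strip()}
    report = {}
    for ip, (peak, n503) in per_client_stats(lines).items():
        if ip in safe:
            action = "exempt"            # zimbraHttpThrottleSafeIPs
        elif peak <= max_per_sec:
            action = "within limit"      # zimbraHttpDosFilterMaxRequestsPerSec
        elif delay_millis == -1:
            action = "reject"            # zimbraHttpDosFilterDelayMillis = -1
        elif delay_millis == 0:
            action = "no delay"
        else:
            action = f"delay {delay_millis} ms"
        report[ip] = {"peak": peak, "http_503": n503, "action": action}
    return report

if __name__ == "__main__":
    for ip, row in classify(SAMPLE).items():
        print(ip, row)
```

A client whose peak stays well below the limit needs no change; exempting a single static admin address keeps the limit in force for every other client, whereas raising the limit loosens it for all of them.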