ZeXtras Suite and the Zimbra DoSFilter
From ZeXtras Suite Wiki
|Language:||English • español • português|
|Latest Version: 2.4.11|
|Released on: June 9th, 2017|
The Zimbra DOS Filter
Starting from Zimbra 8.0.0, a connection throttling mechanism called DOS Filter has been added in order to reduce the impact of Denial of Service attacks. By default the DOS Filter only allows for 30 connections per second, rejecting any exceeding connection with a 503 HTTP error.
How the DOS Filter can affect your ZeXtras Suite experience
Being an Administrative Zimlet, the ZeXtras Administration Zimlet is loaded upon logging into the Zimbra Administration Console, and in order to retrieve all relevant data many requests are done. This can trigger Zimbra's DOS Filter, causing slowness, AJAX Errors and general UI corruption (e.g. empty Text Boxes or incoherent checkbox state).
Managing the DOS Filter
There are 3 different configuration properties controlling the DoS Filter:
This property defines the number of allowed concurrent connections per client. The default is 30.
This property defines the delay imposed any connection that exceeds the allowed limit.
This property can be set to any integer value, which will become the delay imposed on exceeding connections or:
- "-1", which means "Reject"
- "0", which means "No Delay"
The default value is -1
This property defines a list of "safe" IPs for which DoS Filter rules do not apply. Multiple addresses can be specified as a comma separated list.
Dealing with Zimbra Admin Console connection issues
If you are experiencing any of the issues described above, you can check if the cause is the DoS Filter by using your browser's Developer Tools before logging into the Zimbra Administration Console: if you can see any 503 errors then the DoS Filter has probably kicked in and is throttling the connections you are making to the Zimbra Administration Console.
In this case, you should either:
- Add your client IP to the zimbraHttpThrottleSafeIPs list (perfect if your client has a static IP address)
- Raise the number of allowed connections. According to our tests, 100 allowed connections per second should solve any loading issues (however, this depends by a number of different factors).