Personal dashboard: Ports and protocols

Note

In the default configuration, this section of the personal dashboard is available only to users in the Administrative and Technical groups. Editing the settings is available only to users in the Technical group.

In the Ports and protocols section of the personal dashboard, you can specify the directions and volume of legitimate traffic that is expected for the IP addresses of the current service.

How it works

The data in this section is entered as a list of entries. Each entry (except IP service → ANY) contains information about one network protocol allowed. Depending on the protocol, the entry may also contain additional settings specifying the port allowed for that protocol and the traffic limit applied to it.

All inbound and outbound traffic that is not described in any entry for any of the services will be considered illegitimate and discarded when passing through Qrator Labs data scrubbing centers. See Connection: BGP for more information about BGP.

The following entry types are available:

  • ApplicationDNS

    Add such an entry if your DNS server, whose traffic you're protecting with Secure DNS from Qrator Labs, is running on the specified port. Inbound traffic to the specified port from secondary or caching DNS servers of Qrator Labs as well as response outbound traffic to the specified port will be considered legitimate. Note that adding this entry does not automatically activate the Secure DNS service. Contact Qrator Labs tech support to configure the service correctly.

    Tip

    If you're not going to use Qrator Labs Secure DNS, but want the traffic to your DNS server to be treated as legitimate, you can, instead of this entry, just add Application → TCP or Application → UDP with the required port (usually 53).

  • ApplicationHTTP

    Add such an entry if there is a web server running HTTP or HTTPS on the specified port. Traffic will be analyzed to detect attacks specific to these protocols as described in HTTP reverse proxy.

    For this entry, an additional setting Secure upstream connection is available. If the web server on the specified port works on HTTPS, enable this setting. Otherwise, leave it disabled.

  • ApplicationTCP
    ApplicationUDP

    Add one of these entries to allow inbound traffic over any protocol that runs on TCP or UDP on specific ports, as well as its corresponding response outbound traffic. With this setting, Qrator Labs data scrubbing centers will not apply to this traffic any analysis specific to higher layer protocols.

    Unlike IP service → TCP and IP service → UDP, these entries describe only user-initiated traffic. This means that inbound traffic is always allowed, but outbound traffic is only allowed when it is sent in response to inbound traffic from a user, for example, as part of a user-initiated TCP session.

    For UDP, an additional setting – Speed limit – is available. The specified limit applies separately to inbound and outbound UDP traffic on the specified port. All traffic exceeding the limit will be discarded even if the user IP address is in the whitelist.

  • IP service → (protocol)

    Add an entry specifying the particular protocol from the IP service section to allow inbound and outbound traffic using the selected protocol. The traffic protocol is determined by headers in the IP packets. All protocols described in Assigned Internet Protocol Numbers are available.

    For any protocol other than TCP, an additional setting – Speed limit – is available. The specified limit applies separately to inbound and outbound UDP traffic on the specified port. All traffic exceeding the limit will be discarded even if the user IP address is in the whitelist.

    The Speed limit setting is unavailable for TCP. Instead, outbound traffic is automatically considered legitimate within user-initiated TCP sessions.

  • IP serviceANY

    Add such an entry to allow a certain amount of inbound and outbound traffic not allowed by other entries. The Speed limit setting is available for this entry; it specifies how much unidentified traffic is considered acceptable. The same limit applies separately to unidentified inbound and outbound traffic.

    This entry is always applied last. So, only traffic that has not been described by any other entry falls into this category.

    Warning

    When describing the traffic that should be allowed for your service, it's very easy to forget about some infrequent type of inbound or outbound requests and thus accidentally block some service functionality. We recommend creating an ANY entry to compensate for such an error.

    Most often, it makes sense to create an ANY entry with a small limit, based on the assumption that in reality the volume of traffic not described by other entries will be zero. After that, guided by logs and service statistics, add new entries if necessary, describing traffic not previously provided for.

  • Other optionsFragmented IP packets

    Add such an entry to allow delivery of fragmented IP packets. This option may be necessary, for example, for some SIP protocols.

    For this entry, the Speed limit setting is available, specifying exactly how many fragmented packets are considered acceptable. The specified limit applies separately to inbound and outbound traffic.

  • Other optionsOutbound TCP

    Add such an entry to allow outbound TCP traffic. No port is specified for this entry, since outbound TCP traffic is sent from randomly selected ports.

View list of entries

To view a list of entries:

  1. In the Services section of the dashboard, select the required service.

  2. Select Ports and Services.

The page will display a list of entries, each describing a specific type of traffic allowed; see How it works.

For each entry, the following is displayed:

  • Direction of allowed traffic:

    • Inbound — User-initiated traffic is allowed
    • Outbound - Upstream-initiated traffic is allowed
    • Inbound / Outbound - Both types of traffic are allowed
  • Port and protocol of allowed traffic:

    • For entries from the Application category, the name of the allowed protocol and port number are displayed.
    • For entries from the IP service and Other options categories, the name of the allowed protocol is displayed.
  • Speed limit (only for entries for which this setting is available)

  • Upstream connection type (only for Application → HTTP entries):

    • — Unencrypted HTTP traffic is allowed
    • — Encrypted HTTPS traffic is allowed

To quickly find entries, use the filter field above the list. You can enter the following details in the filter:

  • Protocol name, e.g. TCP or DNS
  • Open port number, e.g. 80 or 53, or the ANY string
  • IP number, e.g. 47 for GRE
  • Traffic direction, e.g. input, output

Add entry

To add a new entry describing legitimate traffic, take the following steps:

  1. Go to list of ports and protocols.

  2. At the top of the page, click Add.

  3. In the drop-down lists in the dialog box that appears, select in sequence the category and type of entry you want to add. For more information on types of entries, see How it works.

  4. Depending on the selected entry type, additional settings may become available in the dialog box. In this case, set the required values for the settings.

    • Port number

      Specify the port number of the upstream on which connection will be initiated. Note that many protocols may use a different port for outbound traffic than the port on which the inbound traffic arrived. In this case, for some protocols, outbound traffic corresponding to legitimate inbound traffic also becomes legitimate. For more details on how different protocols are handled, see How it works.

    • Speed limit.

      You must set a speed limit for most types of entries. Select the unit of measure for the limit from the drop-down list: Kbps, Mbps or Gbps (the Gbps option is not available for some protocols). Then set the value by typing it into the text box or moving the slider.

    • Secure upstream connection

      This setting is only available for Application → HTTP entries. Enabling this setting means that HTTPS traffic should be allowed, not HTTP.

  5. Click Save.

  6. To save your changes, click Save in the notification at the bottom of the screen.

Change speed limit

For entries that include a speed limit, you can change this limit at any time after creating the entries.

  1. Go to list of ports and protocols.

  2. Click the speed limit you want to change.

  3. In the dialog box that appears, set the desired speed limit.

    Select the unit of measure for the limit in the drop-down list: Kbps, Mbps or Gbps (the Gbps option is not available for some protocols). Then set the value by typing it into the text box or moving the slider.

  4. Click Save.

  5. To save your changes, click the Save button in the notification at the bottom of the screen.

Delete entry

To delete a single entry:

  1. Go to list of ports and protocols.

  2. Next to the entry you want to delete, click .

  3. To save your changes, click Save in the notification at the bottom of the screen.

To delete multiple entries:

  1. Go to list of ports and protocols.

  2. Mark the entries you want to delete.

  3. Click the Delete link above the list.

  4. To save your changes, click Save in the notification at the bottom of the screen.

Configuration example

Configuration example

In this example, the client has specified the following ports and protocols: