|This article applies to the following ZCS versions.|
DoSFilter Throttling Mechanism
The denial-of-service filter or DoSFilter was added to the mailbox server in ZCS 8.0 to throttle clients sending a large number of requests over a very short period of time. The DoSFilter is applied to all requests for service, mailbox and admin. This feature was added with the completion of bug 66921.
DoS filtering is enabled by default once ZCS 8 is installed. It may be necessary to adjust the configuration to accommodate specific environmental needs. Disabling DoSFilter is not recommended.
Identifying False Positives
It is possible for clients such as Zimbra Connector for Outlook (ZCO), mobile ActiveSync, zmprov, etc. to trigger the DoSFilter. To the client, the Zimbra mailbox service is unavailable. DoSFilter can be identified on the server in the following ways:
2013-01-15 15:52:20,426 WARN [qtp1635701107-91:https://10.10.0.54:443/Microsoft-Server-ActiveSync?User=zsupport2&DeviceId=Appl5K0113UN3NR&DeviceType=iPhone&Cmd=FolderSync][email@example.com;mid=64;ip=18.104.22.168;Cmd=FolderSync;DeviceID=Appl5K0113UN3NR;Version=12.1;] sync - Service exception com.zimbra.common.service.ServiceException: error while proxying request to target server: HTTP/1.1 503 Service Unavailable ExceptionId:qtp1635701107-91:https://10.10.0.54:443/Microsoft-Server-ActiveSync?User=zsupport2&DeviceId=Appl5K0113UN3NR&DeviceType=iPhone&Cmd=FolderSync:1358286740426:c5ca7f36bb0a038f Code:service.PROXY_ERROR Arg:(url, STR,"http://mail.domain.com:80/service/soap/SyncRequest")
2013-01-15 15:57:32.537:WARN:oejs.DoSFilter:DOS ALERT:ip=127.0.1.1,session=null,user=null
The configuration attributes zimbraHttpDosFilterDelayMillis, zimbraHttpDosFilterMaxRequestsPerSec and zimbraHttpThrottleSafeIPs. Each attribute is server inherited from global or is configurable at the sever level. Our recommendation is to preserve the default configuration whenever possible.
DoSFilter Delay (milliseconds) - zimbraHttpDosFilterDelayMillis
Delay imposed on all requests over the rate limit, before they are considered at all. -1 = Reject request, 0 = No delay, any other value = Delay in ms. The default is -1.
To modify in the global configuration; e.g. set the delay to 20ms:
zmprov mcf zimbraHttpDosFilterDelayMillis 20
DoSFilter Maximum Requests Per Second - zimbraHttpDosFilterMaxRequestsPerSec
Maximum number of requests from a connection per second. Requests in excess of this are throttled. The default is 30 and the minimum is 1.
To set the maximum number for requests in the global configuration:
zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 100
DoSFilter IP Addresses Whitelist - zimbraHttpThrottleSafeIPs
IP addresses to ignore when applying Jetty DosFilter. This attribute does not have a default value, however these loopback IPs are whitelisted by default:
IP addresses should be supplied in the multi-valued zimbraHttpThrottleSafeIPs attribute. CIDR notation can be used. To modify:
zmprov mcf zimbraHttpThrottleSafeIPs 10.1.2.3 zimbraHttpThrottleSafeIPs 192.168.4.5 zimbraHttpThrottleSafeIPs 192.168.1.0/24
or to append to an existing list of multi-valued zimbraHttpThrottleSafeIPs
zmprov mcf +zimbraHttpThrottleSafeIPs 10.1.2.3 zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.4.5 zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.1.0/24
Mailbox server restart
A mailbox server restart is required when modifying these attributes.
Tuning Considerations - 8.0.3 and later
ZCS Member Servers
ZCS servers under the control of a single master LDAP server are automatically whitelisted by IP address. These hosts are discovered using a GetAllServersRequest call; i.e., zmprov gas.
External Provisioning Hosts/SOAP API
External provisioning hosts may be added to the IP whitelist to ensure DoSFilter does not block some requests. For example, a mailbox reindex may make several calls per second that can trigger DoSFilter.
ZCS 8.0.0 - 8.0.2
See this link on the Zimbra forums for information on configuring DoSFilter for ZCS 8 versions prior to 8.0.3.