The purpose of load control is to help keep Tectia Server for IBM z/OS running when the load is high (that is, the number of current connections is near the maximum allowed number of connections). High load might be caused by a connection flood denial-of-service attack that tries to make the server unavailable to its intended users by using so much of its resources that normal service is disrupted.
Load control is implemented by keeping a "white list" of the IP addresses of connections that have had a successful authentication. When Tectia Server for IBM z/OS starts, the white list is empty. When the server's load is high, connections from IP addresses that are not on the white list (that is, connections that have not recently had a successful authentication) are discarded.
Load control uses four configuration variables in the
It is recommended to set
The level of load is measured by how near the number of the server's current connections is to
MaxConnections, the maximum number of connections that the server will handle simultaneously. The argument for
MaxConnections is a positive number. The default value is
1000, and the value
0 (zero) means that the number of connections is not limited.
MaxConnections must be greater than 1 when load control is used.
LoadControl.Active can have a value of
no. The default value is
no (load control is disabled). To enable load control, set
When the number of concurrent connections is greater than
LoadControl.DiscardLimit, connections from IP addresses that have not recently had a successful authentication are discarded. When the number of concurrent connections is not greater than
LoadControl.DiscardLimit, connections are accepted from any IP address (subject to restrictions defined with
DenyHosts). The allowed value range of
LoadControl.DiscardLimit is from
MaxConnections-1. The default value is 90 percent of the value of
MaxConnections. If you have not defined any configuration settings (that is, only
sshd2_config default values are used), the value of
Tectia Server for IBM z/OS keeps a list of the IP addresses of connections that have had a successful authentication. This "white list" has space for a fixed number of unique IP addresses, specified by
LoadControl.WhitelistSize. The default value of
LoadControl.WhitelistSize is 1000.