Behavioral DDoS Protection

Introduction

 

Distributed Denial of Service (DDoS) attacks pose a significant threat to online services by flooding networks with malicious traffic, disrupting access for legitimate users. These attacks not only hinder user experience but can also inflict severe damage on an organization’s reputation and operational efficiency.  

To combat this growing threat, we have developed various DDoS protection policies aimed at effectively filtering out harmful traffic and safeguarding web applications.

 

Types of Policies 

 

There are two different types of DDoS policies:

  • System Defined Policies - These are predefined policies created by the system based on the parameters Host and IP. Customers can configure the policy.
  • User Defined Policies - These policies are created by customers based on their preferences.

 

Overview 

 

  • Go to WAAP > DDoS Policies
  • Users can view the total number of DDoS policies, system defined policies, and user defined policies.  
  • Additionally, the section displays the most recent actions taken by the customer, along with a timestamp indicating how many days ago these actions were performed.

 

System Defined DDoS policies 

 

Navigate to WAAP > List of Rules and Policies > DDoS Policies

The table below describes the policy details, listed as parameter and description.

  • Name: This field displays the subdomain.
  • Protection Level: The system defined DDoS policies are applied to all countries.
  • Policy Type: There are two policy types in system defined policies: Host Rate Limiting and IP Rate Limiting.
  • Rate Limiting: Rate limiting is set based on: limit requests per host per minute; limit requests per IP per minute.
  • Last 24h / Last 7 days: The number of attacks identified after the policy is triggered.
  • Action: There are three different actions: Log Only, Log and Block, and Add Captcha challenge.
  • Enable: A toggle switch is given to enable or disable the policy.
  • Configure: The Configure button allows users to edit the system defined policy.

 

 

 

Configure IP Based System Defined Policy

 

  • Click the Configure button in the IP based system defined policy.
  • By default, the name is displayed as the website name followed by "IP rate limiting policy". Example: developement.application.net IP rate limiting policy
  • By default, the severity is displayed as Critical.
  • Follow the three steps to set the rate limit.

Step 1:

This step is configured by default for system defined policies. This field cannot be edited by users.

 

Step 2:

  • Number of requests with cookie/IP: The count of requests made by a specific IP address including a valid cookie over a specific period. Note: Whether the requests come from the same IP or from different IPs, an IP that exceeds the rate limit is automatically blocked for the selected block duration (TTL).
  • Number of requests without cookie/IP: The count of requests made by a specific IP without a valid cookie.
  • Number of cookies/IP: The number of cookies allowed per IP, irrespective of the cookies count.

Set the rate limit by entering a numeric value or percentage value.

 

Step 3:  

Two different actions are provided here. Additionally, customers can set the block duration and use the notification email field to add their email address to receive the updates.

  • Log Only - An email will be sent to the customer when the policy is breached. No further action will be taken even if requests continue to be received from the same IP.
  • Log and Block - An email will be sent to the customer when the policy is breached. It blocks further requests for the selected block duration.

Block Duration:

By default, a 2-minute block duration is set for all customers. Use the up-down arrows to increase or decrease the block duration.

Notify to Email ID:

Customers can get the executed action details in their mailbox by providing a valid email address.
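The following added example (not the product's own code) models the IP rate limiting policy described in Steps 2 and 3: three per-IP counters, the Log Only and Log and Block actions, and the block duration. The class and function names, the one-minute counting window, the numeric thresholds and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class IPPolicy:
    max_with_cookie: int            # requests with a valid cookie, per IP per window
    max_without_cookie: int         # requests without a valid cookie, per IP per window
    max_cookies: int                # distinct cookies seen from one IP per window
    action: str = "log_and_block"   # or "log_only"
    block_seconds: int = 120        # the page's default block duration (2 minutes)
    window_seconds: int = 60        # assumption: counters reset every minute

class IPRateLimiter:
    def __init__(self, policy):
        self.policy = policy
        self.windows = {}        # ip -> [window_start, with_cookie, without_cookie, cookies]
        self.blocked_until = {}  # ip -> time at which the block (TTL) expires
        self.breaches = []       # (time, ip, counter) entries that would trigger the email

    def handle(self, ts, ip, cookie=None):  # returns "allow" or "block" for one request
        p = self.policy
        if ts < self.blocked_until.get(ip, 0):
            return "block"                       # still inside the block duration
        w = self.windows.get(ip)
        if w is None or ts - w[0] >= p.window_seconds:
            w = self.windows[ip] = [ts, 0, 0, set()]
        if cookie:
            w[1] += 1
            w[3].add(cookie)
        else:
            w[2] += 1
        if w[1] > p.max_with_cookie:
            counter = "requests_with_cookie"
        elif w[2] > p.max_without_cookie:
            counter = "requests_without_cookie"
        elif len(w[3]) > p.max_cookies:
            counter = "cookies_per_ip"
        else:
            return "allow"
        self.breaches.append((ts, ip, counter))
        if p.action == "log_only":
            return "allow"                       # breach recorded, traffic untouched
        self.blocked_until[ip] = ts + p.block_seconds  # assumption: TTL starts at the breach
        del self.windows[ip]
        return "block"

# Constructed traffic: (time in seconds, source IP, cookie or None).
FLOOD = [(t, "203.0.113.5", None) for t in (0, 1, 2, 60, 122)]

def replay(policy, events):
    limiter = IPRateLimiter(policy)
    return [limiter.handle(*e) for e in events], limiter.breaches
```

Replaying the same traffic under both actions shows the operational difference: Log Only records the breach but never sheds load, while Log and Block refuses the source until the block duration expires.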


Display Chart for IP Based System Defined Policy 

 

The chart displays the number of requests with cookie/IP, without cookie/IP, and number of cookies/IP.   

 

Configure Host Based System Defined DDoS Policy 

 

  • Click the Configure button in the Host based system defined policy.
  • By default, the name is displayed as the website name followed by IP rate limiting policy. Example: developement.application.net app rate limiting policy
  • By default, the severity is displayed as Low.

 

Follow the three steps to set the rate limit. 

Step 1: This step is configured by default for system defined policies. This field cannot be edited by users.

 

Step 2:  

  • Number of requests/Minute: If the number of requests exceeds the defined threshold value, then the policy triggers automatically.
  • Number of IPs/Minute: If the number of IPs exceeds the defined threshold value, then the policy triggers automatically.

Set the rate limit by entering a numeric value or percentage value.

  

Step 3: Once the rate limit is set successfully, the details will be sent to the email ID provided by the customer.

 

Display Chart for Host Based System Defined Policy

 

The chart displays the total number of requests and total number of IPs.   

 

User Defined DDoS Policies 

 

User defined protection policies allow customers to create their own policies and provide more access to DDoS protection.

  1. Go to User Defined Policies > Add Policy
  2. Select either Host rate limiting policy or IP rate limiting policy.
  3. Enter the policy name.
  4. Select the countries that you want to allow and the severity.
  5. For a host rate limiting policy, set the rate limit for the number of IPs and the number of requests.
  6. For an IP rate limiting policy, set the rate limit for the number of requests with cookies, requests without cookies, and the number of cookies.
  7. Also enter the email address to receive the policy updates.

     While creating an IP rate limiting policy, select the action.

     For customers with OpenResty architecture, if the threshold value is breached, a captcha challenge will pop up.

  8. Once the policy is created successfully, the Configure button allows customers to edit the policy.

 
 

 
