Create L7 DoS Profile

Multicloud Defense Gateways can monitor, detect, and remediate application layer attacks by continuously inspecting client requests to a backend web server. Layer 7 DoS attacks aim to deplete web server resources, and with them service availability, by sending a large number of HTTP requests. This feature is available when the gateway is configured to proxy inbound connections to a backend web service, and it helps maintain the availability of web based applications. Enabling it also lets the gateway provide additional protection where a frontend load balancer does not support, or is not optimized for, detecting and remediating application layer DoS attacks.

This feature can also be used to protect backend web servers hosting API services.

Procedure


Step 1

Navigate to Policies > Profiles > Layer 7 DOS.

Step 2

Select Layer 7 DOS.

Step 3

Provide a unique Profile Name.

Step 4

(Optional) Enter a Description. This may help differentiate between other profiles that may have similar names.

Step 5

Add Request Rate Limits.

Excessive requests to a resource are limited based on the following parameters. Base the values on measured traffic patterns for the web services the Layer 7 DoS profile will protect: limits set too low reject legitimate clients, and limits set too high do not stop an attack.

Parameters

URI

A relative URI that identifies the path of the resource to limit requests for. For example, to monitor and protect the resource at https://www.example.com/login.html, enter /login.html as the URI in the Request Rate Limits table.

HTTP Methods

HTTP methods can be specified per resource URI to control which HTTP methods in client requests are rate limited and which are not. You can select multiple methods from the drop-down for each row in the table. An empty HTTP Methods list means the method is not checked and the rate applies to all requests to the resource, regardless of method.

Note

The rate applies to the resource as a whole, so all methods listed in a row share the Request Rate specified in that row. For example, if the rate is 3 requests per second and GET, POST, and PUT are specified in HTTP Methods, and a single client IP sends 2 GETs and 1 POST to that URI within one second, a PUT from that client in the same second is NOT allowed.

Request Rate

The number of requests per second. It determines the rate at which a single client can send requests to the URI resource specified in the URI parameter of the rule.

Burst Size

The maximum number of simultaneous requests that a single client can send to the URI resource specified in the rule. Any requests beyond this threshold that arrive at the proxy at the same time are not sent to the backend server.

Step 6

Click Save when completed. The order of the rules matters: rules are checked from the top down by URI and the first match is applied. If a URI higher in the list covers a resource path that also contains the resources named in rules below it, the first matching rule is applied and the more specific rules below it are never reached. Place rules for specific resources (for example, /api/login) above rules for broader paths (for example, /api).
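The rate-limit semantics the procedure describes (top-down, first-match rule selection; the shared per-resource rate from the Note in Step 5; Request Rate and Burst Size; and the rule-ordering caveat in Step 6) modelled as a small Python simulation. This is an added example, not the gateway's own code. The path-prefix matching, keying by client IP, the one-second sliding window used to enforce Request Rate, and the client addresses 203.0.113.x are assumptions made for illustration.

```python
"""Illustrative model of a Layer 7 DoS profile as documented above.

Added example, not the gateway's implementation. Assumptions: a rule URI
also matches paths beneath it (prefix match), limits are tracked per client
IP, and Request Rate is enforced over a sliding one-second window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RateRule:
    uri: str                          # relative URI, e.g. "/login.html"
    request_rate: int                 # requests per second per client
    burst_size: int                   # max requests from one client at the same instant
    methods: frozenset = frozenset()  # empty => limit applies to every method


class L7DosProfile:
    def __init__(self, rules):
        self.rules = list(rules)      # order is significant: first match wins
        # (rule index, client ip) -> arrival times of requests that were forwarded
        self._history = defaultdict(deque)

    def match(self, path: str) -> Optional[int]:
        """Index of the first rule whose URI matches the path, else None."""
        for i, rule in enumerate(self.rules):
            prefix = rule.uri if rule.uri.endswith("/") else rule.uri + "/"
            if path == rule.uri or path.startswith(prefix):
                return i
        return None

    def allow(self, client_ip: str, path: str, method: str, now: float) -> bool:
        """Return True if the request may be forwarded to the backend."""
        idx = self.match(path)
        if idx is None:
            return True                          # no rule covers this resource
        rule = self.rules[idx]
        if rule.methods and method not in rule.methods:
            return True                          # method not subject to this rule
        hist = self._history[(idx, client_ip)]
        while hist and hist[0] <= now - 1.0:     # forget requests older than one second
            hist.popleft()
        if len(hist) >= rule.request_rate:       # Request Rate for this second exhausted
            return False
        if sum(1 for t in hist if t == now) >= rule.burst_size:   # Burst Size exceeded
            return False
        hist.append(now)
        return True


def demo_note_example():
    """Scenario from the Note in Step 5: rate 3/s shared by GET, POST and PUT.
    Two GETs and one POST from one client in the same second exhaust the rate,
    so a PUT in that second is refused; a method outside the list is untouched."""
    profile = L7DosProfile([RateRule("/login.html", request_rate=3, burst_size=2,
                                     methods=frozenset({"GET", "POST", "PUT"}))])
    ip = "203.0.113.10"                          # constructed client address
    return [
        profile.allow(ip, "/login.html", "GET", 10.0),
        profile.allow(ip, "/login.html", "GET", 10.2),
        profile.allow(ip, "/login.html", "POST", 10.4),
        profile.allow(ip, "/login.html", "PUT", 10.6),     # 4th in one second: refused
        profile.allow(ip, "/login.html", "DELETE", 10.7),  # not in method list: allowed
        profile.allow(ip, "/login.html", "PUT", 11.1),     # first GET aged out: allowed
    ]


def demo_burst():
    """Burst Size 2: the third request arriving at the same instant is refused
    even though Request Rate (10/s) is nowhere near exhausted."""
    profile = L7DosProfile([RateRule("/search", request_rate=10, burst_size=2)])
    ip = "203.0.113.11"                          # constructed client address
    return [profile.allow(ip, "/search", "GET", 20.0) for _ in range(3)]


def demo_rule_order():
    """Step 6 caveat: a broad /api rule placed above /api/login shadows it.
    Returns the URI of the rule selected for /api/login in each ordering."""
    shadowed = L7DosProfile([RateRule("/api", 100, 50), RateRule("/api/login", 2, 2)])
    correct = L7DosProfile([RateRule("/api/login", 2, 2), RateRule("/api", 100, 50)])
    return (shadowed.rules[shadowed.match("/api/login")].uri,
            correct.rules[correct.match("/api/login")].uri)


if __name__ == "__main__":
    print(demo_note_example())   # [True, True, True, False, True, True]
    print(demo_burst())          # [True, True, False]
    print(demo_rule_order())     # ('/api', '/api/login')
```

Because the history is keyed by client IP, one abusive source exhausting its rate does not affect other clients of the same resource; if the gateway sits behind another proxy, the client address it sees must be the real one or every client will share a single bucket.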


What to do next