Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)
Managed WAF Start at $99

Under the hood of Behavioural DDOS Protection

Posted DateAugust 9, 2021
Posted Time 4   min Read

Blog Series 2 out of 2

In the last blog, we saw why static rate limits do not work and why behavioural DDOS is required.

Now, let’s investigate how these policies work. As mentioned, when a site is onboarded, there are 3 policies that are configured by default. We call them System defined Protection policies-

Host level Policy: 

This is an informational policy that will notify when requests goes beyond a certain level. By default, it is configured to trigger when requests go above 200% of normal max. Max is the maximum requests seen on the application in a minute in last 7 days. This max is calculated every day and adjusted based on application behaviour. So if there is natural variance in the site, it will automatically be accounted for and tuned. By default, notification goes to the website admin and if website admin is not configured then mail is sent to super admin.

This is a good informational level settings that can be used as early warning on increase on load to the system. It should be noted that this does not block any requests at any point, it just tells you that considering the site behaviour in 7 days, the request volume seems to be unusual. It can be used for automating scaling of origin. This notification is also shared to Indusface managed service team who will monitor the site traffic and see if any further action are required.

IP Level Policy. 

This policy is a IP level behaviour rate limiting rule. By default, policy is configured to block requests from an IP if the volume of requests from that IP is more than 200% of last 7 days maximum of any IP. For example, suppose the application normal max seen is 100 requests per minute, and all of a sudden  we see 200 requests in a minute  from 1 particular IP then it will be blocked.

Get URI-Based DDoS Protection for your Applications

This IP level policy will only apply when the requests do not honour cookies and requests are not tracked at a session level. So if there are 1000 requests from an IP, but 800 requests honour cookies then those requests are not considered in the IP level policy. By default these are configured to block and notify website admin. This can be changed as per customers need.

Session Level Policy.

For requests which honour cookies, session level rate limits will be applied. Here, the default configuration is to block if number of requests from a session increases beyond 150% of last 7 days maximum. If typically a user sends 20 requests per minute but all of sudden starts sending 31 requests per minute then they will be blocked.

Session rules and IP rules work together, one is not a replacement of another , both should be enabled for an application to get maximum protection.

User Configurations:

Users are provided various controls.

  • Users can also create new policies at any level, IP, session or host level. This is essentially for users to configure multiple level of alerts and actions. So customer can choose to be alerted when requests go 120% of max of last 7 days and block at 150% giving additional controls to customer.
  • Users can
    • Change the settings and configure when the policies should be triggered. 2 options are available
      • By Formula (Recommended)
        • Set % above (Max or Median) of last 7 days when the policy should be triggered
      • By Value
        • Set static value at which rate limit should be triggered.
      • Change the person who should be notified when policies are triggered
        • More than 1 email address can be configured.
      • Change the action to be taken on the policies
        • No action – typically used with notify option
        • Log
        • Block ( Block option is not available for host level policy)
      • Disable any system configured policy
      • Delete any user defined policy.

Additional Behaviours: 

  • If block is configured, the IP/session will be blocked for 2 minutes.
  • If attack continues, the block will be extended until AppTrana does not see any request from the IP/session for a 2 minute period.
  • If notification is triggered for an IP/session/host , then notification won’t be repeated for next 10 minutes for same IP/session/host. So notification will be sent every 10 minutes while attack continues.
  • The max /median values for any level (IP/session/host) are adjusted every 24 hours. So any changes in a particular day will reflect the next day

This is a very user friendly effective feature that would help customers block DDOS effectively. This is just a start and we will be adding more features, controls and actions that will enable even more granular configuration of DDOS protection.

Read Blog Series 1 out of 2

Best Application Security Service Provider

Spread the love

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

DDoS Mitigation – Why Your Traditional Security Fails?

DDoS attacks are among the most rapidly advancing type of cybercrime. Traditional DDoS mitigation is not enough to counter these attacks. Why is it so, and what is the way forward?

Spread the love

Read More
Application DDoS Protection Solution
Introducing Fully Managed Behavioural Application DDOS Protection Solution.

To accomplish complete DDoS protection, the best possible solution is a cloud WAF like AppTrana that has behavioral application DDoS protection capacity.

Spread the love

Read More


Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Know More Take Free Trial


Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!