Blog Series 2 out of 2
In the last blog, we saw why static rate limits do not work and why behavioural DDoS protection is required.
Now let us look at how these policies work. As mentioned, when a site is onboarded, three policies are configured by default. We call them System-defined Protection policies:
Host level Policy:
This is an informational policy that notifies you when the request rate goes beyond a certain level. By default, it triggers when the requests in a minute exceed 200% of the normal max. The max is the highest number of requests seen on the application in any single minute over the last 7 days. It is recalculated every day and adjusted to the application's behaviour, so natural variance in the site's traffic is automatically accounted for and tuned out. By default, the notification goes to the website admin; if no website admin is configured, the mail is sent to the super admin.
This is a useful informational setting that serves as an early warning of increasing load on the system. Note that it never blocks any request; it only tells you that, given the site's behaviour over the last 7 days, the current request volume is unusual. It can be used to automate scaling of the origin. The notification is also shared with the Indusface managed service team, who monitor the site traffic and decide whether any further action is required.
IP Level Policy:
This policy is an IP-level behavioural rate limiting rule. By default, it blocks requests from an IP when the number of requests from that IP in a minute exceeds 200% of the highest per-minute count seen from any single IP in the last 7 days. For example, if the most any one IP has sent in the last 7 days is 100 requests per minute, and one IP suddenly sends more than 200 requests in a minute, that IP will be blocked.
The IP level policy applies only to requests that do not honour cookies and therefore cannot be tracked at the session level. If an IP sends 1000 requests in a minute but 800 of them honour cookies, those 800 are not counted against the IP level policy; only the remaining 200 are. By default the policy is configured to block and notify the website admin; this can be changed to suit the customer's needs.
Session Level Policy:
For requests that honour cookies, session level rate limits apply. The default configuration blocks a session when its number of requests in a minute exceeds 150% of the highest per-session count seen in the last 7 days. If sessions typically peak at 20 requests per minute and one session suddenly sends 31 requests in a minute, it will be blocked.
Session rules and IP rules work together; neither replaces the other, and both should be enabled for an application to get maximum protection.
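To make the three policies concrete, here is a small Python model of the logic described above. This is an added illustration written for this page, not Indusface's or AppTrana's implementation: the 200%/200%/150% thresholds and the "highest requests per minute in the last 7 days" baseline follow the post, while the Request record, the constructed traffic, the choice to build the IP baseline from cookie-less traffic only, and the rule that a zero (not yet learned) baseline never fires are assumptions made for the example.

```python
"""Worked model of the host, IP and session behavioural policies.

Added illustration, not Indusface/AppTrana code. Thresholds and the 7-day
per-minute-maximum baseline follow the post; the Request record, the
constructed traffic, the cookie-less-only IP baseline and the "zero
baseline never fires" rule are assumptions made for this example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Callable, Hashable, Iterable, Optional

WINDOW_MINUTES = 7 * 24 * 60   # baseline window: the last 7 days, in minute buckets
HOST_FACTOR = 2.0              # notify above 200% of the host baseline (never blocks)
IP_FACTOR = 2.0                # block an IP above 200% of the per-IP baseline
SESSION_FACTOR = 1.5           # block a session above 150% of the per-session baseline


@dataclass(frozen=True)
class Request:
    minute: int                    # minute bucket the request fell into
    ip: str
    session: Optional[str] = None  # cookie-backed session id; None if the client ignores cookies


def per_minute_max(requests: Iterable[Request], key: Callable[[Request], Hashable]) -> int:
    """Highest number of requests seen in any single minute for any single key."""
    counts = Counter((r.minute, key(r)) for r in requests)
    return max(counts.values(), default=0)


def baseline(history: Iterable[Request], now_minute: int) -> dict:
    """Recompute the three baselines over the last 7 days (the post says this runs daily).

    Host: all requests. IP: cookie-less requests only, grouped by IP (assumption:
    the IP policy only ever sees such requests). Session: cookie-backed requests,
    grouped by session id.
    """
    window = [r for r in history if now_minute - WINDOW_MINUTES <= r.minute < now_minute]
    return {
        "host": per_minute_max(window, lambda r: "host"),
        "ip": per_minute_max((r for r in window if r.session is None), lambda r: r.ip),
        "session": per_minute_max((r for r in window if r.session is not None), lambda r: r.session),
    }


def exceeds(count: int, base: int, factor: float) -> bool:
    """Fire only once a baseline exists; a brand-new site (baseline 0) would otherwise block everyone."""
    return base > 0 and count > factor * base


def evaluate_minute(current: list[Request], base: dict) -> dict:
    """Apply the three policies to one minute of traffic."""
    ip_counts = Counter(r.ip for r in current if r.session is None)  # cookie-less requests only
    sess_counts = Counter(r.session for r in current if r.session is not None)
    return {
        "host_requests": len(current),
        "notify_host": exceeds(len(current), base["host"], HOST_FACTOR),
        "blocked_ips": sorted(ip for ip, n in ip_counts.items() if exceeds(n, base["ip"], IP_FACTOR)),
        "blocked_sessions": sorted(
            s for s, n in sess_counts.items() if exceeds(n, base["session"], SESSION_FACTOR)
        ),
    }


def burst(minute: int, ip: str, n: int, session: Optional[str] = None) -> list[Request]:
    """Constructed traffic: n requests from one client within one minute."""
    return [Request(minute, ip, session) for _ in range(n)]


def demo() -> dict:
    """Constructed scenario: learned maxima of 70/min (host), 50/min (one IP), 20/min (one session)."""
    history = (
        burst(1, "10.0.0.1", 50) + burst(1, "10.0.0.2", 20, "s1")    # minute 1: 70 requests in total
        + burst(2, "10.0.0.3", 30) + burst(2, "10.0.0.4", 10, "s2")  # minute 2: 40 requests in total
    )
    base = baseline(history, now_minute=3)
    current = (
        burst(3, "203.0.113.9", 101)            # 101 > 2 x 50: blocked at IP level
        + burst(3, "203.0.113.10", 100)         # exactly 200%: not blocked
        + burst(3, "198.51.100.5", 31, "s3")    # 31 > 1.5 x 20: session blocked
        + burst(3, "198.51.100.6", 30, "s4")    # exactly 150%: not blocked
        + burst(3, "198.51.100.7", 80, "s5")    # one IP, 110 requests in total...
        + burst(3, "198.51.100.7", 30)          # ...but only the 30 cookie-less ones count at IP level
    )
    return {"baseline": base, "decision": evaluate_minute(current, base)}


if __name__ == "__main__":
    from pprint import pprint

    pprint(demo())
```

Running `demo()` shows the interaction the post describes: 198.51.100.7 sends 110 requests in the minute, but since 80 of them honour cookies it stays under the IP threshold, while its session s5 is caught by the session policy; the two clients sitting exactly at 200% and 150% are not blocked, because the rule is "more than", and the host policy only raises a notification even though the minute's total (372) is far above twice the learned 70.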
User Configurations:
Users are provided various controls.
Additional Behaviours:
This is a user-friendly and effective feature that helps customers block DDoS attacks. It is just a start; we will be adding more features, controls and actions that allow even more granular configuration of DDoS protection.
This post was last modified on January 1, 2024 19:45