L7 DoS (L7 Denial of Service)
Layer 7 DoS
Layer 7 DoS attacks aim to exhaust web server resources, and with them the availability of the service, by sending large volumes of HTTP requests. The Layer 7 DoS feature of the Valtix Gateways monitors, detects and remediates such application-layer attacks by continuously tracking client requests to a backend web server. It is available only when the Gateways are deployed to proxy inbound connections to the backend web service. Enabling it also adds defense in depth where a frontend load balancer does not support, or is not tuned for, detecting and mitigating application-layer DoS attacks.
The feature can be applied to backend web services to keep browser-facing web applications available, and equally to backend web servers hosting API services.
Create L7DoS Profile
- Navigate to Manage -> Profiles -> Web Protection
- Click Create Protection Profile
- Select Layer 7 DOS
- Provide a name and description
- Add Request Rate Limits
Limiting excessive requests to a resource is based on the parameters below. Set their values from measured traffic patterns of the web services you intend to protect with the Layer 7 DOS option: a limit below normal peak traffic drops legitimate requests, while one far above it will not stop an attack.
Parameters
| Parameter | Description |
|---|---|
| URI | A relative URI giving the path of the resource whose requests are limited. For example, to monitor and protect the resource at https://www.example.com/login.html, enter /login.html as the URI in the Request Rate Limits table. |
| HTTP Methods | One or more HTTP methods, selected from the drop-down for each row, that restrict which client requests to the URI are counted against the rate; requests using methods not listed are not rate limited. An empty method list means the method is ignored and the rate applies to all requests to the resource. Note: the rate is applied per resource, so every method listed in a row shares that row's Request Rate. For example, if the rate is 3 requests per second, GET, POST and PUT are listed, and a single client IP sends 2 GETs and 1 POST to the URI within the same second, a PUT from that client in that same second will NOT be allowed. |
| Request Rate | The number of requests per second that a single client, identified by its source IP address, may send to the URI resource named in the rule. Because the budget is keyed on client IP, many users behind one NAT gateway or forward proxy share a single budget; size the rate with that in mind. |
| Burst Size | The maximum number of simultaneous requests a single client may send to the URI resource named in the rule. Requests beyond this threshold that arrive at the proxy at the same time are not forwarded to the backend server. |
- Click Save when completed.
Tech Notes
Rule order matters. Rules are evaluated from the top down and the first rule whose URI matches the request is applied. If a URI higher in the list covers a resource path that also appears in a rule below it, the higher rule is applied and the lower, more specific rule is never reached; list specific resource paths above broader ones.
Example
Two (2) web service resources are protected:
- /login.html is limited to a smaller rate and burst size; GET and POST share that rate as explained above, and all other methods are allowed without any rate limiting.
- /index.html is limited to a larger rate and burst size, and only GET requests are rate limited.
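To make the rate, burst, shared-method and rule-ordering semantics above concrete, here is an added Python simulation. It is constructed for this page and is not Valtix Gateway code; where the page does not state how a limit is enforced, the simulation makes an assumption and says so in the docstring (URI matching by path prefix, a fixed one-second window for Request Rate, and identical arrival timestamps as "simultaneous" for Burst Size). It encodes the two-resource example plus a broad "/" rule and runs a constructed request log through it.

```python
"""Simulation of the Layer 7 DoS request-rate-limit semantics described above.

Constructed example for illustration, not Valtix Gateway code. It models the
documented behaviour:
  * rules are evaluated top down; the first rule whose URI matches applies
  * Request Rate is a per-second budget per client IP, shared by every HTTP
    method listed in the rule; an empty method list counts all methods
  * Burst Size caps how many requests from one client to the resource may
    arrive at the same instant
Assumptions the page does not state (chosen here for the simulation): URI
matching is by path prefix, the rate is a fixed one-second window, and
"arriving at the same time" means identical arrival timestamps.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RateRule:
    uri: str              # relative URI, e.g. "/login.html"
    methods: frozenset    # empty -> every method counts against the rate
    rate: int             # Request Rate: requests per second per client IP
    burst: int            # Burst Size: simultaneous requests per client IP

    def matches(self, path: str) -> bool:
        return path.startswith(self.uri)   # prefix match is an assumption


@dataclass
class L7DosProfile:
    rules: list
    # (client_ip, rule index, second) -> requests counted in that second
    _per_second: dict = field(default_factory=lambda: defaultdict(int))
    # (client_ip, rule index, exact arrival time) -> simultaneous requests
    _simultaneous: dict = field(default_factory=lambda: defaultdict(int))

    def first_match(self, path: str):
        """Top-down, first-match rule selection (see Tech Notes)."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(path):
                return idx, rule
        return None, None

    def check(self, t: float, client_ip: str, method: str, path: str) -> str:
        idx, rule = self.first_match(path)
        if rule is None:
            return "forward"                # no rule for this path
        if rule.methods and method not in rule.methods:
            return "forward"                # method not listed: never counted
        sec_key = (client_ip, idx, math.floor(t))
        sim_key = (client_ip, idx, t)
        if self._per_second[sec_key] >= rule.rate:
            return "drop:rate"
        if self._simultaneous[sim_key] >= rule.burst:
            return "drop:burst"
        self._per_second[sec_key] += 1
        self._simultaneous[sim_key] += 1
        return "forward"


LOGIN = RateRule("/login.html", frozenset({"GET", "POST"}), rate=3, burst=2)
INDEX = RateRule("/index.html", frozenset({"GET"}), rate=10, burst=5)
ROOT = RateRule("/", frozenset(), rate=1, burst=1)   # broad rule for the ordering demo

# Constructed request log: (arrival time, client IP, method, path)
REQUESTS = [
    (1.0, "10.0.0.5", "GET", "/login.html"),
    (1.0, "10.0.0.5", "GET", "/login.html"),
    (1.2, "10.0.0.5", "POST", "/login.html"),   # 3rd counted request this second
    (1.5, "10.0.0.5", "PUT", "/login.html"),    # PUT is not listed: not limited
    (1.5, "10.0.0.5", "GET", "/login.html"),    # 4th GET/POST this second: over rate
    (1.5, "10.0.0.9", "GET", "/login.html"),    # other client, own budget
    (2.0, "10.0.0.5", "GET", "/login.html"),    # new second, budget refreshed
    (3.0, "10.0.0.7", "GET", "/login.html"),
    (3.0, "10.0.0.7", "GET", "/login.html"),
    (3.0, "10.0.0.7", "POST", "/login.html"),   # within rate, but 3rd simultaneous
    (4.0, "10.0.0.5", "POST", "/index.html"),   # only GET is limited on /index.html
    (4.0, "10.0.0.5", "GET", "/status"),        # no rule: forwarded untouched
]


def run(profile: L7DosProfile, requests) -> list:
    return [profile.check(*req) for req in requests]


def shadowing_demo(specific_first: bool):
    """Which rule two GET /login.html requests hit, depending on rule order."""
    rules = [LOGIN, ROOT] if specific_first else [ROOT, LOGIN]
    profile = L7DosProfile(rules)
    _, matched = profile.first_match("/login.html")
    verdicts = [profile.check(5.0, "10.0.0.5", "GET", "/login.html"),
                profile.check(5.5, "10.0.0.5", "GET", "/login.html")]
    return matched.uri, verdicts


if __name__ == "__main__":
    for req, verdict in zip(REQUESTS, run(L7DosProfile([LOGIN, INDEX]), REQUESTS)):
        print(f"{req[0]:>4} {req[1]:<9} {req[2]:<4} {req[3]:<12} -> {verdict}")
    print("broad rule first:   ", shadowing_demo(False))
    print("specific rule first:", shadowing_demo(True))
```

Running it shows the fifth request dropped on rate (2 GETs and 1 POST already used the shared budget for that second), the tenth dropped on burst while still within the rate, PUT on /login.html and POST on /index.html passing untouched, and, in the ordering demo, the broad "/" rule with rate 1 shadowing the /login.html rule whenever it is listed above it.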
Service Object Association
Once the Layer 7 DOS Protection Profile has been created, associate it with the ReverseProxy Service Object that represents the listener and the connection to the backend server address, so that the Gateway enforces the profile on the connections it proxies through that Service Object.
Associate Profile with a Policy Rule
See the Policy Rules documentation to create or edit the Policy Rule that references the Service Object.