Configuring Denial of Service by IP Policy

Edit online

About this task

You can configure this policy in API Gateway to prevent Denial of Service (DoS) attacks. One form of DoS attack occurs when a particular client floods a server with many requests in an attempt to interfere with server processing and not letting other clients in accessing the server. Using Denial of Service (DoS) by IP policy, you can limit the number of requests that API Gateway accepts from a particular IP address within a specified time interval and the number of requests that it can process concurrently from any IP address. By specifying these limits, you can protect API Gateway from DoS attacks by a particular IP address. When API Gateway detects that a limit has been exceeded, it blocks or denies the requests from that particular IP address and displays an error message to the client based on your configuration. You can also configure a list of trusted IP addresses so that the requests from these IP addresses are always allowed and not denied.
Note:

When you configure a load balancer, you need to insert the XFF headers on the load balancer to track the actual client IP address. When you use Load Balancer for high availability between the API Gateway instances, by default for all the incoming request, the source IP address will be the load balancer's IP address instead of the actual client IP address. In such scenario, when the Denial of Service by IP policy is enforced, all incoming requests will be denied irrespective of the problematic client. So, to prevent DoS attack from a problematic client, you need to consider the XFF headers that are inserted on the load balancer. This is achieved by setting watt.server.enterprisegateway.ignoreXForwardedForHeader property to false. When this setting is configured, the incoming request header will have the XFF header and tracks actual client IP address, which in turn allows you to configure DoS by IP.

To configure the denial of service by IP policy

Procedure

  1. Click Policies in the title navigation bar.
  2. Select Threat protection > Denial of service by IP.
  3. Set the Enable button to the On position to enable the policy.
  4. Type the maximum number of requests, in the Maximum requests field, that API Gateway can accept from a specific IP address in a given time interval.
  5. Specify time in seconds, in the In (seconds) field, in which the maximum requests have to be processed.
  6. Type the maximum number of requests, in the Maximum requests in progress field, that API Gateway can process concurrently from any single IP address.
  7. Select one of the following actions to be taken when the number of requests from a non-trusted IP address exceeds the specified limits:
    • Add to deny list to permanently deny future requests from the IP address.
    • Block temporarily block requests from this IP address.
  8. Type the alert message text, in the Error message field, to be displayed when the policy is breached.
  9. Add IP addresses, in the Trusted IP Addresses field, that can be trusted and not blocked.
    • API Gateway supports IPv4 and IPv6 addresses in the trusted IP addresses lists.
    • You can specify a range of IP addresses using the classless inter-domain routing (CIDR) notation. To specify an IP address range, type the first IP address in the range followed by a forward slash (/) and a CIDR suffix

      Example IPv4 address range:

      • 192.168.100.0/22 represents the IPv4 addresses from 192.168.100.0 to 192.168.103.255
      • 148.20.57.0/30 represents the IPv4 addresses from 148.20.57.0 to 148.20.57.3

      Example IPv6 address range:

      • f000::/1 represents the IPv6 addresses from f000:: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
      • 2001:db8::/48 represents the IPv6 addresses from 2001:db8:0:0:0:0:0:0 to 2001:db8:0:ffff:ffff:ffff:ffff:ffff.
    Click to add more than one IP address.
  10. Click Save.