Configuring Global Denial of Service Policy

Edit online

About this task

You can configure this policy in API Gateway to prevent Denial of Service (DoS) attacks. One form of DoS attack occurs when a client floods a server with many requests in an attempt to interfere with server processing. Using API Gateway, you can limit the number of requests that API Gateway accepts within a specified time interval and the number of requests that it can process concurrently. By specifying these limits, you can protect API Gateway from DoS attacks.

You can configure API Gateway to limit the total number of incoming requests from the external ports. For example, you might want to limit the total number of requests received to 1000 requests in 10 seconds, and limit the number of concurrent requests to 100 requests in 10 seconds. When API Gateway detects that a limit has been exceeded, it blocks the exceeding requests for a specific time interval and displays an error message to the client based on your configuration. You can also configure a list of trusted IP addresses so that the requests from these IP addresses are always allowed and not blocked.

To configure global denial of service policy

Procedure

  1. Click Policies in the title navigation bar.
  2. Select Threat protection > Global denial of service.
  3. Set the Enable button to the On position to enable the policy.
  4. Type the maximum number of requests, in the Maximum requests field, that API Gateway can accept from any IP address in a given time interval.
  5. Specify time in seconds, in the In (seconds) field, in which the maximum requests have to be processed.
  6. Type the maximum number of concurrent requests, in the Maximum requests in progress field, that API Gateway can process concurrently.
  7. Specify the time in minutes, in the Block intervals (minutes) field, for which you want requests to be blocked.
  8. Type the alert message text, in the Error message field, to be displayed when the policy is breached.
  9. Add IP addresses, in the Trusted IP addresses field, that can be trusted and are always allowed.
    • API Gateway supports IPv4 and IPv6 addresses in the trusted IP addresses lists.
    • You can specify a range of IP addresses using the classless inter-domain routing (CIDR) notation. To specify an IP address range, type the first IP address in the range followed by a forward slash (/) and a CIDR suffix.

      Example IPv4 address range:

      • 192.168.100.0/22 represents the IPv4 addresses from 192.168.100.0 to 192.168.103.255
      • 148.20.57.0/30 represents the IPv4 addresses from 148.20.57.0 to 148.20.57.3

      Example IPv6 address range:

      • f000::/1 represents the IPv6 addresses from f000:: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
      • 2001:db8::/48 represents the IPv6 addresses from 2001:db8:0:0:0:0:0:0 to 2001:db8:0:ffff:ffff:ffff:ffff:ffff.
    Click to add more than one IP address.
  10. Click Save.