Configuring denial of service by IP policy

Configure this policy in webMethods API Gateway to protect against Denial of Service (DoS) attacks originating from specific IP addresses.

About this task

A DoS attack occurs when a client floods a server with requests, disrupting server processing and blocking other clients from accessing it. Using the Denial of Service (DoS) by IP policy, you can limit the number of requests webMethods API Gateway accepts from a particular IP address within a specified time interval. You can limit the number of requests it can process concurrently from any IP address. By specifying these limits, you can protect webMethods API Gateway from DoS attacks by a particular IP address. When webMethods API Gateway detects that a limit has been exceeded, it blocks or denies the requests from that particular IP address. It displays an error message to the client based on your configuration. You can also configure a list of trusted IP addresses so that the requests from these IP addresses are allowed and not denied.

Note: To configure the denial of service by IP policy, you must set the watt.server.enterprisegateway.ignoreXForwardedForHeader property to false. With this setting, webMethods API Gateway reads the X-Forwarded-For (XFF) header of incoming requests to determine the actual client IP address rather than the address of an intermediate proxy, which is what makes DoS by IP limits meaningful.

Procedure

  1. Open the menu options and click Policies.
  2. Select Threat protection > Denial of service by IP.
  3. Set the Enable button to the On position to enable the policy.
  4. In the Maximum requests field, type the maximum number of requests that webMethods API Gateway can accept from a specific IP address in a given time interval.
  5. In the In (seconds) field, specify the length of that time interval in seconds; the maximum request count applies within this interval.
  6. In the Maximum requests in progress field, type the maximum number of requests that webMethods API Gateway can process concurrently from any single IP address.
  7. Select the action to take when the number of requests from a nontrusted IP address exceeds the specified limits:
    • Add to deny list. Permanently denies future requests from the IP address.
    • Block. Temporarily blocks requests from the IP address.
  8. In the Error message field, type the alert message text to display to the client when the policy is breached.
  9. In the Trusted IP Addresses field, add IP addresses that are trusted and therefore never blocked.

    webMethods API Gateway supports IPv4 and IPv6 addresses in the trusted IP addresses list. You can specify a range of IP addresses by using the classless interdomain routing (CIDR) notation. To specify an IP address range, type the first IP address in the range followed by a forward slash (/) and a CIDR suffix.

    Example IPv4 address range:

    • 192.168.100.0/22 represents the IPv4 addresses from 192.168.100.0 to 192.168.103.255
    • 148.20.57.0/30 represents the IPv4 addresses from 148.20.57.0 to 148.20.57.3

    Example IPv6 address range:

    • f000::/1 represents the IPv6 addresses from f000:: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
    • 2001:db8::/48 represents the IPv6 addresses from 2001:db8:0:0:0:0:0:0 to 2001:db8:0:ffff:ffff:ffff:ffff:ffff.
  10. Click Add to add more than one IP address.
  11. Click Save.
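The following is an added example, not code from webMethods API Gateway or its documentation. It models the admission logic the policy fields above describe: a per-IP request ceiling inside a time window (Maximum requests, In (seconds)), a per-IP concurrency ceiling (Maximum requests in progress), the trusted-address bypass expressed as IPv4/IPv6 CIDR ranges, and the two actions (Add to deny list versus Block). The class name, the 60-second default for a temporary block, and the X-Forwarded-For helper are assumptions made for the example; the product does not document those internals.

```python
from collections import deque
from ipaddress import ip_address, ip_network


def client_ip_from_xff(xff_header, remote_addr):
    """Return the client address recorded in X-Forwarded-For (assumed handling).

    The left-most entry is the original client; later entries are proxies.
    Only rely on this header when a proxy you control sets it; otherwise fall
    back to the TCP peer address (remote_addr).
    """
    if xff_header:
        first = xff_header.split(",")[0].strip()
        try:
            return str(ip_address(first))
        except ValueError:
            pass
    return remote_addr


class DosByIpPolicy:
    """Hypothetical model of the Denial of Service by IP policy semantics."""

    def __init__(self, max_requests, interval_seconds, max_in_progress,
                 action, error_message, trusted_cidrs=(), block_seconds=60.0):
        assert action in ("deny_list", "block")
        self.max_requests = max_requests          # "Maximum requests"
        self.interval = interval_seconds          # "In (seconds)"
        self.max_in_progress = max_in_progress    # "Maximum requests in progress"
        self.action = action                      # "Add to deny list" / "Block"
        self.error_message = error_message        # "Error message"
        # "Trusted IP Addresses": single addresses or CIDR ranges, IPv4 or IPv6
        self.trusted = [ip_network(c, strict=False) for c in trusted_cidrs]
        self.block_seconds = block_seconds        # assumed length of a temporary block
        self._windows = {}        # ip -> deque of request timestamps inside the interval
        self._in_progress = {}    # ip -> requests currently being processed
        self._deny_list = set()   # ips permanently denied
        self._blocked_until = {}  # ip -> time at which a temporary block expires

    def is_trusted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.trusted)

    def _punish(self, ip, now):
        if self.action == "deny_list":
            self._deny_list.add(ip)
        else:
            self._blocked_until[ip] = now + self.block_seconds

    def admit(self, ip, now):
        """Decide whether to accept a request from ip at time now.

        Returns (True, None) when accepted, (False, error_message) otherwise.
        Call release(ip) once an accepted request has finished.
        """
        if self.is_trusted(ip):
            self._in_progress[ip] = self._in_progress.get(ip, 0) + 1
            return True, None
        if ip in self._deny_list or self._blocked_until.get(ip, 0) > now:
            return False, self.error_message
        window = self._windows.setdefault(ip, deque())
        while window and now - window[0] >= self.interval:   # drop expired timestamps
            window.popleft()
        in_flight = self._in_progress.get(ip, 0)
        if len(window) >= self.max_requests or in_flight >= self.max_in_progress:
            self._punish(ip, now)
            return False, self.error_message
        window.append(now)
        self._in_progress[ip] = in_flight + 1
        return True, None

    def release(self, ip):
        """Mark one in-progress request from ip as finished."""
        if self._in_progress.get(ip, 0) > 0:
            self._in_progress[ip] -= 1


def demo():
    """Constructed walk-through: 3 requests per 10 s, 2 concurrent, Block action."""
    policy = DosByIpPolicy(max_requests=3, interval_seconds=10, max_in_progress=2,
                           action="block", error_message="Too many requests",
                           trusted_cidrs=["192.168.100.0/22", "2001:db8::/48"],
                           block_seconds=30)
    results = []
    # Untrusted client sends 4 requests inside one window; the 4th is refused
    # and the address is blocked temporarily (until t = 33).
    for t in (0, 1, 2, 3):
        ok, _ = policy.admit("203.0.113.7", now=t)
        policy.release("203.0.113.7")
        results.append(ok)
    results.append(policy.admit("203.0.113.7", now=20)[0])   # still blocked
    results.append(policy.admit("203.0.113.7", now=40)[0])   # block expired, window empty
    # Addresses inside the trusted CIDR ranges are never limited.
    results.append(all(policy.admit("192.168.103.255", now=50)[0] for _ in range(10)))
    results.append(policy.admit("2001:db8:0:ffff::1", now=50)[0])
    # Concurrency ceiling: a second client opens requests without finishing them.
    for _ in range(3):
        results.append(policy.admit("198.51.100.9", now=60)[0])   # True, True, False
    return results
```

The sliding window is a per-IP deque of timestamps, so the count is exact rather than bucketed; the concurrency limit only works if every accepted request is eventually released, which is the kind of accounting a gateway does internally. Trusted addresses still have their in-flight count tracked for visibility but are never refused, matching the policy's trusted-list behaviour.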