Configure this policy in webMethods API Gateway
to prevent Denial of Service (DoS) attacks.
About this task
One form of DoS attack occurs when a client floods a server with many requests in an attempt to
interfere with server processing. Using webMethods API Gateway, you can limit the number of requests
that webMethods API Gateway accepts within a specified
time interval and the number of requests that it can process concurrently. By specifying these
limits, you can protect webMethods API Gateway from DoS
attacks.
You can configure webMethods API Gateway to limit the
total number of incoming requests from the external ports. For example, you might want to limit the
total number of requests received to 1000 requests in 10 seconds, and limit the number of concurrent
requests to 100 requests in 10 seconds. When webMethods API Gateway detects that a limit has been exceeded,
it blocks the exceeding requests for a specific time interval and displays an error message to the
client based on your configuration. You can also configure a list of trusted IP addresses so that
the requests from these IP addresses are allowed and not blocked.
Procedure
- Open the menu options and click Policies.
- Select .
- Set the Enable button to the On position to enable the
policy.
- In the Maximum requests field, type the maximum number of requests
that webMethods API Gateway can accept from any IP address in a given time interval.
- In the In (seconds) field, specify the time in seconds in which the
maximum requests must be processed.
- In the Maximum requests in progress field, type the maximum number of
concurrent requests that webMethods API Gateway can process.
- In the Block intervals (minutes) field, specify the time in minutes
for which you want requests to be blocked.
- In the Error message field, type the alert message text to be
displayed when the policy is breached.
- In the Trusted IP addresses field, add the IP addresses that can be
trusted and are allowed.
webMethods API Gateway supports IPv4 and IPv6 addresses in the trusted IP addresses list.
You can specify a range of IP addresses by using the classless interdomain routing (CIDR)
notation. To specify an IP address range, type the first IP address in the range followed by a
forward slash (/) and a CIDR suffix.
Example IPv4 address range:
- 192.168.100.0/22 represents the IPv4 addresses from 192.168.100.0 to 192.168.103.255
- 148.20.57.0/30 represents the IPv4 addresses from 148.20.57.0 to 148.20.57.3
Example IPv6 address range:
- f000::/1 represents the IPv6 addresses from f000:: to
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
- 2001:db8::/48 represents the IPv6 addresses from 2001:db8:0:0:0:0:0:0 to
2001:db8:0:ffff:ffff:ffff:ffff:ffff.
- Click Add to add more than one IP address.
- Click Save.
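Because requests from trusted IP addresses are allowed and not blocked, it is worth reviewing the list before you enter it. The following Python script is an added example, not part of the product or its documentation: it expands each entry to its first and last address and flags malformed, overly broad, misaligned, or redundant entries. The MIN_PREFIX thresholds, the finding names, and the sample entries other than the three documented ranges are assumptions of this example.

```python
import ipaddress

# Assumed review thresholds (not gateway settings): a prefix shorter than this
# exempts a large block of clients from the DoS limits and deserves a second look.
MIN_PREFIX = {4: 24, 6: 48}

def audit_entry(entry):
    """Expand one trusted-IP entry (address or CIDR); raises ValueError if malformed."""
    iface = ipaddress.ip_interface(entry.strip())
    net = iface.network  # standard CIDR semantics: host bits are masked off
    findings = []
    if iface.ip != net.network_address:
        findings.append("host-bits-set")  # entry does not start on a range boundary
    if net.prefixlen < MIN_PREFIX[net.version]:
        findings.append("broad-range")
    return {"entry": entry, "net": net, "first": str(net[0]), "last": str(net[-1]),
            "count": net.num_addresses, "findings": findings}

def audit_list(entries):
    """Audit every entry and flag those already covered by another entry."""
    results = []
    for entry in entries:
        try:
            results.append(audit_entry(entry))
        except ValueError:
            results.append({"entry": entry, "net": None, "findings": ["invalid"]})
    valid = [r for r in results if r["net"] is not None]
    for r in valid:
        for other in valid:
            if (other is not r and other["net"].version == r["net"].version
                    and r["net"].subnet_of(other["net"])):
                r["findings"].append("covered-by " + other["entry"])
    return results

# Constructed candidate list: three of the ranges documented above plus made-up entries.
SAMPLE = ["192.168.100.0/22", "148.20.57.0/30", "2001:db8::/48",
          "192.168.101.7", "10.1.2.3/8", "203.0.113.300"]

if __name__ == "__main__":
    for r in audit_list(SAMPLE):
        span = "%s - %s (%d)" % (r["first"], r["last"], r["count"]) if r["net"] else "-"
        print("%-18s %-52s %s" % (r["entry"], span, ", ".join(r["findings"]) or "ok"))
```

The script applies standard CIDR rules; how the gateway itself treats an entry whose address is not the first address of its range is not stated here, so correct such entries rather than relying on them.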