Configuring Global Denial of Service Policy
You can configure this policy in API Gateway to prevent Denial of Service (DoS) attacks. One form of DoS attack occurs when a client floods a server with many requests in an attempt to interfere with server processing. Using API Gateway, you can limit the number of requests that API Gateway accepts within a specified time interval and the number of requests that it can process concurrently. By specifying these limits, you can protect API Gateway from DoS attacks.
You can configure API Gateway to consider the total number of requests from all IP addresses, or to consider the number of requests from individual IP addresses. For example, you might want to limit the total number of requests received to 10 requests in 10 seconds, and limit the number of requests coming from any single IP address to 2 requests in 10 seconds. When API Gateway detects that a limit has been exceeded, it sends an alert. Depending on your configuration, API Gateway can temporarily block requests from all clients, or deny requests from particular IP addresses.
To configure global denial of service policy
1. Click Policies in the title navigation bar.
2. Select Threat protection > Global denial of service.
3. Set the Enable button to the On position to enable the policy.
4. In the Maximum requests field, type the maximum number of requests that API Gateway can accept from a specific IP address in a given time interval.
5. In the In (seconds) field, specify the time, in seconds, in which the maximum requests have to be processed.
6. In the Maximum requests in progress field, type the maximum number of requests that API Gateway can process concurrently from any single IP address.
7. In the Block intervals (minutes) field, specify the time, in minutes, for which you want requests to be blocked.
8. In the Error message field, type the alert message text to be displayed when the policy is breached.
9. In the Trusted IP addresses field, add the IP addresses that can be trusted and are always allowed.
API Gateway supports IPv4 and IPv6 addresses in the trusted IP addresses lists.
You can specify a range of IP addresses using the classless inter-domain routing (CIDR) notation. To specify an IP address range, type the first IP address in the range followed by a forward slash (/) and a CIDR suffix.
Example IPv4 address range:
192.168.100.0/22 represents the IPv4 addresses from 192.168.100.0 to 192.168.103.255
148.20.57.0/30 represents the IPv4 addresses from 148.20.57.0 to 148.20.57.3
Example IPv6 address range:
f000::/1 represents the IPv6 addresses from f000:: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
2001:db8::/48 represents the IPv6 addresses from 2001:db8:0:0:0:0:0:0 to 2001:db8:0:ffff:ffff:ffff:ffff:ffff.
Click to add more than one IP address.
10. Click Save.
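A check that can be run on candidate Trusted IP addresses entries before they are typed in step 9, as an added example that is not part of the product documentation: it expands each entry with Python's ipaddress module under standard CIDR semantics and flags entries that are malformed, whose typed address is not the first address of the block, or that are very broad. The MIN_PREFIX thresholds and the function names are assumptions of this example; how API Gateway itself treats an entry whose address is not on the block boundary is not stated on this page.

```python
import ipaddress

# Assumption of this example, not a product rule: prefixes shorter than these
# are reported as too broad for a list whose members are always allowed.
MIN_PREFIX = {4: 16, 6: 32}

def audit_trusted_entry(entry):
    """Return (first, last, warnings) for one Trusted IP addresses entry."""
    text = entry.strip()
    try:
        # strict=False accepts an address that is not on the block boundary,
        # so the entry can be reported below instead of raising here.
        net = ipaddress.ip_network(text, strict=False)
    except ValueError as exc:
        return None, None, [f"not a valid address or CIDR range: {exc}"]
    warnings = []
    typed = ipaddress.ip_address(text.split("/")[0])
    if typed != net.network_address:
        warnings.append(
            f"{typed} is not the first address of /{net.prefixlen}; "
            f"standard CIDR expands it from {net.network_address}")
    if net.prefixlen < MIN_PREFIX[net.version]:
        warnings.append(
            f"/{net.prefixlen} covers {net.num_addresses} always-allowed addresses")
    return str(net[0]), str(net[-1]), warnings

def audit_trusted_list(entries):
    """Audit every entry; returns {entry: (first, last, warnings)}."""
    return {e: audit_trusted_entry(e) for e in entries}

if __name__ == "__main__":
    # The first four entries are the ranges used as examples on this page;
    # the last two are constructed to show a loose mask and a typo.
    sample = ["192.168.100.0/22", "148.20.57.0/30", "2001:db8::/48",
              "f000::/1", "10.1.2.3/8", "10.0.0.300/24"]
    for entry, (first, last, warnings) in audit_trusted_list(sample).items():
        print(f"{entry:20} {first} - {last}")
        for w in warnings:
            print(f"{'':20} WARNING: {w}")
```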