Configuring Denial of Service by IP Policy
Configure this policy to limit the requests that API Gateway processes from an IP address while ensuring that requests from trusted IP addresses are not denied. You can configure a list of trusted IP addresses so that requests from these IP addresses are always allowed. You can also configure the maximum number of requests that can be processed from an IP address or a range of IP addresses in a given time interval. When this limit is exceeded, the IP address is moved to the Denied IP List.
To configure the denial of service by IP policy
1. Click Policies in the title navigation bar.
2. Select Threat protection > Denial of service by IP.
3. Set the Enable button to the On position to enable the policy.
4. Type the maximum number of requests, in the Maximum requests field, that API Gateway can accept from a specific IP address in a given time interval.
5. Specify time in seconds, in the In (seconds) field, in which the maximum requests have to be processed.
6. Type the maximum number of requests, in the Maximum requests in progress field, that API Gateway can process concurrently from any single IP address.
7. Select one of the following actions to be taken when the number of requests from a non-trusted IP address exceeds the specified limits:
Add to deny list: permanently deny future requests from the IP address.
Block: temporarily block requests from this IP address.
8. Type the alert message text, in the Error message field, to be displayed when the policy is breached.
9. Add IP addresses, in the Trusted IP Addresses field, that can be trusted and not blocked.
API Gateway supports IPv4 and IPv6 addresses in the trusted IP addresses lists.
You can specify a range of IP addresses using the classless inter-domain routing (CIDR) notation. To specify an IP address range, type the first IP address in the range followed by a forward slash (/) and a CIDR suffix.
Example IPv4 address range:
192.168.100.0/22 represents the IPv4 addresses from 192.168.100.0 to 192.168.103.255
148.20.57.0/30 represents the IPv4 addresses from 148.20.57.0 to 148.20.57.3
Example IPv6 address range:
f000::/1 represents the IPv6 addresses from f000:: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
2001:db8::/48 represents the IPv6 addresses from 2001:db8:0:0:0:0:0:0 to 2001:db8:0:ffff:ffff:ffff:ffff:ffff.
Click [icon] to add more than one IP address.
10. Click Save.
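A pre-check for entries destined for the Trusted IP Addresses field, as an added example that is not part of the product documentation or API Gateway's own code: it expands each entry to its first and last address with Python's standard ipaddress module and flags entries that are malformed, whose typed base address is not the first address of the block, or whose prefix is short enough to exempt a very large range from the policy. The function names and the prefix thresholds are assumptions made for illustration.

```python
import ipaddress

# Assumption: prefixes shorter than these count as "too broad" for a trusted
# list. The thresholds are illustrative, not API Gateway defaults.
MIN_PREFIX = {4: 16, 6: 32}

def audit_trusted_entry(entry):
    """Return (first, last, warnings) for one trusted-IP entry (address or CIDR)."""
    warnings = []
    entry = entry.strip()
    # Standard CIDR semantics from the ipaddress module; strict=False accepts a
    # base address with host bits set and normalises it to the block start.
    net = ipaddress.ip_network(entry, strict=False)
    typed_base = ipaddress.ip_address(entry.split("/")[0])
    if typed_base != net.network_address:
        warnings.append("base address is not the first address of the block")
    if net.prefixlen < MIN_PREFIX[net.version]:
        warnings.append(f"/{net.prefixlen} exempts a very large range from the policy")
    return str(net[0]), str(net[-1]), warnings

def audit_trusted_list(entries):
    """Audit every entry; unparsable entries are reported instead of raising."""
    report = {}
    for entry in entries:
        try:
            report[entry] = audit_trusted_entry(entry)
        except ValueError as exc:
            report[entry] = (None, None, [f"invalid entry: {exc}"])
    return report

# Constructed sample list: the first three ranges are the examples given in
# step 9, the rest are made-up mistakes an operator might type.
SAMPLE = ["192.168.100.0/22", "148.20.57.0/30", "2001:db8::/48",
          "10.1.2.3/8", "0.0.0.0/0", "192.168.1.300"]

if __name__ == "__main__":
    for entry, (first, last, warnings) in audit_trusted_list(SAMPLE).items():
        print(f"{entry:20} {first} - {last}  {'; '.join(warnings)}")
```

Every address inside a trusted range bypasses the configured limits, so entries that produce warnings are worth reviewing before they are saved.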