How to Enable L7 (HTTP) DoS/DDoS Protection?
About
What Is L7 (HTTP) DoS/DDoS?
Layer 7 (HTTP) DoS/DDoS protection defends against DDoS (Distributed Denial of Service) or DoS (Denial of Service) attacks that occur at the application layer (Layer 7). These types of attacks attempt to disrupt or disable the normal operation of a web server or service by sending a large volume of requests or traffic, thereby overwhelming the service and making it unavailable to legitimate users.
Interface
L7 (HTTP) DoS/DDoS Protect
Step > 1
From the TR7 web management interface, follow the steps "Traffic Manager > Profiles > L7 DDoS > Add".
Step > 2
In the opened screen, the Max L7 HTTP req/s field limits the maximum number of HTTP/HTTPS requests per second that the vService will handle. For full protection of a vService, it is also recommended to apply limits on the maximum number of connections, new connections, and maximum connection frequency at the vService level.
When this limit is exceeded, you can choose what happens to the client with the L7 HTTP Limit Excess option. You can display a content page by selecting Maintenance, redirect the requests to a different address by selecting Redirect, or block the requests by selecting Block.
To see how the DDoS activation limit interacts with this, assume the Max L7 HTTP req/s limit above is 100,000 requests per second. If L7 HTTP Limit Excess is set to Block, any requests beyond 100,000 per second are blocked. If the DDoS activation limit is set to 1,000 and configured to show a captcha, any requests beyond 1,000 per second trigger a captcha, which activates DDoS protection.
Besides the captcha, when the DDoS activation limit is exceeded you can also choose to show content, redirect, or block requests with the DDoS Limit Excess option.
The number of captchas shown to clients within each 2-minute period can also be configured.
With Country-Based State Management, requests coming to the service can be restricted based on country-specific percentages.
Step > 3
The maximum HTTP/HTTPS requests per second per user setting limits the number of requests a single client can make. DoS protection is thereby provided by checking each client individually within a single DDoS profile.
When a single client exceeds the above-given value, you can choose to show content, redirect, or block the client.
Additionally, a client that exceeds this limit can be added to a blacklist, which effectively quarantines it.
Beyond the user-based maximum HTTP requests per second, limits can also be applied to a client's maximum connections or traffic.
The IP-based maximum users setting limits how many distinct User-Agent header values may arrive from a single IP address within a 1-minute period. TR7 identifies a user by the combination of IP address and User-Agent; without such a limit, a single IP address could generate significantly more traffic by using multiple User-Agents.
With the blacklist and whitelist expiration settings, IP addresses are kept on the blacklist or whitelist for a specified duration. Click "Add" to create the new DDoS profile.
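The following is an added simulation, not TR7 code, of the layered decisions Steps 2 and 3 describe: a service-wide req/s counter with a DDoS activation threshold (captcha) below a hard Max L7 HTTP req/s threshold (block), a per-client limit where a client is identified as IP address plus User-Agent, a cap on distinct User-Agents seen from one IP within a minute, and a blacklist whose entries expire. The class, its method names, the evaluation order, the limit values and the request stream are all assumptions constructed for illustration; TR7's internal order of checks and defaults are not documented on this page.

```python
from collections import defaultdict, deque

ALLOW, CAPTCHA, BLOCK = "allow", "captcha", "block"


class L7DdosProfile:
    """Illustrative model of an L7 DDoS profile (assumed design, not TR7 code)."""

    def __init__(self, ddos_activation_limit, max_l7_req_per_s,
                 user_max_req_per_s, ip_max_users_per_min, blacklist_seconds):
        self.ddos_activation_limit = ddos_activation_limit  # above this: captcha
        self.max_l7_req_per_s = max_l7_req_per_s            # above this: block
        self.user_max_req_per_s = user_max_req_per_s        # per IP + User-Agent
        self.ip_max_users_per_min = ip_max_users_per_min    # distinct UAs per IP
        self.blacklist_seconds = blacklist_seconds          # blacklist expiry
        self.global_window = deque()                        # timestamps, last 1 s
        self.client_windows = defaultdict(deque)            # (ip, ua) -> timestamps
        self.ip_agents = defaultdict(dict)                  # ip -> {ua: last_seen}
        self.blacklist = {}                                 # (ip, ua) -> expiry time

    @staticmethod
    def _trim(window, now, span):
        """Drop timestamps older than `span` seconds from a sliding window."""
        while window and window[0] <= now - span:
            window.popleft()

    def evaluate(self, now, ip, user_agent):
        client = (ip, user_agent)
        # Every arriving request counts toward the service-wide request rate.
        self.global_window.append(now)
        self._trim(self.global_window, now, 1.0)

        # 1. Quarantined clients stay blocked until their blacklist entry expires.
        expiry = self.blacklist.get(client)
        if expiry is not None:
            if now < expiry:
                return BLOCK
            del self.blacklist[client]

        # 2. Per-client limit; exceeding it blacklists the IP + User-Agent pair.
        window = self.client_windows[client]
        window.append(now)
        self._trim(window, now, 1.0)
        if len(window) > self.user_max_req_per_s:
            self.blacklist[client] = now + self.blacklist_seconds
            window.clear()
            return BLOCK

        # 3. Cap on distinct User-Agents seen from one IP within the last minute.
        agents = self.ip_agents[ip]
        for stale in [ua for ua, seen in agents.items() if seen <= now - 60.0]:
            del agents[stale]
        if user_agent not in agents and len(agents) >= self.ip_max_users_per_min:
            return BLOCK
        agents[user_agent] = now

        # 4. Service-wide thresholds: captcha above the activation limit,
        #    block above the hard Max L7 HTTP req/s limit.
        total = len(self.global_window)
        if total > self.max_l7_req_per_s:
            return BLOCK
        if total > self.ddos_activation_limit:
            return CAPTCHA
        return ALLOW


def run_sample():
    """Run a constructed request stream and return one decision per request."""
    profile = L7DdosProfile(ddos_activation_limit=5, max_l7_req_per_s=8,
                            user_max_req_per_s=3, ip_max_users_per_min=2,
                            blacklist_seconds=120)
    requests = (
        # one client bursting past its per-client limit of 3 req/s
        [(i * 0.1, "10.0.0.1", "ua-a") for i in range(5)]
        # three distinct User-Agents from one address within a minute
        + [(10.0, "10.0.0.2", "ua-1"), (10.1, "10.0.0.2", "ua-2"),
           (10.2, "10.0.0.2", "ua-3"), (10.3, "10.0.0.2", "ua-1")]
        # nine distinct clients hitting the service within one second
        + [(20.0 + i * 0.01, f"10.0.1.{i}", "ua-x") for i in range(9)]
        # the quarantined client returns after its blacklist entry has expired
        + [(130.0, "10.0.0.1", "ua-a")]
    )
    return [profile.evaluate(t, ip, ua) for t, ip, ua in requests]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The order of checks matters for what a blocked request costs the service: here every request, including ones that end up blocked, is counted toward the service-wide rate, so the activation and hard limits reflect incoming load rather than only the traffic that was admitted. Tuning the four limits against each other (per-client limit well below the activation limit, activation limit well below the hard limit) is what lets the captcha tier absorb a surge before the block tier starts discarding requests.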