L7 DDOS

About

DOS and DDOS attacks often cause partial or complete service disruption for organizations. DOS and DDOS protection systems are multi-layered, dynamic mechanisms that continuously learn from and evaluate network traffic, blocking harmful traffic while allowing harmless traffic. They provide active protection through behavioral modelling. A WAF (Web Application Firewall) cannot fully prevent DDOS attacks. What matters is that the WAF product continues to provide service during and after a DDOS attack.

Basic DDOS Attack Types

  • Network Level
  • Reflective/Amplified
  • Fragmentation
  • Application Specific
  • Crafted

For example, a WAF can block clients based on the number of HTTP requests they make (with separate limits for authorized and unauthorized sessions), the number of erroneous requests they make within a certain time period, and the number of connections they open. Additionally, protection at the L7 (HTTP) level can be achieved using special algorithms that check for human user behaviour, along with basic HTTP protocol timeout values.

How to Add?

To add a new L7 DDOS Profile, navigate to Traffic Manager > Profiles > L7 DDOS > Add in the TR7 ASP web interface.

L7 DDOS Profiles Listing Screen

By following "Traffic Manager > Profiles > L7 DDOS" you can access a list of all L7 DDOS Profiles on the TR7 ASP device. On this screen, L7 DDOS Profiles can be added, edited, and deleted.

L7 DDOS Profiles Listing Form

- 1 (Information to be Displayed in the Table)


Select which information to display in the table listing the L7 DDOS Profiles.
The selectable and default information includes:

  • DDOS Profile Name
  • Max L7 HTTP(s) Requests
  • L7 HTTP Limit Excess
  • DDOS Activation Limit
  • DDOS Limit Excess

- 2 (Add)


Click the Add button to open a form for creating a new DDOS Profile.

- 3 (Delete)


One or more L7 DDOS Profiles can be selected and deleted by clicking the Delete button.

- 4 (Edit)


Click the Edit button to open the editing screen for the relevant DDOS Profile.


Used to search all expressions in the table.


Used to run a regexp search over all expressions in the table.


Used to run a column-based search over all expressions in the table.

- 8 (Usage Filter)


Used to filter the expressions in the table by the vServices they are used in.

- 9 (Page Information)


Shows how many L7 DDOS Profiles are listed and how many are in the opened list. When L7 DDOS Profiles are selected on the left side for deletion, information about the selected DDOS Profiles is also displayed here.

- 10 (Page Size)


Select how many L7 DDOS Profiles will be listed in the opened list. You can switch between pages using arrow symbols.

- Preview of the Selected L7 DDOS Profiles


After following "Traffic Manager > Profiles > DDOS", clicking on any profile opens a window on the right side of the screen with information about that profile.

This window also provides information about "Used In". For instance, the "DDOS_1" L7 DDOS profile is used in the "www.tr7.com" vService.

The preview can be closed by clicking the (x) button at the top right of the opened window.

L7 DDOS Profiles Adding Form

A new DDOS Profile is added to the TR7 ASP device by following "Traffic Manager > Profiles > L7 DDOS > Add".

- DDOS Profile Name


Enter a name for the new L7 DDOS Profile.

- Max. L7 HTTP(s) Requests


Set the maximum number of HTTP/HTTPS requests per second that the vService can handle. To fully protect the vService, it is also recommended to set limits in vService Limits, such as maximum connection count, new connection limit, and maximum connection frequency.

- L7 HTTP Limit Excess


Choose what to do when the above limit is exceeded. You can select Maintenance to show a content page, Redirect to redirect to an address, or Block to block the incoming requests.

When Maintenance is selected and the limit is exceeded, a Content Page to be shown to the client is chosen from the L7 HTTP Content tab.

By selecting Block, when the limit is exceeded, the client is blocked directly.

By selecting Redirect, when the limit is exceeded, the client is redirected to the URL entered in the L7 HTTP Limit Excess - Redirect URL tab.

- DDOS Activation Limit


Sets the DDOS activation threshold for the given limit. For example, assume the limit is one million HTTP(s) requests per second. If 'Block' is selected for L7 HTTP Limit Excess, any HTTP/HTTPS requests exceeding one million per second will be blocked. If the DDOS activation limit is set to 700,000 and configured to show a captcha, then DDOS protection is activated and a captcha is shown to requests exceeding 700,000 per second.
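A minimal model of how the two thresholds interact, added here as an illustration (it is not TR7 ASP code). It assumes a one-second sliding window and scales the 1,000,000 and 700,000 figures down to 10 and 7; the class and function names are hypothetical.

```python
from collections import Counter, deque

class TwoTierLimiter:
    """Service-wide limiter with a DDOS activation tier below the hard limit."""

    def __init__(self, max_requests, activation_limit,
                 l7_action="block", ddos_action="captcha", window=1.0):
        # Model assumption: an activation limit above the hard limit never fires.
        if activation_limit > max_requests:
            raise ValueError("activation limit must not exceed the max limit")
        self.max_requests = max_requests
        self.activation_limit = activation_limit
        self.l7_action = l7_action
        self.ddos_action = ddos_action
        self.window = window
        self.seen = deque()  # arrival times inside the sliding window

    def decide(self, now):
        # Forget arrivals that have left the one-second window.
        while self.seen and now - self.seen[0] >= self.window:
            self.seen.popleft()
        self.seen.append(now)
        rate = len(self.seen)
        if rate > self.max_requests:
            return self.l7_action      # L7 HTTP Limit Excess
        if rate > self.activation_limit:
            return self.ddos_action    # DDOS Limit Excess
        return "pass"

def simulate(arrivals, max_requests=10, activation_limit=7):
    """Return the action taken for each arrival time, in order."""
    limiter = TwoTierLimiter(max_requests, activation_limit)
    return [limiter.decide(t) for t in arrivals]

# Constructed arrivals: 12 requests inside one second, then one after a pause.
BURST = [i * 0.01 for i in range(12)] + [1.5]

if __name__ == "__main__":
    print(Counter(simulate(BURST)))
```

Requests between the activation limit and the maximum are challenged rather than dropped, so legitimate clients caught in a spike can still get through.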

- DDOS Limit Excess


When the above limit is exceeded, one of the following actions can be applied: showing content to the client with the Maintenance option, redirecting to another address, or showing a captcha.

When Maintenance is selected and the limit is exceeded, a Content Page to be shown to the client is chosen from the DDOS Content tab.

By selecting Redirect, when the limit is exceeded, the client is redirected to the URL entered in the DDOS Limit Excess - Redirect URL tab.

When Show CAPTCHA is selected, Captcha verification is shown to the client. Captcha is displayed according to the value entered in the Number of Shown Captchas/2min tab.

[Screenshot: the page the client sees in the browser when the Captcha is shown.]

- Country Based State Management


Requests to the service can be limited by country using percentage ratios. For example, most of the traffic can be allocated with limits such as 65% for Turkey and 15% for local networks. Very low percentages can be given to countries where DDOS attacks are likely to originate, such as China, the USA, and Russia, with the remaining percentage allocated to other countries.

- User based Max HTTP(s) Requests


Limits the maximum number of HTTP/HTTPS requests per user. This way, DoS protection can be provided individually for each client on a single DDOS profile.

- User Based Limit Excess


When a single client exceeds the given value, actions such as showing content, redirecting, or blocking can be performed.

When Maintenance is selected and the limit is exceeded, a User Based Limit Excess Content to be shown to the client is chosen.

By selecting Block, when the limit is exceeded, the client is blocked directly.

By selecting Redirect, when the limit is exceeded, the client is redirected to the URL entered in the User Based Limit Excess - Redirect URL tab.

- Blacklist on User Based Limit Excess


Automatically adds the user to the Blacklist if they hit the limit.

- User Based Max Connections


Enter the maximum number of new connections each user can make.

- User Based Max Traffic


Enter the maximum traffic each user can generate. The value can be given in Kbps, Mbps, or Gbps.

- IP Based Max Users/1min


Limits how many different User-Agent headers can come from the same IP address in one minute. TR7 ASP evaluates a user based on their IP address + User-Agent information. Without such a limit, much more traffic can be generated from a single IP address with different User-Agents.
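The effect of keying a user on IP address + User-Agent, shown as an added example over a constructed request log (not TR7 ASP code). The limit values, the fixed one-second and one-minute buckets, and the choice to flag every further request from an IP once it exceeds the user count are assumptions of this sketch.

```python
from collections import Counter, defaultdict

USER_MAX_REQUESTS = 5     # assumed: requests per user per second
IP_MAX_USERS_PER_MIN = 3  # assumed: distinct users (User-Agents) per IP per minute

def evaluate(log, enforce_ip_users=True):
    """Return one verdict per (timestamp, ip, user_agent) entry in the log."""
    per_user = defaultdict(int)    # (ip, ua, second) -> request count
    uas_per_ip = defaultdict(set)  # (ip, minute) -> User-Agents seen
    verdicts = []
    for ts, ip, ua in log:
        second, minute = int(ts), int(ts) // 60
        per_user[(ip, ua, second)] += 1
        uas_per_ip[(ip, minute)].add(ua)
        if enforce_ip_users and len(uas_per_ip[(ip, minute)]) > IP_MAX_USERS_PER_MIN:
            verdicts.append("ip-users-exceeded")
        elif per_user[(ip, ua, second)] > USER_MAX_REQUESTS:
            verdicts.append("user-limit-exceeded")
        else:
            verdicts.append("pass")
    return verdicts

# Constructed sample log entries: (epoch seconds, client IP, User-Agent).
# 198.51.100.7 is one client sending 7 requests in one second.
SINGLE_UA = [(100.0 + i / 10, "198.51.100.7", "ua-a") for i in range(7)]
# 203.0.113.10 sends 20 requests in one second spread over 10 User-Agents,
# so each (IP, User-Agent) "user" makes only 2 requests.
ROTATING_UA = [(100.0 + i / 20, "203.0.113.10", f"ua-{i % 10}") for i in range(20)]

def summarize(log, **kwargs):
    """Count verdicts for a log."""
    return Counter(evaluate(log, **kwargs))

if __name__ == "__main__":
    print(summarize(SINGLE_UA))
    print(summarize(ROTATING_UA, enforce_ip_users=False))
    print(summarize(ROTATING_UA))
```

With only the per-user limit, all 20 requests from the rotating client pass; with the IP-based user limit enabled, everything after the third distinct User-Agent is flagged.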

- Blacklist Timeout

Enter how long a user added to the Blacklist will stay there. The value can be given in seconds, minutes, or hours.

- Whitelist Timeout

Enter how long a user added to the Whitelist will stay there. The value can be given in seconds, minutes, or hours.

- Add


Click the Add button to add the L7 DDOS Profile.

How to Add an L7 DDOS Profile to the vService?

Step > 1

First, follow "Settings Mode > vServices" on the TR7 web interface.

Step > 2

On the resulting screen, right-click the vService to which the L7 DDOS Profile will be added and select "Edit", or click on the relevant vService and follow "Actions > Edit" from the pane that opens on the right to reach the same window.

Step > 3

In the vService's editing screen, select "Details > L7 DDOS" to activate the DDOS profile. The Default profile can be used when it is first activated.

Step > 4

To use a previously added profile other than the Default profile or to add a new profile, click the arrow next to the profile. Selections can be made from existing profiles.

Click the "Add" button to add a new L7 DDOS Profile on the vService screen.

After selecting a profile, DDOS Whitelist and DDOS Blacklist information can be edited on the vService screen. By default, these options are not selected.

Activate these options to enter the desired Whitelist and Blacklist IP addresses.

Warning

The IP addresses that can be entered include single IP addresses like "1.1.1.1" or network ranges like "5.5.5.0/24". Multiple IP addresses can be added by clicking the (+) button on the right.

Step > 5

Click the "Save" button to save the changes and wait for the reconfiguration of the vService.