Denial of Service

Supported Versions: 9.12 & above

Introduction

On the Internet, a denial of service (DoS) attack is an incident in which an organization is deprived of the services of a resource, typically by flooding that resource with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.

To mitigate such attacks, API Gateway Threat Protection provides Denial of Service protection. An administrator can configure DoS protection to restrict the requests entering the system, thereby preventing attackers from depleting the organization's resources.

To add more flexibility and granular protection, API Gateway supports two types of DoS protection:

  • Global Denial of Service
  • Denial of Service by IP

The Administrator can configure this protection under the Policies section in API Gateway.

Global Denial of Service

Global Denial of Service protection is a global entity: it is applied to all requests irrespective of IP, region or request type.

The parameter details are as follows:

Maximum Requests and In (seconds)
  Indicates the maximum number of requests allowed in the configured interval of time. If the number of requests exceeds this limit within the specified interval, all the requests are rejected.
Maximum Requests in Progress
  Indicates the maximum number of concurrent requests that the server processes at any point in time. This secures the system against a sudden burst of requests that would deplete its resources.
Block Interval
  When the configured protection is violated, the system moves into a safe mode in which all incoming requests are blocked for the configured interval of time. After that, the system resumes request processing.
Error Message
  The message that is sent as the response when a request is rejected because of the protection added.
Trusted IP Address
  A list of IPs that the administrator can add and to which this protection does not apply. It is a white-list that is excluded from the protection check until the IP is removed from the list.

Denial of Service by IP

Denial of Service by IP protection is IP-specific: it is applied to all requests, but the limits are tracked separately for each originating IP address.

The parameter details are as follows:

Maximum Requests and In (seconds)
  Indicates the maximum number of requests allowed in the configured interval of time. If the number of requests exceeds this limit within the specified interval, all the requests are rejected.
Maximum Requests in Progress
  Indicates the maximum number of concurrent requests that the server processes at any point in time. This secures the system against a sudden burst of requests that would deplete its resources.
Action when limit exceeds
  Indicates the action to be taken when a violation occurs: either block the IP for an interval or permanently blacklist it.
Add to Deny List
  The IP from which the request originates is added to a deny list permanently, unless the Administrator decides to remove it. Once an IP violates the protection and is moved to the Denied IPs list, it cannot access the server anymore until it is removed from the list.
Block Interval and Block Interval (minutes)
  In this case, the IP from which the request originates is blocked for a specific interval of time, and the restriction is revoked automatically after that period.
Error Message
  The message that is sent as the response when a request is rejected because of the protection added.
Trusted IP Address
  The Administrator can add a list of IPs to which this protection is not applied. It is a white-list that is excluded from the protection check until the IP is removed from the list.

Denied IPs

Denied IPs holds the list of IP addresses that violated the Denial of Service by IP protection. The Administrator investigates each IP address to check whether it can be trusted or not. If the IP turns out to be a reliable one, it can then be removed from the list.

Runtime

Test Steps - Global Denial of Service:

  1. Configure a Global Denial of Service with
    • Maximum Requests - 5
    • In Seconds - 20
    • Maximum Requests in Progress - 2
    • Block Interval - 1
    • Error Message - "Receiving too many requests. Rejecting all the requests"
    • Trusted IP - 127.0.0.1
  2. Enable the configuration and click Save.
  3. Once the rule is successfully saved, invoke any one of the APIs running on that server.
  4. After 5 requests within the interval, the client should receive the configured error message as the response, with response code 403.

The screenshot shows the error message from the client when the Global Denial of Service Protection is violated for a request.

All IPs (*) are added to the denied list.

Test Steps - Denial of Service by IP:

  1. Configure a Denial of Service by IP with
    • Maximum Requests - 5
    • In Seconds - 20
    • Maximum Requests in Progress - 2
    • Block Interval - 1
    • Error Message - "Too many requests from this IP. Blocking this IP for further access"
    • Trusted IP - 127.0.0.1
  2. Enable the configuration and click Save.
  3. Once the rule is successfully saved, invoke any one of the APIs running on that server.
  4. After 5 requests within the interval, the client should receive the configured error message as the response, with response code 403.
  5. Invoking the same API from another IP address, or from the trusted IP, should still give a successful response.

The screenshot shows the error message from the client when the Denial of Service by IP Protection is violated for a request.

The IP from which the request originates is added to the denied list.
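The following model of the two protections replays both sets of test steps above (5 requests in 20 seconds, 2 in progress, 1-minute block, trusted IP 127.0.0.1). It is example code added for this page, not API Gateway's implementation: the DosProtection class, its admit/release methods, the sliding-window interpretation of "Maximum Requests and In (seconds)", the "*" bucket for the global variant and the client addresses 203.0.113.10 and 198.51.100.7 are all assumptions.

```python
import time
from collections import deque

class DosProtection:
    """Request limiter modelled on the page's DoS parameters (assumed semantics, not API Gateway's
    own code). key_fn selects the bucket: lambda ip: "*" is Global DoS, lambda ip: ip is DoS by IP."""
    def __init__(self, max_requests, in_seconds, max_in_progress, block_interval_minutes, error_message,
                 trusted_ips=(), key_fn=lambda ip: ip, add_to_deny_list=False, clock=time.monotonic):
        self.max_requests, self.in_seconds, self.max_in_progress = max_requests, in_seconds, max_in_progress
        self.block_seconds, self.error_message = block_interval_minutes * 60, error_message
        self.trusted_ips, self.key_fn, self.add_to_deny_list, self.clock = set(trusted_ips), key_fn, add_to_deny_list, clock
        self.windows, self.in_progress = {}, {}      # bucket -> accepted timestamps / requests in flight
        self.blocked_until, self.denied = {}, set()  # temporary Block Interval / permanent Denied IPs

    def admit(self, ip):
        """Return (status, message); after a 200 the caller must call release(ip) when the request ends."""
        if ip in self.trusted_ips:
            return 200, "OK"  # white-listed: the protection check is skipped entirely
        key, now = self.key_fn(ip), self.clock()
        if key in self.denied or self.blocked_until.get(key, 0) > now:
            return 403, self.error_message
        window = self.windows.setdefault(key, deque())
        while window and now - window[0] >= self.in_seconds:
            window.popleft()  # forget requests older than the configured interval
        if len(window) >= self.max_requests or self.in_progress.get(key, 0) >= self.max_in_progress:
            if self.add_to_deny_list:
                self.denied.add(key)  # stays denied until an administrator removes it
            else:
                self.blocked_until[key] = now + self.block_seconds  # lifted automatically later
            return 403, self.error_message
        window.append(now)
        self.in_progress[key] = self.in_progress.get(key, 0) + 1
        return 200, "OK"

    def release(self, ip):
        if ip not in self.trusted_ips and self.in_progress.get(self.key_fn(ip), 0) > 0:
            self.in_progress[self.key_fn(ip)] -= 1

def replay_test_steps(scope):
    fake_clock = [0.0]  # constructed clock: replays the page's test (5 req / 20 s, 2 in flight, 1 min block)
    policy = DosProtection(5, 20, 2, 1, "Too many requests", trusted_ips={"127.0.0.1"}, clock=lambda: fake_clock[0],
                           key_fn=(lambda ip: "*") if scope == "global" else (lambda ip: ip))
    statuses = []
    for _ in range(6):  # constructed client 203.0.113.10: 5 requests pass, the 6th is rejected with 403
        statuses.append(policy.admit("203.0.113.10")[0])
        policy.release("203.0.113.10")
    statuses.append(policy.admit("198.51.100.7")[0])  # a second (constructed) client
    statuses.append(policy.admit("127.0.0.1")[0])     # the trusted IP
    fake_clock[0] += 61.0                             # the 1-minute Block Interval has passed
    statuses.append(policy.admit("203.0.113.10")[0])
    return statuses
```

With scope "global" the second client is rejected too, because the violation put the whole server into safe mode; with scope "ip" only the offending address is blocked, matching step 5 of the by-IP test.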