Use the HTTP Mitigator Advanced Profiles pane to configure an HTTP Flood Mitigation profile with advanced parameters.
HTTP Flood Mitigation profiles defend the applications in your network against server flooding. Server flood attacks are aimed at specific servers causing denial of service at the server level. These types of attacks disrupt a server by sending more requests than the server can handle, thereby preventing access to a service.
Server attacks differ from network-flood attacks either in the attack volume or in the nature of the requests used in the attack. Server flood attacks use legitimate requests that cannot be distinguished from regular customer requests.
Before you configure an HTTP Flood profile, ensure that HTTP mitigation is enabled and the global parameters are configured.
To configure an HTTP Flood Mitigation profile with advanced parameters
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Profiles Configuration.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
DDoS Protector Web Based Management User Guide | 83
Parameter Description

Profile Name
The name of the profile.

Sensitivity
When User-Defined Attack Triggers are not used, this parameter specifies how sensitive the profile is to deviations from the baseline. High specifies that the profile identifies an attack when the device detects only a small deviation from the baselines.
Values: minor, low, medium, high
Default: medium

Action
The action that the profile takes when the profile detects suspicious traffic.
Values:
Block and Report—Blocks and reports on the suspicious traffic.
Report Only—Reports the suspicious traffic.
Default: Block and Report

User Defined Attack Triggers
Specifies whether the profile uses static, user-defined thresholds to identify when an attack is in progress, or checks the server traffic and compares the traffic behavior to the baseline to identify when an attack is in progress.
Values: inactive, active
Default: inactive

Get and POST Request-Rate Trigger
The maximum number of GET and POST requests allowed, per server per second.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 0

Other Request-type Request-Rate Trigger
The maximum number of requests that are not GET or POST (for example, HEAD, PUT, and so on) allowed, per server per second.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 0
Caution: If Outbound HTTP BW Trigger is enabled and Other Request-type Request-Rate Trigger is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen if both Outbound HTTP BW Trigger and Other Request-type Request-Rate Trigger are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP BW Trigger mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.
Outbound HTTP BW Trigger
The maximum allowed bandwidth, in kilobits per second, of HTTP responses.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 0

Request-per-Source Trigger
The maximum number of requests allowed per source IP per second.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 5

Request-per-Connection Trigger
The maximum number of requests allowed from the same connection.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 5

Request-Rate Threshold
The number of HTTP requests per second from a source that causes the profile to consider the source to be suspicious.
Values: 1 – 65,535
Default: 5

Request-per-Connection Threshold
The number of HTTP requests for a connection that causes the profile to consider the source to be suspicious.
Values: 1 – 65,535
Default: 5

Packet Trace
Specifies whether the profile sends attack packets to the specified physical port.
Values: enable, disable
Default: disable
Note: A change to this parameter takes effect only after you update policies.

Source Challenge Status
Specifies whether the profile challenges HTTP sources that match the real-time signature.
Values: enable, disable
Default: enable
Collective Challenge Status
Specifies whether the profile challenges all HTTP traffic toward the protected server.
Values: enable, disable
Default: enable

Source Blocking Status
Specifies whether the profile blocks all traffic from the suspect sources.
Values: enable, disable
Default: enable

Challenge Mode
Specifies how the profile challenges suspect HTTP sources.
Values:
HTTP Redirect—The device authenticates HTTP traffic using a 302-Redirect response code.
JavaScript—The device authenticates HTTP traffic using a JavaScript object generated by the device.
Default: HTTP Redirect
Notes:
Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect Challenge Mode is not effective against attacks that use those tools. The JavaScript Challenge Mode requires an engine on the client side that supports JavaScript, and therefore the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
Limitations when using the JavaScript Challenge Mode:
If the browser does not support JavaScript calls, the browser will not answer the challenge.
When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure. Example: The request below (the js.src assignment) accesses a secure server:
<script>
setTimeout(function(){
    var js = document.createElement("script");
    js.src = "http://mysite.site.com.domain/service/appMy.jsp?dl id=12345";
    document.getElementsByTagName("head")[0].appendChild(js);
}, 1000);
</script>
The returned challenge page contains the <script> tag again, which is illegal, and therefore it is dropped by the browser without making the redirect.
Other Requests Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the rate of requests that are not GET or POST requests exceeds the learned baseline.
Values: enable, disable
Default: enable
Caution: If Outbound BW Decision Engine is enabled and Other Requests Decision Engine is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen if both Outbound BW Decision Engine and Other Requests Decision Engine are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP Bandwidth mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.

Requests per source Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the rate of requests per source exceeds the learned baseline.
Values: enable, disable
Default: enable

Get and POST global requests Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the rate of GET and POST requests exceeds the learned baseline.
Values: enable, disable
Default: enable

Outbound BW Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the outbound HTTP bandwidth exceeds the learned baseline.
Values: enable, disable
Default: enable

Requests per connection Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the rate of requests per connection exceeds the learned baseline.
Values: enable, disable
Default: enable
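The following is an added illustration, not code from the DDoS Protector product: a small model of how the user-defined attack triggers in the table above evaluate one second of request records, including the rule that a trigger value of 0 means the threshold is ignored. The request records, server names, IP addresses and the two profile dictionaries are constructed for the example; the caution about the Other Request-type trigger is what profile A (trigger left at 0) versus profile B (trigger set) demonstrates.

```python
from collections import Counter

GET_POST = {"GET", "POST"}

def evaluate_triggers(records, triggers, window_seconds=1):
    """Apply a profile's user-defined triggers to one window of requests.

    records:  iterable of (src_ip, conn_id, server, method) seen in the window.
    triggers: dict with get_post_rate, other_rate, per_source_rate (requests
              per second) and per_connection (requests on one connection).
              A value of 0 means the profile ignores that trigger.
    Returns {trigger_name: {key: observed_value}} for the triggers that fired."""
    get_post, other, per_source, per_conn = Counter(), Counter(), Counter(), Counter()
    for src, conn, server, method in records:
        if method.upper() in GET_POST:
            get_post[server] += 1
        else:                      # HEAD, PUT, OPTIONS, ... count as "other"
            other[server] += 1
        per_source[src] += 1
        per_conn[conn] += 1

    fired = {}
    def check(name, counts, limit, divisor):
        if limit == 0:             # 0: the profile ignores this threshold
            return
        for key, n in counts.items():
            observed = n / divisor
            if observed > limit:
                fired.setdefault(name, {})[key] = observed
    check("get_post_rate", get_post, triggers["get_post_rate"], window_seconds)
    check("other_rate", other, triggers["other_rate"], window_seconds)
    check("per_source_rate", per_source, triggers["per_source_rate"], window_seconds)
    check("per_connection", per_conn, triggers["per_connection"], 1)  # plain count
    return fired

# Constructed sample window: one source sends 12 HEAD requests over a single
# connection to server srv-a, while two ordinary clients each send one GET.
SAMPLE = [("198.51.100.7", "c1", "srv-a", "HEAD")] * 12 + [
    ("203.0.113.10", "c2", "srv-a", "GET"),
    ("203.0.113.11", "c3", "srv-a", "GET"),
]
# Profile A: Other Request-type Request-Rate Trigger left at its default of 0.
PROFILE_A = {"get_post_rate": 100, "other_rate": 0,
             "per_source_rate": 5, "per_connection": 5}
# Profile B: identical, but the Other Request-type trigger is set to 10 req/s.
PROFILE_B = dict(PROFILE_A, other_rate=10)

if __name__ == "__main__":
    print("profile A:", evaluate_triggers(SAMPLE, PROFILE_A))
    print("profile B:", evaluate_triggers(SAMPLE, PROFILE_B))
```

With profile A the HEAD flood is caught only by the per-source and per-connection triggers; with profile B the server-level Other Request-type trigger fires as well.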