Rate Control allows configuration of the maximum number of connections allowed from any specific IP address. When the Rate Control threshold is reached, the Barracuda Web Application Firewall queues further requests up to a configured threshold, then blocks further connections.
The Rate Control policy is a shareable policy for controlling the rate of request to a Web application.
A Rate Control Pool specifies the maximum number of Active Requests and Maximum Client Backlogs allowed when Active requests exceed the threshold. A set of Preferred Client IP addresses or IP address ranges can be configured with associated weights. The Barracuda Web Application
Firewall uses the weights to perform a weighted round robin scheduling between queues when forwarding requests to the application server from the rate control pool. Weights range from 1-100, 1 is the lowest priority and 100 is the highest priority.
Rate Control
A default rate control pool is provided by Barracuda Energize Updates which allows the easy set up of Rate control. To set up a customized Rate Control Pool, use ADVANCED > Libraries. WEBSITES
> Advanced Security allows rate control to be enabled by editing the default URL Policy, enabling the protection, and setting the rate control pool to the default. For more information on rate control, refer to Preventing Rate Based Attacks using Rate Control Pool on page 89. Detailed configuration instructions are available through online help for setting up Rate Control Pool and enabling rate control for the URL Policy.
Before you set up a Rate Control Pool Answer the following questions:
1. What are the maximum simultaneous requests that can be served by the resource being protected? This determines the Maximum Active Requests setting.
2. What, if any, are the bonafide gateways and mega-proxies that will be accessing the protected resources? These are Preferred Clients. If they proxy client requests, assign a suitable weight to the proxy IP address and if they relay a set of client IP addresses, then assign a weight to the range of IP addresses.
3. What is the maximum queue to allow for IP addresses not defined in Step 2? This defines the Maximum per client backlog setting.
Benefits of a Rate Control Pool
A Rate Control Pool helps defend against rate control attacks by:
• Throttling attackers attempting to flood the application with DoS attacks. The requests get queued for weighted round robin scheduling, slowing down the request rate seen by the server.
• Protecting “Load Sensitive” applications, such as search or DBMS intensive applications, from application DoS attacks.
• Allowing bonafide gateways and mega-proxies access while preventing attacks.
Scheduling algorithm for Rate Control Pool
The scheduling algorithm between queues is weighted round robin. Implicitly, the weight of each unconfigured client queue is 1. For example, a Preferred client is defined with weight 5 and at a given time the Barracuda Web Application Firewall has queues for 2 Unconfigured clients with a few requests in each. The Barracuda Web Application Firewall will serve 1 request from each unconfigured client queue followed by 5 requests from the Preferred client queue.
The rate control policies can be specified per service or per URL policy. Rate Control Pools are defined on the ADVANCED > Libraries page. These rate control pools are globally shareable among services or among URL policies or both. Once defined, they can be bound to multiple services on the BASIC > Services page, when you Edit a service. Also they can be bound to multiple URL policies on the WEBSITES > Advanced Security page, when you Edit a URL policy.
Creating Rate Control Pool
1. From the ADVANCED > Libraries Rate Control Pool use Add Rate Control Pool to set up a new rate control pool.
• Rate Control Pool Name - Enter a name for the new rate control pool.
Advanced Tuning 97
• Maximum Active Requests - Enter the maximum number of Active Requests processed at a given time by the Barracuda Web Application Firewall. An active request is a request which has not fully completed.
• Maximum per client backlog - Enter the number of requests per client IP address that will be queued when the Barracuda Web Application Firewall has reached the Maximum Active Requests limit. For example, if Maximum Per Client Backlog is set to 32 and the Barracuda Web Application Firewall is processing the default 100 Maximum Active Requests, then for any given client IP, the Barracuda Web Application Firewall will queue up to 32 requests. Any requests after that will be dropped until a request is deleted from the queue.
• Maximum Unconfigured Clients - Enter the maximum number of Unconfigured Clients. All clients which are not Preferred Clients are Unconfigured Clients. For each unique client IP, the Barracuda Web Application Firewall will maintain an individual backlog queue. For example, if Maximum Unconfigured Clients is set to 100 and Maximum Per Client Backlog is set to 32, the Barracuda Web Application Firewall will maintain 100 queues each with 32 pending requests, a total of 3200 pending requests.
2. Click Add to add the above configuration.
Use Add Preferred Clients to add a range of IP addresses to that pool which will be treated in a preferential manner. If the preferred client queue represents a range of IP addresses, the queue for preferred clients will contain the requests from all the clients falling within that range.
Creating Preferred Clients
3. Click Add Preferred Clients, under Options. The Add Preferred Client window appears.
4. Specify values for the following fields:
• Name - Enter the name for the client weight.
• Status - Sets the status of the preference. Enabling this makes the client IP address range a preferred list of IP addresses.
• Preferred Client IP Range - Enter the IP address or the range of IP addresses (For example: 10.0.0.1 – 10.0.0.10) which will be treated in a preferential manner. Preferred Client is an IP address or a range of IP addresses with an associated weight. Each Preferred client also gets a separate queue with number of entries equal to that defined in Maximum Per Client Backlog, times the weight. For example, if Maximum Per Client Backlog is set to 32 and preferred client Weight is set to 5, then the queue size will be 32 x 5.
• Weight - Enter the weight for the range of IP addresses. These IP addresses are evaluated in the order of their weights; the higher the weight the higher the precedence (1 is the lowest priority and 100 the highest priority).
5. Click Add to add the above configurations.
6. Click Edit against any Rate Control Pool to modify the configuration.
7. Click Delete to delete the created Rate Control Pool from the list.
Traffic Management 99
Chapter 10 Traffic Management
This chapter describes major traffic management features: Load Balancing, Content Rule, Caching, and Compression. The following topics are covered:
Load Balancing... 100 Content Rule ... 102 Configuring Caching ... 104 Configuring Compression ... 105
Traffic Management
The Barracuda Web Application Firewall provides traffic management features including load balancing, caching, and compression of Web site traffic to improve the performance of Web sites. It can load balance all TCP traffic in proxy deployments, and using Content Rules can implement Load Balancing, Caching, and Compression of HTTP application layer data for any deployment.
When the Barracuda Web Application Firewall is in proxy mode, all incoming TCP traffic can be distributed to balance the processing load across multiple back-end servers. Persistence is maintained for requests from the same client, and server health is monitored, so requests are served as efficiently as possible.
In addition, for HTTP data, content rules can be used to route requests to servers optimized to handle specific content types. This layer 7 load balancing is available only for HTTP data, and can be used with any deployment configuration of the Barracuda Web Application Firewall. Content rules also provide caching or compression options for matching HTTP data , which can decrease data processing demands on the Web site.
Load Balancing
A load balancer is a networking device that distributes traffic across multiple back-end servers in order to improve Web site response times. The Barracuda Web Application Firewall can act as a stand-alone load balancer or work in conjunction with other load balancers. Situated in front of back-end servers, it distributes incoming traffic across the servers using the configured algorithm. The Barracuda Web Application Firewall supports load balancing of all types of applications.
Load balancing ensures that subsequent requests from the same IP address will be routed to the same back-end server as the initial request. This guarantee of persistence requires an awareness of server health so subsequent requests are not routed to a server which is no longer responding. The Barracuda Web Application Firewall can monitor server health by tracking server responses to actual requests and marking the server as out-of-service when errors exceed a user configured threshold. In addition, the Barracuda Web Application Firewall can perform out-of-band health checks, requests created and sent to a server at configured time intervals to verify its health.
The Barracuda Web Application Firewall includes the following load-balancing features:
• Distributes traffic requests among back-end servers according to a user-configured algorithm.
• Automatically identifies server status to ensure appropriate traffic routing.
• Adds and removes servers without interrupting network traffic.
• Provides persistence support allowing a user to maintain connection integrity between client and Web service.
• Provides for configuration of a backup server, used only when all other servers being load balanced are out-of-service.
Load balancing can be configured at two levels:
• General (all TCP Traffic--layer 4)
• Content Rule (HTTP traffic only--layer 7)
The general policy is configured for a service and applies to all TCP requests to the service, while the content rule policy applies to HTTP requests matching the configured content rule only. The general and content rule configuration procedures are identical. There are three steps to configure load balancing on a Barracuda Web Application Firewall:
Traffic Management 101
• Configure a persistence method to maintain the integrity of stored state information.
• Configure a failover method to handle requests for a server which is down.
General load balancing, routing requests to back-end servers based on a user configured algorithm, is configured for a service. From BASIC > Services, choose Edit under Options for the service. Choose the Algorithm, Persistence Method, and Failover Method. The algorithm determines where the first request from a source IP address is routed. Future requests from the same client will be routed to the same server according to the configured Persistence method. Failover Method only applies when the persisted server is “out-of-service”. For detailed instructions to configure load balancing, see online help.