How to fine tune and adjust mitigation response

Introduction

This article will cover the steps involved in improving or making adjustments to the mitigation profile and rules. This article is aimed at existing X4B customers who need a reduction in forwarded traffic, or who are dealing with complex attacks. Normally these steps are not necessary.

Type of attack

The first step is to identify the OSI Layer the attack is occurring at.

Layer 3-5

Commonly called layer 4 internally for simplicity this this layer refers to TCP and UDP traffic received. Common attacks at this layer include TCP SYN floods and UDP amplification.

Layer 7

This layer is the application layer (i.e HTTP/HTTPS or other supported protocols). Common attacks at this level for HTTP(s) include various simple HTTP reflection attacks (i.e XMLRPC) or complex floods (e.g Botnet flood). Other Layer 7 protocols exist with similar attack surfaces. However attacks on other Layer 7 protocols are rare for properly developed server and clients. In most cases Layer 7 mitigation support is unnecessary.

Supported Protocols: - HTTP - HTTPS / TLS - FTP - SA:MP (only on UDP port 7777) - Teamspeak 3 (Coming Soon) - Source Games: HL2, Left for Dead, Counter Strike (Coming Soon)

Unfortunately it's impossible for us to support every known protocol, however we aim to support common protocols with known attack vectors. Most modern game and application servers are developed with security against DDoS attacks these days, or at-least with a reduced attack surface. Hence Layer 7 support is often not necessary (requiring just Layer 4).

Additional Mitigation

I need additional Layer 4 Mitigation

Coming Soon

I need additional Layer 7 (HTTP/HTTPS) Mitigation

The filtering page on a HTTP/HTTPs port contains many options for tuning the HTTP mitigation response.

ACLs

If you wish to reject traffic from a certain IP address, network or small list of IPs an ACL may be the right choice. ACLs can also operate in a whitelist mode if desired. Users who fail this test are shown a rejection page with no option to continue. This page can be customized in the "Error Pages" section.

Rate Limit & Connection Limit

Configurable limits can be placed on the number of requests per second, and the total number of connections that can be active from a single client (IP). Users who fail this test are shown a rejection page with only the option to refresh manually to continue. This page can be customized in the "Error Pages" section.

Please Note: Each active request on a HTTP2 (SSL) connection counts as a connection in the context of the connection Rate Limit. For this reason reasonable minimums are enforced for HTTP2 ports that are higher than the enforced minimums for HTTP (1.x) ports.

Common Search Engine spiders are exempted from these limits. Exemptions are processed based on strict verification of both the User Agent and the requesting IP address against authoritative sources.

Forcing Mitigation

Browser verification (using Javascript or CAPTCHA) can be forced using the Force mitigation functionality. Mitigation can be forced (always on) or forced if traffic rate exceeds a certain value (an automatic mode is provided for your convenience and enabled by default).

Browser verification can be completed automatically on all modern browsers including tablets and phones. The validation page shown here is the same page used for most Automatic Layer 7 mitigation actions.

When dealing with APIs and services that expect Robot requests we recommend placing your API service on a separate subdomain, port or domain and enabling "API Mode" paired with appropriate Custom Layer 7 rules to restrict traffic to the clients / agents you expect.

Layer 7 Rules

A diverse selection of Custom Layer 7 rules can be built using the language defined on the Layer 7 Rules page. The matched traffic and resulting action is entirely under your control with these rules.

Anycast vs Budget

Anycast services have substantially higher mitigation capacity for HTTP Layer 7 attacks. Particularly when it comes to attacks on HTTPS/TLS ports.

For maximum Layer 7 protection we always recommend the Standard or Premium tiers.

For more information see the Service Tiers documentation.

I need additional Layer 7 (Other) Mitigation

Firstly please ensure your port is created correctly. For example if you are running a Teamspeak 3 service, ensure that TS3 filtering is enabled at the port level.

If further mitigation is required it may be possible through carefully crafted Layer 4 rules. Please see that section.