
Setting Layer 7 DDoS Thresholds for the Best User Experience

By Paul Garthside posted 06-30-2023 10:42


When onboarding an application onto Imperva Cloud WAF, setting the correct DDoS threshold value can be key to a good user experience.

The DDoS value defaults to 1000 requests per second (rps). As a default, however, that value is quite arbitrary: for a busy site it may be too low, and for a quiet site an attack may just slip under the radar.

From this you may ask two important questions:

How do I set the correct value?

What is the impact of an incorrect value?

How do I set the correct value?

The value for a DDoS threshold should be greater than the average traffic usage. Opinions vary as to how much greater: some suggest between 125% and 150% of average traffic, others significantly more. This ensures that during normal usage users are not affected by challenges, hidden or otherwise, and their browsing and usage experience is unimpeded. We may also assume that the website origin infrastructure is not designed to run at capacity all the time, so it can accommodate an increase in traffic without significantly affecting users.

During the onboarding process we may have to estimate where the value should sit. Over time, however, we can see the average rps in the MY dashboard and adjust the value accordingly using some simple maths.


Enterprise service reports also include a recommended value for the DDoS setting; this may also be used as a guide.
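The "simple maths" above, worked through as an added example (this is not Imperva's own tooling): it takes a constructed minute of per-second request counts, as you might read them off the dashboard or origin logs, applies the 125% to 150% of average rule of thumb, and then checks how often a candidate threshold, including the 1000 rps default, would have been crossed by normal traffic.

```python
import math

# Constructed sample of per-second request counts over one minute, standing
# in for figures read off the dashboard during a normal business-hours period:
# fifty seconds at 800 rps plus a short, legitimate burst of 1100 rps.
SAMPLE_RPS = [800] * 50 + [1100] * 10

DEFAULT_THRESHOLD = 1000  # the default Layer 7 DDoS value (rps)


def average_rps(samples):
    """Mean requests per second across the sample."""
    return sum(samples) / len(samples)


def recommend_band(samples, low_factor=1.25, high_factor=1.50):
    """Return (low, high) threshold suggestions in rps.

    Applies the 125%-150%-of-average rule of thumb; values are rounded up so
    the threshold always sits strictly above the average.
    """
    avg = average_rps(samples)
    return math.ceil(avg * low_factor), math.ceil(avg * high_factor)


def seconds_over(samples, threshold):
    """Count the seconds of normal traffic that exceed the threshold.

    Each one is a moment when unknown clients would start being challenged,
    so this is the check to run before committing to a value.
    """
    return sum(1 for rps in samples if rps > threshold)


def assess(samples, threshold):
    """Classify a candidate threshold against the recommended band."""
    low, high = recommend_band(samples)
    if threshold < low:
        return "below band"   # legitimate traffic is likely to trigger challenges
    if threshold > high:
        return "above band"   # a modest attack may stay under the radar
    return "within band"


if __name__ == "__main__":
    low, high = recommend_band(SAMPLE_RPS)
    print(f"average {average_rps(SAMPLE_RPS):.0f} rps; suggested {low}-{high} rps")
    for t in (DEFAULT_THRESHOLD, low, high):
        print(f"threshold {t}: {assess(SAMPLE_RPS, t)}, crossed in "
              f"{seconds_over(SAMPLE_RPS, t)} of {len(SAMPLE_RPS)} seconds")
```

Note that the low end of the band is still crossed by the legitimate burst in this sample, which is why the crossing count matters as much as the average when choosing where in the band to sit.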


The Layer 7 thresholds can be set on a per-website basis under the website settings. They can also be turned on or off manually if you believe the site is under attack or is experiencing high volumes of legitimate traffic.

The impact of setting an incorrect value

The various challenge options that apply when DDoS mitigation comes into play are beyond the scope of this piece, but they are documented here:

https://docs.imperva.com/bundle/cloud-application-security/page/settings/ddos-settings.htm

Not setting the value carefully may result in a successful DDoS attack if the value is too high, or in an impaired user experience if it is set too low. Once the threshold is reached, traffic from unknown clients will be challenged. How that challenge plays out may depend on the client's browser or device capability and its speed of response; ultimately, if a CAPTCHA is issued, the user will need to go through additional steps to prove they are legitimate, potentially reducing the overall user experience.

In conclusion, both setting and monitoring the DDoS threshold for customers' applications is important to maintain a good application user experience. It also offers a great opportunity to reach out to a customer, have a conversation and make a very simple tweak. Additionally, Imperva are working on further automating the settings to actively manage the DDoS threshold; if you or your customers are interested in being part of the Beta program for this, please reach out to your Partner account manager or SE.
