Imperva Cyber Community

Expand all | Collapse all

Setiing policites to mitigate DDoS without use Thread Radar

  • 1.  Setiing policites to mitigate DDoS without use Thread Radar

    Posted 01-07-2020 07:24
    Hi All,

    Anyone can share the best practice to mitigate DDoS layer 7 without use Thread Radar.
    My GW was used to crash when attacker sent request like this:

    POSThttps://site.com/vi?910   HTTP/1.1
    • Host: site.com:443
    • User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
    • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    • Accept-Language: en-US,en;q=0.5
    • Accept-Encoding: gzip, deflate
    • Content-Type: application/x-www-form-urlencoded
    • Content-Length: 0
    • Connection: Keep-Alive

    POSThttps://site.com/vi?119   HTTP/1.1
    • Host: site.com:443
    • User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
    • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    • Accept-Language: en-US,en;q=0.5
    • Accept-Encoding: gzip, deflate
    • Content-Type: application/x-www-form-urlencoded
    • Content-Length: 0
    • Connection: Keep-Alive
    POSThttps://site.com/vi?<random numbers>   HTTP/1.1
    • Host: site.com:443
    • User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
    • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    • Accept-Language: en-US,en;q=0.5
    • Accept-Encoding: gzip, deflate
    • Content-Type: application/x-www-form-urlencoded
    • Content-Length: 0
    • Connection: Keep-Alive
    ...v.v....

    Thanks,
    Dat Nguyen,
    #DDoSProtectionforWebsites


  • 2.  RE: Setiing policites to mitigate DDoS without use Thread Radar

    Imperva Employee
    Posted 01-07-2020 10:57
    Hi Dat,

    If Thread Radar is not enabled, it is possible to configure a custom policy based on the Post requests received using the "Number of Occurrences" match criteria.
    "Number of Occurrences" can be set based on the context of a single session/server group/source IP/ user.

    Adding the below screenshot for reference: 

    It is possible to add other match criteria to match the needs of the environment.

    You can also refer to our Documentation Portal for more information about Web Service Custom Policies:
    https://docs.imperva.com/bundle/v13.5-web-application-firewall-user-guide/page/1185.htm

    ------------------------------
    Eliran Binyamini
    ------------------------------



  • 3.  RE: Setiing policites to mitigate DDoS without use Thread Radar

    Posted 01-07-2020 22:02
    Hi Eliran,

    Thanks for your answer.
    I detected this attack in lots of Alert Unauthorized Content Type for site.com/vi  and this requests were illegal.

    POSThttps://site.com/vi?910   HTTP/1.1
    • Host: site.com:443
    • User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
    • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    • Accept-Language: en-US,en;q=0.5
    • Accept-Encoding: gzip, deflate
    • Content-Type: application/x-www-form-urlencoded
    • Content-Length: 0
    • Connection: Keep-Alive
    So I could guess this attack was DDoS. 
    But I assume, If attacker attacked with legal requests, not violate policies and I can't see alert.
    So how can I monitor that traffics?

    Thanks,
    Dat Nguyen

    ------------------------------
    dat thanh
    FPT
    Hai phong
    ------------------------------



  • 4.  RE: Setiing policites to mitigate DDoS without use Thread Radar

    This message was posted by a user wishing to remain anonymous
    Posted 01-09-2020 04:23
    Edited by dat thanh 01-09-2020 13:56
    This post was removed