Hi Dat,
If Thread Radar is not enabled, it is possible to configure a custom policy based on the POST requests received using the "Number of Occurrences" match criteria.
"Number of Occurrences" can be set based on the context of a single session/server group/source IP/user.
Adding the below screenshot for reference:
It is possible to add other match criteria to match the needs of the environment.
You can also refer to our Documentation Portal for more information about Web Service Custom Policies:
https://docs.imperva.com/bundle/v13.5-web-application-firewall-user-guide/page/1185.htm
------------------------------
Eliran Binyamini
------------------------------
Original Message:
Sent: 01-06-2020 23:18
From: dat thanh
Subject: Setting policies to mitigate DDoS without using Thread Radar
Hi All,
Can anyone share the best practice to mitigate layer 7 DDoS without using Thread Radar?
My GW used to crash when an attacker sent requests like this:
POST https://site.com/vi?910 HTTP/1.1
- Host: site.com:443
- User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 0
- Connection: Keep-Alive
POST https://site.com/vi?119 HTTP/1.1
- Host: site.com:443
- User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 0
- Connection: Keep-Alive
POST https://site.com/vi?<random numbers> HTTP/1.1
- Host: site.com:443
- User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 0
- Connection: Keep-Alive
... etc.
Thanks,
Dat Nguyen,
#DDoSProtectionforWebsites
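The reply above suggests a custom policy built on the "Number of Occurrences" match criterion, counted per session or source IP, to catch the flood of empty POSTs to /vi that Dat describes. The following is an added illustration of that counting logic, not Imperva code and not the WAF's real policy engine: it parses a constructed access-log format (timestamp, source IP, session id, request line), applies a match criterion modelled on the thread's requests (POST to /vi with any query string), and keeps a sliding-window count per context. The addresses, session ids and log lines are all constructed for the example.

```python
"""Sliding-window "number of occurrences" counter, modelled on the WAF match
criterion discussed in the thread (count of matching requests per source IP,
session or other context). This is an added illustration, not Imperva code;
the access-log format and all addresses below are constructed for the example."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Request:
    ts: float       # seconds since epoch
    src_ip: str
    session: str
    method: str
    target: str     # request target as sent, e.g. "/vi?910"


# Constructed log format: <ts> <src_ip> <session> "<METHOD> <target> HTTP/x.y"
LOG_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<sess>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"$'
)


def parse_line(line: str) -> Optional[Request]:
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(float(m["ts"]), m["ip"], m["sess"], m["method"], m["target"])


def matches_post_to_vi(r: Request) -> bool:
    """Match criterion modelled on the thread: POST to /vi, any query string."""
    return r.method == "POST" and r.target.split("?", 1)[0] == "/vi"


class OccurrenceCounter:
    """Counts matching requests per context inside a sliding time window."""

    def __init__(self, window_s: float, threshold: int, context: str = "src_ip"):
        self.window_s = window_s
        self.threshold = threshold
        self.context = context          # Request attribute used as key: "src_ip" or "session"
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def key(self, r: Request) -> str:
        return getattr(r, self.context)

    def observe(self, r: Request) -> bool:
        """Record one matching request; True once its context reaches the threshold in the window."""
        q = self._events[self.key(r)]
        q.append(r.ts)
        while q and r.ts - q[0] > self.window_s:   # drop events that fell out of the window
            q.popleft()
        return len(q) >= self.threshold


def detect_floods(requests: Iterable[Request], window_s: float, threshold: int,
                  context: str = "src_ip") -> Dict[str, float]:
    """Return {context_key: timestamp of first threshold crossing} over matching requests."""
    counter = OccurrenceCounter(window_s, threshold, context)
    flagged: Dict[str, float] = {}
    for r in sorted(requests, key=lambda x: x.ts):
        if not matches_post_to_vi(r):
            continue
        k = counter.key(r)
        if counter.observe(r) and k not in flagged:
            flagged[k] = r.ts
    return flagged


# Constructed sample: one source sends 12 POSTs to /vi with changing query strings
# within 4.4 s; another sends a handful of ordinary requests in the same period.
SAMPLE_LOG: List[str] = [
    f'{1000 + 0.4 * i:.1f} 203.0.113.5 sess-a "POST /vi?{910 + 37 * i} HTTP/1.1"'
    for i in range(12)
] + [
    '1001.0 198.51.100.7 sess-b "POST /vi?119 HTTP/1.1"',
    '1002.5 198.51.100.7 sess-b "GET /index.html HTTP/1.1"',
    '1004.0 198.51.100.7 sess-b "POST /vi?3 HTTP/1.1"',
]


def run_example(context: str = "src_ip") -> Dict[str, float]:
    """Apply a 10-occurrences-in-10-seconds policy to the sample log."""
    reqs = [r for r in map(parse_line, SAMPLE_LOG) if r is not None]
    return detect_floods(reqs, window_s=10.0, threshold=10, context=context)


if __name__ == "__main__":
    for ctx in ("src_ip", "session"):
        print(ctx, run_example(ctx))
```

The `context` argument stands in for the policy's "single session / source IP" choice from the reply: keying on the source IP catches one host cycling query strings, while keying on the session is the better fit when many hosts share one NAT address. The window and threshold are the two numbers a real policy needs tuned against the site's normal POST rate, since a threshold below legitimate peak traffic blocks real users just as surely as an attack.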