Configure DDoS Detection

• Select the Shared Configuration service.
• Navigate to Security > AI & ML > App Types.

Figure: Navigate to App Type Configuration

• Select + Add App Type and enter the configuration in the app type object creation form using the following guidelines:

Figure: App Type Feature Configuration

• Enter Name for the app type. This is the value for the app type label to be assigned to the load balancers for which the DDoS detection needs to be enabled.

• Select + Add item in the Application Type Features section and select a type for the AI/ML Feature Type from the drop-down list using the following guidelines:

  • Select API Discovery for enabling analysis on interactions between the services.
  • Select DDoS Detection for enabling analysis on RELT metrics.
  • Select Per API Request Analysis for enabling detection per API request.
  • Select Malicious User Detection for enabling user behavior analysis.

Note: You can add all the features using the + Add item option.

• Optionally, select Enable learning from redirect traffic option for the Learn from Traffic with Redirect Response field in the Business Logic Markup Setting section.

• Select Save and Exit to complete creating the app type object.

• Select the Multi-Cloud App Connect service.
• Select the desired namespace from the Namespace drop-down menu.
• Navigate to Manage > Load Balancers > HTTP Load Balancers.
• Select ... > Manage Configuration > Edit Configuration for the load balancer for which the app type label needs to be assigned.

Figure: Navigate to load balancer Edit Configuration

• Select ves.io/app_type for the Labels field and type.

Figure: App Type Label Selection

• Type the name of the app type object created in the previous step, and select Assign a Custom Value to add the app type label.

Figure: App Type Label Addition

• Select Save and Exit button to apply the label to the load balancer.

• Select the Multi-Cloud App Connect service.
• Select the desired namespace from the Namespace drop-down menu.
• Navigate to Security > AI & ML > App Settings.
• Select Add App setting for the load balancer for which the app type label needs to be assigned.

Figure: Navigate to load balancer Edit Configuration

• Enter a name for the app setting.
• Go to Application Type Feature Configuration section and Select + Add Item to configure an AppType.
• In the AppType field, select the created app type object from the drop-down list.
• Select Configure under the DDoS Detection field. Select + Add item in the Metric Selectors section of the time series analysis setting page.
• Select an option for the Metrics Source drop-down menu from the list of options.

Note: You can add multiple Metrics in the drop-down menu.

• Select All Services for enabling metric analysis for all services.
• Select All Service Interactions for enabling analysis for all service interactions between source and destination services.
• Select All Virtual Hosts for enabling metric analysis for all virtual hosts.
• Select a RELT metric for the Metrics field from the list of options.
• Select Apply button to complete the Metric Selector.
• Select Apply to finish adding Metric Selectors.

Note: You can add multiple metric selectors by using the + Add Item button in the Metric Selectors list.

Figure: Time Series Configuration for App Settings

• Select Apply to complete the AppType Setting.

Select Save and Exit to complete adding the Application Type Feature.

Figure: App Settings Object Creation

Note: You can add multiple app settings using the Add item option.

• Select the Multi-Cloud App Connect service.
• Select the desired namespace from the Namespace drop-down menu.
• Navigate to Overview > Applications to see the applications dashboard.
• Select the Service Mesh tab
• Select on your application tile from the displayed list to load its service mesh monitoring.

Figure: Navigate to Service Mesh

Select Metrics tab to load the metrics view.

The metrics view presents trend information for your service metrics for a default or configured time period.

When the DDoS detection is enabled for metrics, a shadow is shown over the metrics bars. This is called a Confidence interval. The confidence interval indicates that the metric value crossing this interval is treated as an anomaly. Such instances are marked in red color bars. Hover over or click on any bar to display the metric and confidence interval values.

Figure: DDoS Detection Enabled Service Mesh Metrics

The service mesh loads service graph by default. Select Alerts tab to load the alerts view.

Active alerts are displayed by default. Select the All Alerts option to display all alerts for default interval of an hour. You can also change time interval using the Last 1 hour drop down. The value Timeseries-Anomaly for the Group field indicates that the alert is an anomaly. The DDoS alerts are generated for sustained anomalies.

Select > for any alert entry to load details in the JSON format.

Figure: Service Mesh DDoS Alerts

Note: See DDoS Alerts for information on time-series related alerts.

In the Multi-Cloud App Connect service, select Overview > Performance. Scroll down to the Load Balancers section and select your load balancer from the displayed list to load its performance monitoring view. The load balancer dashboard is loaded by default.

The load balancer dashboard is loaded by default. Select Metrics tab to load the metrics view.

The metrics view presents trend for your load balancer metrics for a default or configured time period.

When the DDoS detection is enabled for metrics, a shadow is shown over the metrics bars. This is called a Confidence interval. The confidence interval indicates that the metric value crossing this interval is treated as an anomaly. Such instances are marked in red color bars. Hover over or click on any bar to display the metric and confidence interval values.

Figure: Load Balancer Metrics with DDoS Detection Enabled

Select Alerts tab to load the alerts view.

Active alerts are displayed by default. Select the All Alerts option to display all alerts for default interval of an hour. You can also change time interval using the Last 1 hour drop down. The value Timeseries-Anomaly for the Group field indicates that the alert is an anomaly. Select > for any alert entry to load details in the JSON format.

Figure: load balancer DDoS Alerts

Note: See DDoS Alerts for information on time-series related alerts.

L7 DDoS mitigation can be tuned by configuring a Service Policy to specify ASNs, source IP addresses or Geolocations, IP Reputation categories, TLS Fingerprints, or other HTTP request criteria which can be allowed. The configured Service Policy is only applied during attack detection and is automatically removed after the attack has ended.

Apply a Custom Service Policy for automatic L7 DDoS mitigation.

In DoS settings, under the Protection Settings define the Custom Service Policy. Select Custom to define the Custom Service Policy.

Figure: Select Custom Option

Figure: Define Custom Policy Name

To Configure DoS Protection follow below steps:

• From the L7 DDoS Auto Mitigation menu, select an option:

  • Default: This option blocks traffic from suspicious sources. No JavaScript challenge is returned.

  • Block: This option blocks traffic from suspicious sources. No JavaScript challenge is returned.

  • JavaScript Challenge: This option serves a JavaScript challenge to all traffic from suspicious sources. Click View Configuration to change the default settings and message for the JavaScript challenge.

• Under DDoS Mitigation Rules, select Configure to open the rules list page. Use Add Item to add a rule:

  • In the DDoS Mitigation Rule page, set a name for the rule.

  • Select a choice for the Mitigation Choice menu. The mitigation choice can be either a list of IP addresses or combination of ASN, Region, and TLS Fingerprinting.

  • Click Apply to add the rule to the list of rules.

  • Click Apply to add the rules list to the DDoS protection configuration.

• From the Slow DDoS Mitigation menu, select an option:

  • For the Custom option, enter Request Headers Timeout and Total Request Timeout values.

Note: See the Explore Security Monitoring section in the Monitor HTTP Load balancer guide to learn more about observing and reacting to an active DDoS attack.