Emergency DDoS protection in Application Load Balancer, L7

1. In the management console, select the folder the protected resources are in.
2. In the list of services, select Smart Web Security.
3. In the left-hand panel, select Security profiles.
4. Click Create profile and select From a preset template.
5. Enter a name for the profile, e.g., anti-ddos.
6. In the Action for the default base rule field, select Deny.
7. In the SmartCaptcha list, leave the Default value.
8. Click Create.

1. At the top right of the page with security profile properties, click Connect to host.

2. Select the following in the given order:

   • Load balancer.

   • HTTP router.

   • Virtual host. You can associate the security profile with multiple virtual hosts at once.

     To connect another L7 load balancer, click Add load balancer.

3. Click Connect.

   In the Connected hosts tab, you will see the connected virtual hosts.

1. From the list of services, select Smart Web Security.
2. Navigate to Monitoring.
3. Examine the data displayed on the charts:
   • Denied by Security Profile RPS: Number of incoming requests per second the security profile has checked and blocked.
   • Redirected to SmartCaptcha RPS: Number of incoming requests per second routed to SmartCaptcha for additional verification.
   • Denied by ARL Profile RPS: Number of incoming requests per second exceeding the ARL profile limit and blocked.

1. Make sure you have configured logging for the L7 load balancer.

2. From the list of services, select Application Load Balancer.

3. Select the load balancer with an associated security profile.

4. Navigate to Logs.

5. Select the number of messages per page and the period, e.g., 1 hour.

6. In the Query field, specify you query using the filter expression language and click Run.

   Request examples:

   • Show requests which triggered a Smart Protection rule with a CAPTCHA challenge:

     json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.matched_rule.verdict = CAPTCHA
     

   • Show requests blocked by the ARL profile rules:

     json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY
     

1. From the list of services, select Smart Web Security.

2. In the left-hand panel, select ARL profiles.

3. Click Create ARL profile.

4. Enter a name for the profile, e.g., anti-ddos-arl.

5. Click Add rule and specify:

   • Name: arl-rps.
   • Priority: 1000.
   • Traffic: All traffic.
   • Request grouping: Without grouping.
   • Request limit: Specify the average number of requests for your service with a small margin. All requests above the limit will be blocked.

6. Click Save rule.

7. Click Create.

8. In the left-hand panel, select Security profiles.

9. Click next to the anti-ddos profile and select Edit.

10. From the list of ARL profiles, select anti-ddos-arl.

11. Click Save.

1. From the list of services, select Smart Web Security.
2. In the left-hand panel, select Security profiles.
3. Select the anti-ddos security profile.
4. Click Add rule.
5. Enter the Name, e.g., block-by-list.
6. Specify the rule settings:
   • Priority: Higher than that of sp-rule-1, e.g., 1000.
   • Type: Base.
   • Action: Deny or Show CAPTCHA.
   • Traffic: On condition.
   • Conditions: IP.
   • Conditions for IP: IP belongs to the list.
   • Select the address lists. Requests from these addresses will be blocked.
     • is_ddoser: List of IP addresses used in DDoS attacks.
     • Click + or and select is_tor: IP addresses of the Tor network used for traffic anonymization.
     • Click + or and select is_anonimous: IP addresses of anonymous networks frequently used to hide one’s identity.
7. Click Add.

Block all requests from the region the attack is coming from. If your service does not operate in certain regions, you can block traffic from those regions in advance. DDoS attacks often come from IP addresses of non-target countries.

1. Select the anti-ddos security profile.

2. Click Add rule.

3. Enter the Name, e.g., block-by-geo.

4. Specify the rule settings:

   • Priority: Higher than that of sp-rule-1 but lower than that of block-by-list, e.g., 2000.

   • Type: Base.

   • Action: Deny or Show CAPTCHA.

   • Traffic: On condition.

   • Conditions: IP.

   • Conditions for IP: IP belongs to the region.

   • Select the region the attack is coming from, e.g., CN, US, or IN.

     To add another region, click + or.

   Tip

   If your service operates only in certain regions, select the IP does not belong to the region condition. In the list, specify the target region, e.g., RU. Traffic from other regions will be blocked.

   You can check the region of an IP address at ipinfo.io or with an ASN provider.

5. Click Add.