Forum Discussion

Nick_Matthews
Dec 13, 2024

DDoS protection with APM module

Hi,

I’m hoping someone can help point me in the right direction regarding an issue we’re facing.

Our main website has been experiencing increasingly frequent DDoS attacks, which currently require manual intervention to mitigate.

Typically, our site handles around 2,000 concurrent connections, but during an attack, this spikes to over 140,000 connections. As a result, our backend servers are overwhelmed and subsequently fail.

We’ve found that enabling an APM click-through page effectively prevents these attacks from reaching the backend servers. However, we currently have to enable this manually via the Virtual Server (VS) settings.

My question is:
Is it possible to write an iRule that automatically enables the APM page if the concurrent connections to the VS exceed 3,000, and then disables it once the connections drop below 3,000?

For reference, I’ve attached the basic APM policy we currently use.

Thank you in advance for any guidance you can provide!

  • Hi Nick_Matthews

    I recommend using the Connection Limit feature on the VS together with an Eviction Policy in the context of the virtual server.

    The PoA:
    1- Create a custom Eviction policy (System > Configuration > Local Traffic > Eviction Policy List > Create new).
    Use this article to guide you on the bias algorithms: https://my.f5.com/manage/s/article/K15821

    and this as well: https://my.f5.com/manage/s/article/K15822#vs

    Use, for example, a Low water mark > 90% and a High water mark > 100%

    2- Go to the targeted virtual server, set the connection limit to 3000 and assign the created custom eviction policy.

    Now, what is the effect of this change? I'll let you know below:

    Here are some clarifications I added regarding your scenario:

    Also, I want to add this article for a sample of the log you encounter when aggressive sweeper mode is reached on the eviction policy:
    https://my.f5.com/manage/s/article/K13302777

    Feel free to set your own values;
    you can use Low water > 90% and High water 95%, for example.
    I just wanted to explain the idea of the eviction policy in the virtual server context.

    So I see it's more efficient than iRules, as they consume a lot of processing and it will take much more to configure a rate limiter in iRules.
    So go through this and let me know 😉

    Thanks

    • Nick_Matthews

      Hi Mohamed,

      Thank you very much for your detailed reply. I have gone ahead and set this up and will monitor how this performs.

      I assume I also need this option enabled as well for this to work?

      Thanks

      • Hi Nick_Matthews

        No, you don't need this option. This option prevents the aggressive sweeper from being triggered; as I said, the aggressive sweeper will be triggered to stop new connections from passing through the virtual server if the connection limit is reached.

        So keep it disabled.

        Have a look at this article >> https://my.f5.com/manage/s/article/K93017176
        Search for "Eviction Protected" and see if you want to use it or not
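The two-step procedure from the first reply (custom eviction policy plus a 3000-connection limit on the VS) and the Eviction Protected setting discussed in the last reply, collected into one tmsh fragment. This is an added example, not from the thread or from F5 documentation: the virtual server name and the bias strategy are placeholders, and the attribute names are written from memory, so confirm them with `help ltm eviction-policy` and `list ltm virtual <name> all-properties` on your version before applying.

```tmsh
# Step 1: custom eviction policy with the water marks suggested in the thread
# (low water 90%, high water 95% of the connection limit). Above high water the
# sweeper starts evicting flows according to the chosen strategies; it stops
# once usage drops back below low water. "bias-idle" is an assumed strategy
# name used as a placeholder; pick the bias that matches the traffic (K15821).
create ltm eviction-policy ep_main_site {
    low-water 90
    high-water 95
    strategies {
        bias-idle { }
    }
}

# Step 2: cap the virtual server at 3000 concurrent connections and attach the
# policy. "vs_main_site" is a placeholder; "eviction-policy" as a virtual-server
# attribute is an assumption, verify it on your build. Eviction Protected stays
# disabled, as recommended in the last reply, so the sweeper can actually act.
modify ltm virtual vs_main_site {
    connection-limit 3000
    eviction-policy ep_main_site
    eviction-protected disabled
}

# Persist the change and confirm what was applied.
save sys config
list ltm virtual vs_main_site connection-limit eviction-policy eviction-protected
```

Watch /var/log/ltm after the change: the aggressive sweeper messages referenced in K13302777 are the signal that the limit is being hit and evictions are happening, which is also a useful alert source for the attacks themselves.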