Forum Discussion
DDoS protection with APM module
Hi,
I’m hoping someone can help point me in the right direction regarding an issue we’re facing.
Our main website has been experiencing increasingly frequent DDoS attacks, which currently require manual intervention to mitigate.
Typically, our site handles around 2,000 concurrent connections, but during an attack, this spikes to over 140,000 connections. As a result, our backend servers are overwhelmed and subsequently fail.
We’ve found that enabling an APM click-through page effectively prevents these attacks from reaching the backend servers. However, we currently have to enable this manually via the Virtual Server (VS) settings.
My question is:
Is it possible to write an iRule that automatically enables the APM page if the concurrent connections to the VS exceed 3,000, and then disables it once the connections drop below 3,000?
For reference, I’ve attached the basic APM policy we currently use.
Thank you in advance for any guidance you can provide!
Hi Nick_Matthews,
I recommend using the Connection Limit feature on the VS together with an Eviction Policy in the context of the virtual server.
The PoA:
1- Create a custom Eviction Policy (System > Configuration > Local Traffic > Eviction Policy List > Create New).
Use this article to guide you on the bias algorithms: https://my.f5.com/manage/s/article/K15821 and this one as well: https://my.f5.com/manage/s/article/K15822#vs
Use, for example, a low water level of > 90% and a high water mark of > 100%.
2- Go to the targeted virtual server, set the connection limit to 3000 and assign the created custom eviction policy.
Now what is the effect of this change? I'll let you know below:
Here are some clarifications I added regarding your scenario:
Also, I want to add this article for a sample of the log you will encounter when aggressive sweeper mode is reached on the eviction policy:
https://my.f5.com/manage/s/article/K13302777
Feel free to set your own values;
you can use Low water > 90% and High water 95%, for example.
I just wanted to explain the idea of an eviction policy in the virtual server context.
So I see it's more efficient than iRules, as they consume a lot of processing and it will take much more to configure a rate-limiter iRule.
So go through this and let me know 😉 Thanks
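As an added illustration (not code from this thread or from F5), the following Python model replays the numbers from the question against the two controls recommended in the answer: a per-virtual-server connection limit of 3000 and an eviction policy with low/high water marks. Everything in it is an assumption for illustration rather than BIG-IP's real implementation: the marks are taken as percentages of the connection limit, the sweeper is assumed to run every 500 new-connection events, and it is assumed to evict the longest-idle flows first.

```python
# Added example, not code from the thread or from F5: a small model of the two
# controls recommended above, a per-VS connection limit and an eviction policy
# with low/high water marks. Assumptions (not BIG-IP's real implementation):
# the marks are percentages of the connection limit, the sweeper runs every
# SWEEP_INTERVAL new connections, and it evicts the longest-idle flows first.
from dataclasses import dataclass, field

SWEEP_INTERVAL = 500  # assumed sweeper cadence, in new-connection events


@dataclass
class Conn:
    cid: int
    last_activity: int  # tick of the last packet; idle flows are evicted first


@dataclass
class VirtualServer:
    connection_limit: int   # 3000, as set in the thread
    high_water_pct: int     # eviction policy high water mark
    low_water_pct: int      # eviction policy low water mark
    conns: dict = field(default_factory=dict)
    rejected: int = 0
    evicted: int = 0
    sweeper_runs: int = 0

    def accept(self, cid: int, tick: int) -> bool:
        """Admit a new client connection unless the VS limit is already hit."""
        if len(self.conns) >= self.connection_limit:
            self.rejected += 1
            return False
        self.conns[cid] = Conn(cid, tick)
        return True

    def sweep(self) -> int:
        """Eviction policy: once usage exceeds the high water mark, the
        aggressive sweeper evicts longest-idle flows until usage is back
        under the low water mark. Returns the number of evicted flows."""
        high = self.connection_limit * self.high_water_pct // 100
        low = self.connection_limit * self.low_water_pct // 100
        if len(self.conns) <= high:
            return 0
        self.sweeper_runs += 1
        evicted = 0
        for victim in sorted(self.conns.values(), key=lambda c: c.last_activity):
            if len(self.conns) <= low:
                break
            del self.conns[victim.cid]
            evicted += 1
        self.evicted += evicted
        return evicted


def simulate_flood(normal=2000, attack=140000, limit=3000, high=95, low=90):
    """Replay the thread's numbers: 2,000 steady-state clients, then a flood
    of 140,000 new connections (constructed sample sizes from the post)."""
    vs = VirtualServer(limit, high, low)
    for cid in range(normal):
        vs.accept(cid, tick=0)
    peak = len(vs.conns)
    for tick, cid in enumerate(range(normal, normal + attack), start=1):
        vs.accept(cid, tick)
        peak = max(peak, len(vs.conns))   # what the backend pool could see
        if tick % SWEEP_INTERVAL == 0:
            vs.sweep()
    return {
        "peak_concurrent": peak,
        "rejected": vs.rejected,
        "evicted": vs.evicted,
        "sweeper_runs": vs.sweeper_runs,
        "final_connections": len(vs.conns),
    }


if __name__ == "__main__":
    for k, v in simulate_flood().items():
        print(f"{k}: {v}")
```

Running it shows the backend never sees more than the 3000-connection limit during the 140,000-connection flood: excess connections are rejected at the VS, and each sweeper run pulls usage from the high water mark back down to the low water mark. It also shows the caveat behind the bias-algorithm articles linked above: with an idle-first bias, the 2,000 legitimate clients that were connected before the flood have the oldest activity timestamps and are the first to be evicted, so the bias you pick decides who survives the sweep.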
Hi Mohamed,
Thank you very much for your detailed reply. I have gone ahead and set this up and will monitor how this performs.
I assume I also need this option enabled for this to work?
Thanks
Hi Nick_Matthews,
No, you don't need this option. This option prevents the aggressive sweeper from being triggered, and as I said, the aggressive sweeper will be triggered to prevent new connections from passing through the virtual server if the connection limit is reached.
So keep it disabled.
Have a look at this article >> https://my.f5.com/manage/s/article/K93017176
Search for "Eviction Protected" and see if you want to use it or not.