Layer 7 DDoS Mitigation

Distributed Denial of Service (DDoS) Overview

A DDoS attack is an often intentional attack that consumes an entity’s resources, usually using a large number of distributed sources. DDoS can be categorized into either Layer 7 or Layer 3/4 (L3/4), as defined by the Open Systems Interconnection (OSI) model. L3/4 DDoS attacks are DDoS attacks that occur at lower levels of the OSI stack than layer 7. Examples of such attacks include UDP, CharGen, and NTP Floods. L3/4 DDoS mitigation is inherently provided by Oracle Cloud Infrastructure.

A layer 7 DDoS attack is a DDoS attack that sends HTTP/S traffic to consume resources and hamper a website’s ability to delivery content or to harm the owner of the site. The Web Application Firewall (WAF) service can protect layer 7 HTTP-based resources from layer 7 DDoS and other web application attack vectors.

Layer 7 DDoS Mitigation Services

Oracle provides a Layer 7 DDoS Mitigation service to help mitigate layer 7 DDoS attacks. DDoS Mitigation Specialists are trained members of our Cloud Customer Support team who help mitigate layer 7 DDoS attacks. DDoS Mitigation Specialists help onboard you to WAF if you are not already using it. They must be granted access to your account to make changes to the WAF policy on your behalf. A DDoS attack report is generated after mitigation is complete. The report describes the type and parameters of the attack and what actions were taken to mitigate the attack. At the conclusion of the DDoS mitigation effort of a layer 7 DDoS attack, you may seek to receive credits for services that incurred additional Cloud Service fees. Details of this claim is available in the Oracle PaaS and IaaS Public Cloud Services Pillar documentation.

Requesting Help

It is your responsibility to report an attack through My Oracle Support. You can use monitoring and alarm definitions based on telemetry to receive notifications of thresholds exceeded. For more information about setting up alarms, see Managing Alarms. All changes will be audited in the Audit service.

To request help, go to My Oracle Support and select the WAF product and then DDoS. You will be invited to a web conference where you will interact with a DDoS Mitigation Specialist to review the issue. At this time, you can also participate in the WAF on-boarding and tuning process.

Required IAM Service Policy

In order for the Mitigation Specialist to manage rules to block the attack, you must provision an IAM user account with permissions.

To create an account with the correct permissions:

  1. Create a user with the email address of the Mitigation Specialist. See Managing Users.
  2. Create a group named "SOCMember". See Managing Groups.
  3. Assign the user to the new group.
  4. Grant group access to WAF, audit, and metrics in the compartment where the WAF policy resides.

Policy example:

  • To allow the SOCMember group to manage WAF:
    Allow group SOCMember to manage waas-family in compartment <CompartmentName>
  • To allow the SOCMember group to read audit events:

    Allow group SOCMember to read audit-events in compartment <CompartmentName>
  • To allow the SOCMember group to read metrics:

    Allow group SOCMember to read metrics in compartment <CompartmentName>

If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for WAF, see Details for the WAF Service.

The following scripts in the SDK for Python enable you to provision an IAM user account with the correct permissions.

Python script example:

python -c ~/.oci/config  -u '' -g DDoSMitigationGroup -f ~/.oci/ddos_public_key.pem


  • -c is the tenancy configuration file
  • -u is the username to be created
  • -g is the group name to be created
  • -f is the path to the public certificate to be attached to the user in PEM format

Debug options:

  • -h shows help
  • -d turns on debug mode
python -c ~/.oci/config -g DDoSMitigationGroup -o


  • -c is the tenancy configuration file
  • -g is the existing group name to be used in IAM policy
  • -o is the compartment of the WAF policy and where the IAM policy will be created

DDoS Attack Report

A DDoS attack report will be sent to you within a few days of the attack. The report contains metrics on the resources consumed by the attack and include all WAF policy changes made during the mitigation effort. This report is used by Oracle Cloud Infrastructure to review what possible service credits are available.

Price Insurance Program

You may be eligible for credits due to excessive consumption due to a DDoS attack. Refer to the Oracle PaaS and IaaS Public Cloud Services Pillar documentation for details. Contact your customer success manager for details on how to apply for credits.


For future monitoring, you can create an alarm definition in the Monitoring service that will alert you of high activity levels of HTTP traffic that could indicate another layer 7 DDoS attack. For more information, see Managing Alarms. Oracle Cloud Infrastructure automatically scrubs layer 3 and 4 attacks. If you suspect malicious activity that is not being properly remediated, go to My Oracle Support to open a service request to report your concerns.