11.9 Preventing Denial-of-Service Attacks

A denial-of-service (DoS) attack is an attempt by a malicious user to prevent legitimate users from accessing a service, typically by flooding the server with a continuous stream of requests.

To prevent DoS attacks, you can configure Oracle Traffic Director virtual servers to reject requests when the frequency of requests or the number of concurrent connections exceeds a specified limit. For more granular control over requests, you can define several request limits and configure each limit to be applied to requests that match specified URL patterns and query string patterns, request headers that match specified values, and so on.

This section contains the following subsections:

  • Section 11.9.1, "Request Limiting Parameters"

  • Section 11.9.2, "Configuring Request Limits for a Virtual Server"

11.9.1 Request Limiting Parameters

You can specify multiple request limits for a virtual server. For each request limit, you can configure several parameters:

  • You can make each request limit apply only to requests that satisfy a condition, which you specify using expressions such as the following:

    $path = "*.jsp"
    $url = "/images/*"
    $ip =~ "^130\.35\.46\..*"
    

    You can use any variable or combination of variables to specify the condition for a limit. For more information about building expressions for request limit conditions, see "Using Variables, Expressions, and String Interpolation" in the Oracle Traffic Director Configuration Files Reference.

  • In each request limit, you can specify the number of concurrent requests (max-connections) and the average number of requests per second (max-rps).

    For example, if you specify a limit (say, max-rps=20), Oracle Traffic Director continuously tracks the request rate by recalculating it at a compute interval that you specify (default: 30 seconds), based on the number of requests received during that interval. When the specified request limit is reached, Oracle Traffic Director rejects all subsequent requests.

  • You can also specify an optional attribute that Oracle Traffic Director should monitor when applying request limits. Oracle Traffic Director uses separate counters to track the request statistics for each monitored attribute.

    For example, to specify that Oracle Traffic Director should track the request rate separately for each client IP, you can specify the variable $ip as the monitor attribute. When the request rate exceeds the specified limit for any client, subsequent requests from that client are rejected, but requests from other clients continue to be served.

    You can also combine variables when specifying the attribute to be monitored. For example, to limit requests from clients that request the same URIs too frequently, you can specify $ip:$uri as the attribute to be monitored. When the request rate from any client for any single URI exceeds the limit, further requests to the same URI from that client are rejected, but requests from that client to other URIs, as well as requests from other clients to any URI continue to be served.

  • For requests that Oracle Traffic Director rejects, it returns the HTTP response code that you specify. The default status code is 503 (service unavailable).

  • After a specified limit—max-connections or max-rps—is reached, Oracle Traffic Director continues to reject all subsequent requests until a specified continue condition is satisfied. You can specify one of the following continue conditions:

    • Threshold (default): Service resumes when the request rate falls below the specified limit.

    • Silence: Service resumes when the incoming request rate falls to zero for an entire compute interval.
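The following is an added model of the request-limit semantics described above (per-monitor-attribute counters, max-rps recomputed every rps-compute-interval seconds, and the threshold and silence continue conditions). It is illustrative code, not Oracle Traffic Director's implementation; the class and function names, the assumption that rejected requests still count as incoming traffic, and the sample client IPs are constructed for this example.

```python
from collections import defaultdict

class RequestLimit:
    """Model of one OTD request limit: max-rps per monitored attribute, rate
    recomputed each interval, continue condition "threshold" or "silence"."""

    def __init__(self, max_rps, interval=30, monitor=lambda req: "*",
                 continue_condition="threshold", error_code=503):
        self.max_rps, self.interval = max_rps, interval
        self.monitor = monitor            # e.g. lambda r: r["ip"] models "$ip";
        self.continue_condition = continue_condition   # (r["ip"], r["uri"]) models "$ip:$uri"
        self.error_code = error_code
        self.count = defaultdict(int)     # incoming requests per key in this interval
        self.blocked = set()              # keys whose requests are currently rejected
        self.window_start = 0.0

    def _recompute(self, now):
        """At each interval boundary derive the rate per key and update the reject set.
        Assumption: rejected requests still count as incoming (needed for "silence")."""
        while now - self.window_start >= self.interval:
            for key in set(self.count) | set(self.blocked):
                rps = self.count[key] / self.interval
                if rps >= self.max_rps:
                    self.blocked.add(key)          # limit reached: start rejecting
                elif self.continue_condition == "threshold" or self.count[key] == 0:
                    self.blocked.discard(key)      # continue condition met: resume
            self.count.clear()
            self.window_start += self.interval

    def handle(self, req, now):
        """Return None to serve the request, or the error code to reject it."""
        self._recompute(now)
        key = self.monitor(req)
        self.count[key] += 1
        return self.error_code if key in self.blocked else None

def simulate(continue_condition):
    """Constructed traffic against max-rps=5, interval=10s, monitored on $ip: client A
    bursts at 10 req/s, drops to 2 req/s, goes quiet, then resumes; B sends 1 req/s."""
    limit = RequestLimit(max_rps=5, interval=10, monitor=lambda r: r["ip"],
                         continue_condition=continue_condition)
    a_rate = lambda t: 10 if t < 10 else 2 if t < 40 else 0 if t < 50 else 2
    rejected = defaultdict(int)           # rejected request count per client IP
    for t in range(60):
        for ip, n in (("10.0.0.1", a_rate(t)), ("10.0.0.2", 1)):
            for _ in range(n):
                if limit.handle({"ip": ip, "uri": "/index.jsp"}, t) == 503:
                    rejected[ip] += 1
    return dict(rejected)
```

With "threshold", client A is served again as soon as its rate drops below the limit, while "silence" keeps rejecting it until it stays quiet for a whole interval; client B is never affected because it is tracked under its own counter.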

11.9.2 Configuring Request Limits for a Virtual Server

You can configure request limits for a virtual server by using either the administration console or the CLI.

Configuring Request Limits Using the Administration Console

To configure request limits by using the administration console, do the following:

  1. Log in to the administration console, as described in Section 2.3.2, "Accessing the Administration Console."

  2. Click the Configurations button that is situated at the upper left corner of the page.

    A list of the available configurations is displayed.

  3. Select the configuration for which you want to configure request limits.

  4. In the navigation pane, expand Virtual Servers, expand the name of the virtual server for which you want to configure request limits, and select Request Limits.

    The Request Limits page is displayed. It lists the request limits that are currently defined for the virtual server.

    Creating a Request Limit

    1. Click New Request Limit.

      The New Request Limit dialog box is displayed.

      In the Name field, enter a name for the new request limit.

      In the Connections field, specify the maximum number of concurrent connections to the virtual server.

      In the Requests Per Second field, specify the maximum number of requests that the virtual server can accept per second.

      Note:

      You must specify at least one of the limits—maximum number of connections or maximum number of requests per second.

      In the Monitor Attribute field, specify the attribute in the request header, which the virtual server should monitor for applying the request limit. If you do not specify this parameter, the request limit is applied to all requests.

    2. Click Next.

      If this is the first request limit for the virtual server, the New Caching Rule dialog box gives you the option to choose whether the limit should be applied to all requests. Select All Requests.

      If you wish to apply the limit to only those requests that satisfy a condition, create a new condition by selecting Create a new condition. In the New Expression pane, select a Variable/Function and an Operator from the respective drop-down lists and provide a value in the Value field.

      Select the and/or operator from the drop-down list when configuring multiple expressions. Similarly, use the Not operator when you want the request limit to be applied only when the given expression is not true.

      To enter a condition manually, click Cancel and then click Edit Manually. In the Condition field, specify the condition under which the request limit should be applied. For information about building condition expressions, click the help button near the Condition field or see "Using Variables, Expressions, and String Interpolation" in the Oracle Traffic Director Configuration Files Reference.

    3. Click Next and then click Create Request Limit.

      The request limit that you just created is displayed on the Request Limits page.

      In addition, the Deployment Pending message is displayed at the top of the main pane. You can either deploy the updated configuration immediately by clicking Deploy Changes, or you can do so later after making further changes as described in Section 4.3, "Deploying a Configuration."

    Editing a Request Limit

    To change the settings of a request limit, do the following:

    1. Click the Name of the request limit.

      The Editing Request Limit page is displayed.

      Note:

      To access the condition builder to edit conditions, select Requests satisfying the condition and click Edit. The condition builder enables you to delete old expressions and add new ones.

    2. Specify the parameters that you want to change.

      While editing a request limit, in addition to changing the parameters that you specified while creating it, you can set and change the requests-per-second compute interval and the HTTP status code that the virtual server returns for requests that it rejects when the specified limits are reached. You can also edit the condition that you have set by clicking Edit, either manually or using the condition builder, which lets you delete old expressions and add new ones.

      On-screen help and prompts are provided for all of the parameters.

      When you change the value in a field or tab out of a text field that you changed, the Save button near the upper right corner of the page is enabled.

      At any time, you can discard the changes by clicking the Reset button.

    3. After making the required changes, click Save.

      A message, confirming that the updated configuration was saved, is displayed in the Console Messages pane.

      In addition, the Deployment Pending message is displayed at the top of the main pane. You can either deploy the updated configuration immediately by clicking Deploy Changes, or you can do so later after making further changes as described in Section 4.3, "Deploying a Configuration."

    Deleting a Request Limit

    To delete a request limit, click the Delete button. At the confirmation prompt, click OK.

Configuring Request Limits Using the CLI

  • To create a request limit, run the create-request-limit command.

    Examples:

    • The following command creates a request limit named limit_ip in the virtual server soa.example.com of the configuration soa, to limit the number of concurrent requests from any single client to 5.

      tadm> create-request-limit --config=soa --vs=soa.example.com --max-connections=5 limit_ip
      OTD-70201 Command 'create-request-limit' ran successfully.
      
    • The following command creates a request limit named limit_subnet in the virtual server soa.example.com of the configuration soa, to limit the number of requests per second from the client IP addresses in the subnet 111.23.30.* to 20.

      tadm> create-request-limit --config=soa --vs=soa.example.com --condition="$ip='111.23.30.*'" --max-rps=20 limit_subnet
      OTD-70201 Command 'create-request-limit' ran successfully.
      

    Note that the value of the --condition option should be a regular expression. For information about building condition expressions, see "Using Variables, Expressions, and String Interpolation" in the Oracle Traffic Director Configuration Files Reference.

  • To view a list of the request limits defined for a virtual server, run the list-request-limits command, as shown in the following example:

    tadm> list-request-limits --config=soa --vs=soa.example.com
    request-limit   condition
    -------------------------
    limit_ip       -
    limit_subnet   "$ip = '111.23.30.*'"
    
  • To view the properties of a request limit, run the get-request-limit-prop command, as shown in the following example:

    tadm> get-request-limit-prop --config=soa --vs=soa.example.com --request-limit=limit_ip
    continue-condition=silence
    condition="$ip = '111.23.30.*'"
    error-code=503
    max-connections=50
    rps-compute-interval=30
    max-rps=20
    request-limit=limit_ip
    
  • To change the properties of a request limit, run the set-request-limit-prop command.

    For example, the following command changes the requests-per-second compute interval of the request limit limit_ip in the virtual server soa.example.com of the configuration soa to 60 seconds.

    tadm> set-request-limit-prop --config=soa --vs=soa.example.com --request-limit=limit_ip rps-compute-interval=60
    
  • To delete a request limit, run the delete-request-limit command, as shown in the following example:

    tadm> delete-request-limit --config=soa --vs=soa.example.com limit_ip
    OTD-70201 Command 'delete-request-limit' ran successfully.
    

For the updated configuration to take effect, you should deploy it to the Oracle Traffic Director instances by using the deploy-config command.

For more information about the CLI commands mentioned in this section, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.