PingIntelligence

WebSocket API protection from DoS and DDoS

Flow control protects WebSocket servers using five control variables which are independently configured. By default, no flow control is enabled.

Variable Description

Configured once in every API JSON file

client_spike_threshold

Maximum number of HTTP requests per time-period from a single IP to a specific WebSocket API.

Time can be in seconds, minutes or hours.

bytes_in_threshold

Maximum number of bytes per time-period from a single IP to an ASE node.

Time can be in seconds, minutes or hours.

bytes_out_threshold

Maximum number of bytes per time-period sent from an ASE node to a single IP.

Time can be in seconds, minutes or hours.

server_connection_queueing

When true, queue connection requests when all backend servers reach the server connection quota.

The default value is false.

Configured for each server in every API JSON file

server_connection_quota

Maximum number of concurrent connections to a specific WebSocket API on a server. Prevents aggregate connections from one or a cluster of ASE nodes from overloading a WebSocket API on a specific server.

The following diagram shows the effect of the parameters on traffic flow through ASE. In the diagram, client-side flow control is managed by client_spike_threshold, bytes_in_threshold, and bytes_out_threshold. The bytes_out threshold protects against data exfiltration. Server flow control is regulated by server_connection_quota.

cto1564008997238

Client flow control monitors incoming traffic from each client connection and drops sessions when HTTP request or bytes in threshold limits are exceeded. In addition, outbound traffic from each ASE Node is monitored to protect against exfiltration. The diagram shows client scenarios including:

  • IP1 sending HTTP request volumes which exceed the client_spike_threshold value. ASE 1 sends an error message and terminates the session to stop the attack.

  • IP2 sending WebSocket streaming traffic volumes which exceed the bytes_in_threshold limits. ASE 1 sends an error message and terminates the session to stop the traffic.

  • IP3 and IP4 within client spike threshold and bytes in threshold criteria and requests are forwarded to the backend server.

  • Traffic from ASE 2 to IP5 exceeds the bytes out threshold value. ASE blocks the traffic and drops the client session.

The server-side flow control provides the ability to control session count to an API on an application server. server_connection_quota sets the maximum number of concurrent connections that can be established to an API on a server. The concurrent connections are the aggregate connections from all ASE nodes forwarding traffic to the specified API on a given server.

Example:

Here is an example with a hypothetical deployment for the Application Server in the previous diagram.

Variable Configured value

client_spike_threshold

50,000 requests per second per IP

bytes_in_threshold

2000 bytes per second per IP

bytes_out_threshold

1000 bytes per second per server

server_connection_quota

20,000 concurrent connections per server

server_connection_queueing

true

Client flow control permits a maximum of 50,000 HTTP requests/second from an individual IP. If IP 1, 2, or 3 exceeds the 50,000/second limit, ASE drops the client session. Otherwise, all requests are passed to the backend servers.

Client flow control allows a maximum of 2,000 bytes/second from each WebSocket client connection to an ASE node. If IP 1, 2, or 3 exceeds the 2,000 bytes/second limit, ASE drops the client session. Otherwise, all requests are passed to the backend servers.

Server flow control allows 20,000 concurrent connections to WebSocket API 1 on the application server. If the sum of connections from the ASE cluster nodes (i.e. ASE 1 + ASE 2 connection count) to WebSocket API1 exceeds 20,000, then ASE will queue the request for a time-period since server_connection_queuing is enabled. If queuing is not enabled, then the request is dropped.

Client Flow Control allows a maximum of 1,000 bytes/second from a WebSocket API to any WebSocket client connection. If outbound traffic exceeds the 1,000 bytes/second limit, ASE blocks the traffic and drops the client session. Otherwise, all requests are passed to the backend servers.

Summary table for WebSocket flow control

Parameter Notes

client_spike_threshold

Maximum HTTP request rate from a client to an API

bytes_in_threshold

Maximum number of bytes per time-period from a client to a specific ASE node

bytes_out_threshold

Maximum number of bytes per time-period from an ASE node

server_connection_quota

Maximum number of concurrent sessions from ASE cluster nodes to an API on a specific server.

Configuring flow control for WebSocket API

ASE flow control is configured separately for each API using the API JSON file. Here are the flow control related definitions in an API JSON file:

{
 "api_metadata": {
 "protocol": "ws",

 "flow_control": {
 "client_spike_threshold": "0/second",
 "bytes_in_threshold": "0/second",
 "bytes_out_threshold": "0/second",
 "server_connection_queueing" : false
 },
 "servers": [
 {
 "host": "127.0.0.1",
 "port": 8080,
 "server_connection_quota": 10
 },
 {
 "host": "127.0.0.1",
 "port": 8081,
 "server_connection_quota": 20
 }
 ]
 }
}

The flow control section includes definitions which apply globally across all servers running the defined WebSocket API. These are client_spike_threshold, bytes_in_threshold, bytes_out_threshold, and server_connection_queueing. Server specific definitions include server_connection_quota which is configured on each individual server. The default is no flow control with all values set to zero. Note that different values can be specified for each server for server_connection_quota.

If server connection quota is set to zero for one server, then it must be zero for all other servers in the API JSON definition.

API security must be enabled for ASE flow control to work. For more information on enabling API security using the configuration file, see Defining an API using API JSON configuration file in inline mode or using the CLI, see Enable API Cybersecurity.

Flow control CLI for WebSocket API

ASE CLI can be used to update flow control parameters:

Update Client Spike Threshold:

Enter the following command to update the client spike threshold:

update_client_spike_threshold {api_id} {+ve digit/(second|minute|hour)}

For example: update_client_spike_threshold shop_api 5000/second

Update Bytes-in

update_bytes_in_threshold {api_id} {+ve digit/(second|minute|hour)}

For example: update_bytes_in_threshold shop_api 8096/second

Update Bytes-out

update_bytes_out_threshold {api_id} {+ve digit/(second|minute|hour)}

For example: update_bytes_out_threshold shop_api 8096/second

Update Server Quota

update_server_connection_quota {api_id} \{host:port}\{+ve digit}

For example: update_server_connection_quota shop_api 5000

API security must be enabled for ASE flow control to work. For more information on enabling API security, see Enable API Cybersecurity.