* [DDoS Protection] L3/4 managed ruleset override guidance updates
This change introduces a fix to a mix-up in the logic of how
Network-layer DDoS Attack Protection managed ruleset override
expressions work and adds some additional context, guidance, and
recommendations on how to effectively utilize them.
* Apply suggestions from code review
---------
Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com>
src/content/docs/ddos-protection/managed-rulesets/network/network-overrides/override-examples.mdx
Lines changed: 2 additions & 2 deletions
@@ -17,10 +17,10 @@ The following scenarios detail how you can make use of override rules as a solut
17
17
18
18
### VPN traffic is blocked by a UDP rule
19
19
20
-
If you have VPN traffic concentrated to a single or a few single destination IP addresses and the traffic is being blocked by a UDP rule, you can create an override rule for the UDP rule to the destination IPs or ranges.
20
+
If you have VPN traffic concentrated to a single or a few single destination IP addresses and the traffic is being blocked by a UDP rule, you can create an override rule for the UDP rule to the destination IPs or ranges.
21
21
22
22
:::note
23
-
The override only applies to the fingerprint and not the detection. Refer to [Important remarks](/ddos-protection/managed-rulesets/network/network-overrides/override-expressions/#important-remarks) for more information.
23
+
The override only applies to the detection and not the fingerprint generated and used for mitigation. Refer to [Important remarks](/ddos-protection/managed-rulesets/network/network-overrides/override-expressions/#important-remarks) for more information.
24
24
:::
25
25
26
26
### Attack traffic is flagged by the adaptive rule based on UDP and destination port
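Review bot: the rewritten `:::note` sentence, "The override only applies to the detection and not the fingerprint generated and used for mitigation", inverts the old statement but leaves the reader of this examples page without the reason the override might not fire, and the only way to learn it is to follow the link to Important remarks, where the text then conditions the override on the fingerprint's fields. Suggest carrying that one clause over into the note so the VPN scenario stands on its own, for example: "The override is evaluated against the fields present in the generated attack fingerprint, so an override scoped to your destination IPs only takes effect when the fingerprint includes the destination IP field." Also, the first -/+ pair in this hunk (the "If you have VPN traffic concentrated..." paragraph) shows identical text on both sides, so it appears to be a whitespace-only change; please confirm that is intended rather than a dropped edit.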
src/content/docs/ddos-protection/managed-rulesets/network/network-overrides/override-expressions.mdx
Lines changed: 25 additions & 9 deletions
@@ -11,18 +11,20 @@ head:
11
11
12
12
import { GlossaryTooltip } from"~/components"
13
13
14
-
Set an override expression for the Network-layer DDoS Attack Protection managed ruleset to define a specific scope for [sensitivity level](/ddos-protection/managed-rulesets/network/override-parameters/#sensitivity-level) or [action](/ddos-protection/managed-rulesets/network/override-parameters/#action) adjustments. For example, you can set different sensitivity levels for different destination IP addresses or ports: a medium sensitivity level for destination IP address `A` and a low sensitivity level for destination IP address `B`.
14
+
Set an override expression for the Network-layer DDoS Attack Protection managed ruleset to define a specific scope for [sensitivity level](/ddos-protection/managed-rulesets/network/override-parameters/#sensitivity-level) or [action](/ddos-protection/managed-rulesets/network/override-parameters/#action) adjustments.
15
+
16
+
When considering which, if any, expressions you should utilize, think of expressions as a tool to scope overrides to the specific service that the Network-layer DDoS Attack Protection managed ruleset is protecting. That is to say that most services are defined by their destination ports and IPs as opposed to source ports or IPs. Refer to [Imporant remarks](/ddos-protection/managed-rulesets/network/network-overrides/#important-remarks) for more information.
17
+
18
+
For example, you can set different sensitivity levels for different destination IP addresses or ports: a medium sensitivity level for destination IP address `A` and a low sensitivity level for destination IP address `B`.
15
19
16
20
## Available expression fields
17
21
18
-
You can use the following fields in override expressions:
22
+
The following fields are made available for use in override expressions.
23
+
24
+
The list of fields we recommend using in expressions:
19
25
20
-
-`ip.src`
21
26
-`ip.dst`
22
27
-`ip.proto.num`
23
-
-`ip.len`
24
-
-`ip.ttl`
25
-
-`tcp.srcport`
26
28
-`tcp.dstport`
27
29
-`tcp.flags`
28
30
-`tcp.flags.ack`
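Review bot: the added guidance paragraph has a typo in its link text ("Imporant remarks") and its target `/ddos-protection/managed-rulesets/network/network-overrides/#important-remarks` points at the section index, while override-examples.mdx in this same commit links to `/ddos-protection/managed-rulesets/network/network-overrides/override-expressions/#important-remarks`; since the "Important remarks" heading lives in this file, both links should use that second path (or this one can be a same-page `#important-remarks` anchor). Two wording points in the same hunk: "That is to say that most services are defined by their destination ports and IPs as opposed to source ports or IPs" reads more cleanly as "Most services are identified by their destination IPs and ports rather than by source IPs or ports", and "The following fields are made available for use in override expressions." can be tightened to "The following fields are available in override expressions."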
@@ -31,16 +33,30 @@ You can use the following fields in override expressions:
31
33
-`tcp.flags.reset`
32
34
-`tcp.flags.syn`
33
35
-`tcp.flags.urg`
34
-
-`udp.srcport`
35
36
-`udp.dstport`
36
37
38
+
The list of fields we do not recommend to be used in expressions:
39
+
40
+
-`ip.src`
41
+
-`ip.len`
42
+
-`ip.ttl`
43
+
-`tcp.srcport`
44
+
-`udp.srcport`
45
+
37
46
Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) in the Rules language documentation for more information.
38
47
39
48
## Important remarks
40
49
41
-
- Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`.
42
-
- Override expressions are not allowlists. They apply to the mitigation, not during detection. This means an override only takes effect if the attack fingerprint — as generated by the DDoS managed rules — includes the same fields specified in your expression.
50
+
### Recommended vs. non-recommended fields
51
+
52
+
Override expressions are not allowlists. Overrides are applied to the detection, and are not applied to the resulting mitigation. This means an override only takes effect if the attack fingerprint, as generated by the DDoS managed rules, includes the same fields specified in your expression. Thus, it makes the use of source fields like `ip.src`, `ip.len`, `ip.ttl`, `tcp.srcport`, and `udp.srcport` unreliable.
53
+
54
+
The use of non-recommended fields in an expression may result in unexpected behavior. While you may be inclined to utilize source properties, the expressions are not allowlists and including source traffic properties may result in false positives.
43
55
44
56
For example, if you create an override with sensitivity set to `Essentially Off` for `ip.src eq 192.0.2.1`, it only applies if the fingerprint includes `ip.src`. However, because DDoS attacks are often distributed across many source IPs, the fingerprint may not include `ip.src` at all. In such cases, your override is not applied.
45
57
46
58
In a common scenario, an attack originating from thousands of IPs can target a single destination IP and port. The fingerprint would focus on the shared attributes, such as the destination IP, port, and additional packet fields that represent strong signals of the attack pattern. Even if your override matches a specific source IP, it will not apply if that field is not present in the fingerprint. As a result, the system will mitigate the attack using the default high sensitivity, and traffic from your specified IP could still be blocked. It is recommended to use more stable expressions such as protocol, destination IP, and destination port.
59
+
60
+
### Character limits
61
+
62
+
Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`.
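Review bot: the new sentence "Overrides are applied to the detection, and are not applied to the resulting mitigation" is followed by the unchanged "This means an override only takes effect if the attack fingerprint, as generated by the DDoS managed rules, includes the same fields specified in your expression", and the "This means" does not follow on its own: the paragraph first says overrides do not touch the mitigation, then makes the fingerprint, which the page describes as generated by the managed rules and used for mitigation, the thing the override is matched against. Since this commit exists to fix exactly that mix-up, add one sentence stating which stage evaluates the expression and why the fingerprint's fields decide whether it matches, so the previous reading cannot be re-derived from this text. Smaller points in the same hunk: "Thus, it makes the use of source fields like ... unreliable" has a dangling "it" (suggest "This makes source fields such as `ip.src`, `ip.len`, `ip.ttl`, `tcp.srcport`, and `udp.srcport` unreliable in expressions"), and "The list of fields we do not recommend to be used in expressions:" should read "Fields we do not recommend using in expressions:" to match the recommended list above it.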