[Yandex Cloud documentation](../../index.md) > [Tutorials](../index.md) > [Security](index.md) > Emergency L7 DDoS protection in Application Load Balancer

# Emergency DDoS protection in Application Load Balancer, L7


This guide will help you stop a live [DDoS attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).

## Conditions to implement the described solution {#tutorial-conditions}

* Your services are hosted in Yandex Cloud or connected to [Application Load Balancer](../../application-load-balancer/index.md) via [Cloud Interconnect](../../interconnect/index.md).
* You used an L7 Application Load Balancer to publish your services online.
* The DDoS attack targets the application layer (L7) by flooding it with HTTP requests (GET/POST).

{% note tip %}

Estimate your standard service load. You can do this in Application Load Balancer under **Monitoring**. The **RPS** chart displays the total number of incoming requests per second the load balancer receives. To analyze the normal load, select a period before the DDoS attack.

{% endnote %}

## Steps to set up protection {#setup-stages}

To stop a DDoS attack, you need to connect [Smart Web Security](../../smartwebsecurity/index.md) and set up rules to block malicious traffic.

1. [Create a security profile](#setup-security-profile).
1. [Associate the security profile](#connect-profile) with a virtual host.
   
   If you have an existing security profile associated with a host, [check the profile settings](#setup-existing-profile).

1. [Test the security profile](#check-the-result).
1. [Set up additional DDoS protection rules](#anti-ddos).

After you stop the attack, you can set up dedicated protection for your service in [Smart Web Security](../../smartwebsecurity/concepts/index.md). If you no longer need the resources you created, [delete them](#clear-out).

## Required paid resources {#paid-resources}

The cost of infrastructure for DDoS protection includes a fee for requests processed by [security profile](../../smartwebsecurity/concepts/profiles.md) rules (see [Yandex Smart Web Security pricing](../../smartwebsecurity/pricing.md)).

## Create a security profile {#setup-security-profile}

_Security profiles_ are the main component of Smart Web Security. A profile consists of rules for handling HTTP traffic. Such rules define filtering conditions and actions to apply to the traffic flowing through a virtual host of an L7 load balancer.

To quickly deploy protection, you can use the preset template. The template contains optimal settings for basic protection of web services.

To create a security profile:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder the protected resources are in.
  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/profiles.svg) **Security profiles**.
  1. Click **Create profile** and select **From a preset template**.
  1. Enter a name for the profile, e.g., `anti-ddos`.
  1. In the **Action for the default base rule** field, select `Deny`.
  1. In the **SmartCaptcha** list, leave the `Default` value.
  1. Click **Create**.


{% endlist %}

## Associate the security profile with the virtual host {#connect-profile}

If the load balancer is managed by an Application Load Balancer [ingress controller](../../application-load-balancer/tools/k8s-ingress-controller/index.md), use the [ingress resource annotation](../../application-load-balancer/k8s-ref/ingress.md#annot-security-profile-id).

{% note tip %}

We recommend using the new [Yandex Cloud Gwin](../../application-load-balancer/tools/gwin/index.md) controller instead of an ALB Ingress controller and Gateway API.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) containing the [security profile](../../smartwebsecurity/concepts/profiles.md).
    1. Navigate to **Smart Web Security**.
    1. In the left-hand panel, select ![shield-check](../../_assets/console-icons/shield-check.svg) **Security profiles**.
    1. Select the security profile you want to connect to the [virtual host](../../application-load-balancer/concepts/http-router.md#virtual-host) [Yandex Application Load Balancer](../../application-load-balancer/index.md).
    1. Click ![plug](../../_assets/console-icons/plug-connection.svg) **Connect to host**.
    1. In the window that opens, click **Add resource** and select **Virtual host**.
    1. Set the [**Load balancer**](../../application-load-balancer/concepts/application-load-balancer.md), [**HTTP router**](../../application-load-balancer/concepts/http-router.md), and [**Virtual host**](../../application-load-balancer/concepts/http-router.md#virtual-host) values one by one. You can associate the security profile with multiple virtual hosts at once.
  
        To associate the profile with another L7 load balancer, click **Add resource** and select **Virtual host**.
      
    1. Click **Connect**. If the selected hosts are already connected to another security profile, confirm the connection.
  
        You will see the connected virtual hosts under ![cubes-3-overlap](../../_assets/console-icons/cubes-3-overlap.svg) **Connected resources**.

{% endlist %}

## Configure an existing security profile {#setup-existing-profile}

If you have an existing security profile, check and adjust its parameters:

1. **SmartCaptcha**: `Default`.

1. Make sure there is a rule named `sp-rule-1` with the following parameters:
   * **Type**: `Smart Protection`.
   * **Action**: `Full protection` for website protection with suspicious requests redirected to SmartCaptcha or `API protection` to block suspicious requests.
   * **Conditions**: `All traffic`.
   * **Priority**: `999900`.

1. Make sure there is a basic rule with the following parameters:
   * **Action**: `Deny`.
   * **Conditions**: `All traffic`.
   * **Priority**: `1000000`.
   
## Test the security profile {#check-the-result}

To test your security profile, use information from monitoring charts and logs.

### Monitoring {#monitoring}

{% list tabs group=instructions %}

- Management console {#console}

  1. Navigate to **Smart Web Security**.
  1. Select **Monitoring**.
  1. Examine the data displayed on the charts:
     * **Denied by Security Profile RPS**: Number of incoming requests per second the security profile has checked and blocked.
     * **Redirected to SmartCaptcha RPS**: Number of incoming requests per second routed to SmartCaptcha for additional verification.
     * **Denied by ARL Profile RPS**: Number of incoming requests per second exceeding the ARL profile limit and blocked.

{% endlist %}

For a detailed description of charts, see [Monitoring in Smart Web Security](../../smartwebsecurity/operations/monitoring.md).

### Logging {#logs}

{% list tabs group=instructions %}

- Management console {#console}

  1. Make sure you have configured [logging](../../smartwebsecurity/operations/configure-logging.md) for the L7 load balancer.
  1. Navigate to **Application Load Balancer**.
  1. Select the load balancer with an associated security profile.
  1. Select **Logs**.
  1. Select the number of messages per page and the period, e.g., `1 hour`.
  1. In the **Query** field, specify you query using the [filter expression language](../../logging/concepts/filter.md) and click **Run**.

      Request examples:

      * Show requests which triggered a Smart Protection rule with a CAPTCHA challenge:
        ```
        json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.matched_rule.verdict = CAPTCHA
        ```

      * Show requests blocked by the ARL profile rules:
        ```
        json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY
        ```

{% endlist %}

For more information about working with logs, see [Configuring logging via Smart Web Security](../../smartwebsecurity/operations/configure-logging.md).

## Set up additional DDoS protection rules {#anti-ddos}

To protect your service against load bursts, set a request limit in the [ARL (Advanced Rate Limiter)](../../smartwebsecurity/concepts/arl.md) profile.

### Set a request limit {#setup-arl}

{% list tabs group=instructions %}

- Management console {#console}

  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/arl.svg) **ARL profiles**.
  1. Click **Create ARL profile**.
  1. Enter a name for the profile, e.g., `anti-ddos-arl`.
  1. Click ![plus-sign](../../_assets/console-icons/plus.svg) **Add rule** and specify:
        
     * **Name**: `arl-rps`.
     * **Priority**: `1000`.
     * **Traffic**: `All traffic`.
     * **Request grouping**: `Without grouping`.
     * **Request limit**: Specify the average number of requests for your service with a small margin. All requests above the limit will be blocked.

  1. Click **Save rule**.
  1. Click **Create**.
  1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/profiles.svg) **Security profiles**.
  1. Click ![options](../../_assets/console-icons/ellipsis.svg) next to the `anti-ddos` profile and select **Edit**.
  1. From the list of ARL profiles, select `anti-ddos-arl`.
  1. Click **Save**.

{% endlist %}

### Configure blocking by IP address lists {#block-by-list}

Smart Web Security has pre-configured [lists](../../smartwebsecurity/concepts/lists.md) of untrusted addresses, which get updated on a regular basis. You can [create your own lists](../../smartwebsecurity/operations/list-create.md) of trusted or untrusted addresses and add them to request filtering conditions.

{% list tabs group=instructions %}

- Management console {#console}

   1. Navigate to **Smart Web Security**.
   1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/profiles.svg) **Security profiles**.
   1. Select the `anti-ddos` security profile.
   1. Click ![plus-sign](../../_assets/console-icons/plus.svg) **Add rule**.
   1. Enter the **Name**, e.g., `block-by-list`.
   1. Specify the rule settings:
      * **Priority**: Higher than that of `sp-rule-1`, e.g., `1000`.
      * **Type**: `Base`.
      * **Action**: `Deny` or `Show CAPTCHA`.
      * **Traffic**: `On condition`.
      * **Conditions**: `IP`.
      * **Conditions for IP**: `IP belongs to the list`.
      * Select the address lists. Requests from these addresses will be blocked.
         * `is_ddoser`: List of IP addresses used in DDoS attacks.
         * Click **+ or** and select `is_tor`: IP addresses of the Tor network used for traffic anonymization.
         * Click **+ or** and select `is_anonimous`: IP addresses of anonymous networks frequently used to hide one’s identity.
    1. Click **Add**.

{% endlist %}

### Configure blocking by IP address region {#block-by-geo}

{% list tabs group=instructions %}

- Management console {#console}

    Block all requests from the region the attack is coming from. If your service does not operate in certain regions, you can block traffic from those regions in advance. DDoS attacks often come from IP addresses of non-target countries.

   1. Select the `anti-ddos` security profile.
   1. Click ![plus-sign](../../_assets/console-icons/plus.svg) **Add rule**.
   1. Enter the **Name**, e.g., `block-by-geo`.
   1. Specify the rule settings:
      * **Priority**: Higher than that of `sp-rule-1` but lower than that of `block-by-list`, e.g., `2000`.
      * **Type**: `Base`.
      * **Action**: `Deny` or `Show CAPTCHA`.
      * **Traffic**: `On condition`.
      * **Conditions**: `IP`.
      * **Conditions for IP**: `IP belongs to the region`.
      * Select the region the attack is coming from, e.g., `CN`, `US`, or `IN`.
  
         To add another region, click **+ or**.

      {% note tip %}

      If your service operates only in certain regions, select the `IP does not belong to the region` condition. In the list, specify the target region, e.g., `RU`. Traffic from other regions will be blocked.

      You can look up the region based on IP address at [ipinfo.io](https://ipinfo.io/) or using [provider ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)).

      {% endnote %}

   1. Click **Add**.

{% endlist %}

Use information from monitoring charts and logs to test the rules. If necessary, adjust the request limit in the ARL profile.

## How to delete the resources you created {#clear-out}

To stop paying for the resources you created, do one of the following:

1. [Disassociate the security profile](../../smartwebsecurity/operations/host-delete.md) from the virtual host.
1. [Delete the security profile](../../smartwebsecurity/operations/profile-delete.md).