L7 DDoS black hole: Fast ACL applied to a list of REs

Use Case
An App, published on XC REs, can be consumed by legitimate users mainly located in Region A. We saw that lastest L7 DDoS attacks are widely distributed accross regions. When a L7 DDoS is to heavy, SRE can decide to protect the infra and so to block the targeted service IP. Therefore, the legitimate traffic is blocked, the Denial of Service is a success.

Currently, a Fast ACL can block all traffic to a VIP and will be deployed on all REs.

Customer's ask
Because the legitimate consumers (or main business) are located to Region A, the customer wants to block traffic from other regions than region A.

Could we add the ability to select targeted RE sites in a Fast ACL?

  • Alexis DA COSTA
  • Jun 12 2024
  • Attach files