How to define custom Layer 4 Mitigation Rules

Introduction

Custom Layer 4 rules are available to all customers with eligible services. These can be created from the Filtering page at the service level.

Match Options

Below the available matching options are detailed.

BPF Match Expression

An expression in cBPF format (libpcap compatible) that matches the packets desired. This is always the first expression evaluated. For *nix users any expression that you would use in tcpdump is compatible here. For more information on BPF see the below BPF cheatsheet.

Please try and be efficient with your deployed rules. Poorly designed rules may be removed.

IP List

A list of IPv4 addresses that the rule will match. Addresses should be inserted one per line. CIDRs are supported for the NEW connection chain however should be avoided where possible.

TCP

Conditions that match on TCP options e.g MSS

Rate Limit

Match if rate exceeds or, is under a certain limit. Can match based on the total rule hits, or on a hash based on Source IP, Source Port and/or Destination Port.

Region

Restrict the created rule to a single Region.

Match On

Should the rule be evaluated on a new connection (recommended) or on every packet (required for example for non-syn packets for TCP). Evaluating rules per connection is recommended for low importance / priority rules.

Target Options

The following targets (action performed) are currently supported.

DROP

DROP the packet. Do not forward it to your backend. Perform no further action.

TCP VERIFY

Verify each TCP connection protecting against spoofed connections. Must be applied as a "All Traffic" rule.

Hooks

Two match hooks are available to customers:

• New Connection
• All traffic (unavailable on Budget services)

BPF Cheatsheet