Overview

XIMP’s DDoS prevention module analyzes traffic patterns and automatically mitigates volumetric and application-layer attacks before they reach protected workloads. The module operates in two modes: Monitor (detection only) and Mitigate (automatic blocking).
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.
Prerequisites
  • Administrator credentials with the admin role
  • Network flow collection configured (see Agent Configuration)
  • Baseline traffic patterns established (minimum 72 hours of Monitor mode data recommended)

Configuring DDoS Protection Policy

Navigate to DDoS Protection

Navigate to Monitoring → Security → DDoS Protection → Policies.

Configure detection settings

Setting | Description | Recommended
Detection Mode | Monitor (alerts only) or Mitigate (automatic blocking) | Start with Monitor
Threshold — Volumetric | Inbound packet rate (pps) or bandwidth (Mbps) triggering detection | 2× baseline peak
Threshold — SYN Flood | New TCP connections/second before SYN-cookie protection activates | 10,000 conn/s
Block Duration | How long a detected source is blocked before reassessment | 5 minutes
Whitelist | IP ranges exempt from DDoS mitigation | Monitoring systems, partner IPs

Start with Monitor mode to baseline normal traffic patterns for at least 72 hours before switching to Mitigate mode. Aggressive thresholds in mitigation mode may block legitimate traffic, causing customer-facing outages.

Add whitelist entries

Add IP ranges that should never be blocked regardless of traffic volume:
  • XIMP monitoring system IPs (prevent self-blocking)
  • Partner or customer IP ranges with legitimate high-volume traffic
  • Internal automation systems
Navigate to DDoS Protection → Whitelist → Add Entry.

Switch to Mitigate mode

After at least 72 hours of Monitor mode with no false positives:
  1. Review the alert history for any false positive detections
  2. Add any flagged legitimate sources to the whitelist
  3. Switch the policy to Mitigate mode
The policy now shows Mitigate mode as active. Check the DDoS Events feed to confirm that no legitimate traffic is being blocked.
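To make the policy logic concrete, the following is an added Python model (not XIMP's own code) of how the settings above combine: the volumetric threshold set at 2× the peak observed in Monitor mode, the SYN-flood threshold, the whitelist, the 5-minute block duration, and the difference between Monitor and Mitigate mode. The baseline figure, flow samples and IP addresses are constructed for the illustration, and the event fields mirror the DDoS Events feed described further down.

```python
import ipaddress
from dataclasses import dataclass, field
BASELINE_PEAK_PPS = 40_000  # constructed: peak seen during 72 h of Monitor mode

@dataclass
class Policy:
    mode: str                    # "Monitor" (alert only) or "Mitigate" (block)
    volumetric_pps: int          # recommended setting: 2x baseline peak
    syn_flood_cps: int = 10_000  # new TCP connections/s before SYN protection
    block_seconds: int = 300     # block duration (5 minutes) before reassessment
    whitelist: list = field(default_factory=list)  # ipaddress networks

@dataclass
class Sample:
    ts: int           # seconds since start of the window
    src: str          # source IP of the flow sample
    pps: int = 0      # inbound packets/s from src
    syn_cps: int = 0  # new TCP connections/s from src

def evaluate(policy, samples):
    """Apply the policy to flow samples; returns (events, blocked-until map)."""
    events, blocked = [], {}
    for s in samples:
        # Drop blocks whose duration has elapsed (the reassessment point).
        blocked = {ip: exp for ip, exp in blocked.items() if exp > s.ts}
        if s.pps >= policy.volumetric_pps:
            kind, peak = "volumetric", f"{s.pps} pps"
        elif s.syn_cps >= policy.syn_flood_cps:
            kind, peak = "syn-flood", f"{s.syn_cps} conn/s"
        else:
            continue  # below both thresholds: nothing to report
        if any(ipaddress.ip_address(s.src) in net for net in policy.whitelist):
            continue  # exempt regardless of volume (monitoring, partner IPs)
        if policy.mode == "Mitigate":
            blocked[s.src] = s.ts + policy.block_seconds
            action, status = "Blocked", "Mitigated"
        else:
            action, status = "Alert only", "Active"
        events.append({"time": s.ts, "source": s.src, "type": kind,
                       "peak": peak, "status": status, "action": action})
    return events, blocked

POLICY = Policy("Mitigate", 2 * BASELINE_PEAK_PPS,
                whitelist=[ipaddress.ip_network("192.0.2.0/24")])
SAMPLES = [  # constructed flow samples
    Sample(0, "203.0.113.50", pps=90_000),       # volumetric: above 80,000 pps
    Sample(10, "198.51.100.7", syn_cps=12_000),  # SYN flood: above 10,000/s
    Sample(20, "192.0.2.10", pps=100_000),       # whitelisted monitoring host
    Sample(400, "203.0.113.50", pps=1_000),      # block expired, rate normal
]
```

Running the same samples with the mode set to "Monitor" yields the same two events with an Action Taken of "Alert only" and nothing blocked, which is the alert history step 1 asks you to review before switching modes.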

Reviewing DDoS Events

Navigate to Monitoring → Security → DDoS Events to review detected and mitigated attacks:
Column | Description
Time | When the detection occurred
Source IP | Originating attack IP or range
Type | volumetric, syn-flood, application-layer, or anomaly
Peak Rate | Maximum observed attack bandwidth or packet rate
Status | Active, Mitigated, or Expired
Action Taken | Alert only (Monitor mode) or Blocked (Mitigate mode)

Handling False Positives

If a legitimate source is incorrectly blocked:

Identify the blocked source

Check whether a specific IP is on the blocklist:
ximp security ddos blocklist | grep <IP_ADDRESS>

Unblock the source

Unblock a specific source:
ximp security ddos unblock --source 203.0.113.50

Add to whitelist to prevent future blocks

Navigate to DDoS Protection → Whitelist → Add Entry and add the IP range of the legitimate source with a descriptive comment.
The source is now unblocked, and the whitelist entry prevents it from being blocked again.

Next Steps

Network Monitoring (User Guide)

User-level network traffic analysis for attack investigation

Alert Channels

Configure notification channels for DDoS detection events

Security

Overall XIMP security configuration including access control

Troubleshooting

Diagnose false positive blocks and detection threshold tuning