Layer 7 skids

Asphyxia

Server Monkey, Administrator | Joined: Apr 25, 2015 | Messages: 1,206 | Points: 252 | Age: 26 | Location: North America
Someone thinks they are an elite hacker because they can throw bots at our site. Fuck off! :)


Cloudflare has been on for some time now lol... can't be f'd to code custom rules to filter the bots.

I will investigate Layer 7 protection options for XenForo further; when I do, those attacks should do nothing. Currently they obviously just eat up RAM, primarily from the database queries...

Edit for more info: We had over 1,000 website requests per second, not cool. Just a typical Layer 7 DDoS, where someone drives bots to fetch the website pretending to be a real visitor. It exhausts system resources and slows site loads.
 

null3d

Member | Joined: Oct 9, 2015 | Messages: 40 | Points: 43 | Age: 29
Rate limiting on the server level would solve that. You would just need to use the Real-IP module from Cloudflare to not block legitimate users.

Code:
# Behind Cloudflare, configure the real-IP module first (set_real_ip_from + real_ip_header CF-Connecting-IP);
# otherwise $binary_remote_addr is Cloudflare's edge address and one limit is shared by every visitor.
limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;

server {
    listen 443 ssl;    # TLS listener; ssl_certificate / ssl_certificate_key belong here
    location / {
        # queue up to 12 excess requests, delay those beyond the first 8 (delay= needs nginx 1.15.7+)
        limit_req zone=ip burst=12 delay=8;
        proxy_pass https://r4p3.net;
    }
}
is a good example.
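A fuller version of the same idea, written as an added example for this thread (it is not null3d's config and not anything shipped by nginx or XenForo): it restores the visitor address from Cloudflare so the limit keys on the real client, caps requests and concurrent connections per visitor, answers excess with 429 instead of 503, and caps in-flight requests to the app with max_conns, the open source nginx counterpart of the HAProxy maxconn queuing mentioned later in the thread. The Cloudflare address ranges, the backend address 127.0.0.1:8080, the hostname, the certificate paths and the document root are all placeholders I made up; substitute your own.

```nginx
# --- http context ---

# Trust only Cloudflare edges for the real client address and read it from
# CF-Connecting-IP. The two ranges below are placeholders; load the current
# list from Cloudflare's published IP ranges instead.
set_real_ip_from 203.0.113.0/24;      # placeholder, not a Cloudflare range
set_real_ip_from 2001:db8::/32;       # placeholder, not a Cloudflare range
real_ip_header   CF-Connecting-IP;

# Shared-memory zones keyed on the (now restored) visitor address:
# 10m holds roughly 160k IPv4 states per zone.
limit_req_zone  $binary_remote_addr zone=req_per_ip:10m  rate=5r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

# 429 tells well-behaved clients to back off; the default 503 looks like an outage.
limit_req_status  429;
limit_conn_status 429;
limit_req_log_level warn;

upstream xenforo_app {
    # max_conns caps in-flight requests to the app (open source nginx >= 1.11.5);
    # anything beyond fails fast instead of piling up PHP and MySQL work.
    server 127.0.0.1:8080 max_conns=64;   # assumed backend address
}

server {
    listen 443 ssl;
    server_name forum.example.com;                      # assumed hostname
    ssl_certificate     /etc/nginx/certs/forum.pem;     # assumed path
    ssl_certificate_key /etc/nginx/certs/forum.key;     # assumed path

    # Static assets are cheap to serve; keep them out of the request budget so a
    # page load with its CSS/JS does not eat the visitor's allowance.
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        root    /var/www/xenforo;                       # assumed document root
        expires 7d;
    }

    location / {
        # burst=20 absorbs a short legitimate spike (page plus a few XHR calls);
        # nodelay serves the burst immediately and rejects anything past it.
        limit_req  zone=req_per_ip burst=20 nodelay;
        # no single visitor may hold more than 10 connections open at once
        limit_conn conn_per_ip 10;

        proxy_pass http://xenforo_app;
        proxy_set_header Host       $host;
        proxy_set_header X-Real-IP  $remote_addr;
    }
}
```

Two things worth knowing when tuning this: real_ip_header is only honoured for connections from the set_real_ip_from addresses, so a bot that hits the origin directly bypassing Cloudflare is still limited on its own source address; and 5r/s per visitor is a starting point, so watch the error log for limit_req warnings against known-good clients before tightening it.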
 

Asphyxia

Server Monkey, Administrator | Joined: Apr 25, 2015 | Messages: 1,206 | Points: 252 | Age: 26 | Location: North America
Thank you very much, I may look into this also:

But yes, I have heard Rate Limiting with NGINX and NGINX Plus is an AWESOME solution.

Thank you @null3d - when I get a proper minute I will definitely work to apply a good solution and document the whole thing into a video and text tutorial on this forum.

Ick...

That has outdated nginx and an insecure OpenSSL running!
Other insightful posts - https://serverfault.com/a/764364

I have heard good things about HAProxy https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ - https://www.haproxy.com/blog/application-layer-ddos-attack-protection-with-haproxy/ - https://www.haproxy.com/blog/bot-protection-with-haproxy/

Whoa, this one over here has tarpit - https://github.com/analytically/haproxy-ddos

More HAProxy stuff https://news.ycombinator.com/item?id=18415532

Even more HAProxy https://panel.bullten.net/knowledgebase/6/Installing-HAProxy-For-Load-Blancing-And-Protecting-Apache-From-DDos.html

More.. https://discourse.haproxy.org/t/looking-for-ddos-protection-found-haproxy/1736/3


The moment when you smile proudly and are like "Whoa, we are actually on the first page of Google results."... neat!


I will do multiple tests of HAProxy and NGINX to find which works best as a frontline defense to protect a website from DDoS.

Some final materials to study up:
"queuing facility in HAProxy i.e. don't flood the Apache server with too many requests (maxconns)."
https://www.loadbalancer.org/blog/black-friday-black-out-protection-with-haproxy/
Random fact... some DigitalOcean stuff is offline right now https://status.digitalocean.com/

Example HAProxy configuration here: http://downloads.loadbalancer.org/releases/examples/haproxy_manual_example.cfg

I plan to perform actual Layer 7 DDoS attacks/floods on a test server (of my own, with my own attack).
I will work to ensure the Layer 7 DDoS defense is strong enough to combat most common attack scripts.


Probably due for a stronger WAF, for example:
https://www.haproxy.com/solutions/security/ "Enable the high-performance Web Application Firewall, which supports multiple modes including blacklist-based signature support, whitelist-only mode, and ModSecurity ruleset support."

So very excited to work more on this stuff ;) will also support big requests for "Anti-DDoS and DDoS" content!!

Edit: a few more resources to reference while building protection...
 
