Layer 7 skids

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
Someone thinks they are an elite hacker because they can throw bots at our site. Fuck off! :)

Cloudflare is on for some time now lol... cannot be f'd with to code custom rules to filter the bots.

I will investigate further into Layer 7 protection options for XenForo, when I do .. those attacks should do nothing. Currently they obviously just eat up RAM primarily from the database queries...

Edit for more info: We had over 1,000 website requests per second, not cool. Just a typical Layer 7 DDoS, where someone drives bots to fetch the website pretending to be a real visitor. Exhausts system resources, slows site loads.
 

null3d

Member
Oct 9, 2015
40
24
43
Rate limiting on the server level would solve that. You would just need to use the Real-IP module from Cloudflare to not block legitimate users.

Code:
# belongs in the http { } context: one 10 MB zone keyed by client IP, 5 requests/second per IP
limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;

server {
    listen 443;   # a real deployment adds "ssl" here plus ssl_certificate/ssl_certificate_key
    location / {
        # queue up to 12 excess requests; the first 8 pass immediately, the rest are slowed to 5r/s,
        # anything above the burst is rejected (delay= needs nginx 1.15.7+)
        limit_req zone=ip burst=12 delay=8;
        proxy_pass https://r4p3.net;
    }
}

is a good example.
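An added configuration example (not null3d's posted snippet and not the forum's own config) showing how the per-IP limit above combines with Cloudflare's real-IP handling, which the post mentions but does not show, plus a 429 status and logging so throttled clients can be told apart from a broken backend. The zone names, server_name, certificate paths and the Cloudflare range subset are assumptions.

```nginx
# Everything up to server { } lives in the http { } context.

# Trust the visitor-IP header only on connections that come from Cloudflare;
# otherwise any direct client could forge it to dodge the limit or get someone
# else throttled. Subset of Cloudflare's published ranges (assumed, may be out
# of date): replace with the current list from https://www.cloudflare.com/ips/
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 172.64.0.0/13;
real_ip_header CF-Connecting-IP;

# After real_ip, $binary_remote_addr is the visitor, not the Cloudflare edge,
# so one zone no longer throttles every visitor behind the same edge node.
limit_req_zone  $binary_remote_addr zone=perip:10m rate=5r/s;
# Also cap concurrent connections per visitor: slow-read floods hold sockets
# open instead of sending many requests and slip past a request-rate limit.
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;

# 429 instead of the default 503 keeps "rate limited" distinguishable from
# "origin down" in access logs and uptime checks; warn-level log lines make
# the rejected clients easy to grep during an incident.
limit_req_status    429;
limit_conn_status   429;
limit_req_log_level warn;

server {
    listen 443 ssl;
    server_name example.com;                         # placeholder
    ssl_certificate     /etc/ssl/example.com.crt;    # placeholder paths
    ssl_certificate_key /etc/ssl/example.com.key;

    location / {
        # Up to 12 queued excess requests: the first 8 are served at once,
        # the next 4 are slowed to 5r/s, anything beyond is rejected (429).
        limit_req  zone=perip burst=12 delay=8;
        limit_conn perip_conn 20;
        proxy_pass https://r4p3.net;                 # upstream from the post
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Check the effect with `nginx -t` and then watch the error log for "limiting requests" entries before tightening the rate further.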
 

Asphyxia

null3d said: "is a good example."
Thank you very much, I may look into this also:

But yes, I have heard Rate Limiting with NGINX and NGINX Plus is an AWESOME solution.

Thank you @null3d - when I get a proper minute I will definitely work to apply a good solution and document the whole thing into a video and text tutorial on this forum.

Ick..

That has outdated nginx and insecure OpenSSL running!

Other insightful posts - https://serverfault.com/a/764364

I have heard good things about HAProxy https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ - https://www.haproxy.com/blog/application-layer-ddos-attack-protection-with-haproxy/ - https://www.haproxy.com/blog/bot-protection-with-haproxy/

Whoa, this one over here has tarpit - https://github.com/analytically/haproxy-ddos

More HAProxy stuff https://news.ycombinator.com/item?id=18415532

Even more HAProxy https://panel.bullten.net/knowledge...Blancing-And-Protecting-Apache-From-DDos.html

More.. https://discourse.haproxy.org/t/looking-for-ddos-protection-found-haproxy/1736/3


The moment when you smile proudly and are like "Whoa, we are actually on first page of Google results."...... neat!


I will do multiple tests between HAProxy and NGINX to find which is best for working as a frontline defense to protect a website from DDoS.

Some final materials to study up:
"queuing facility in HAProxy i.e. don't flood the Apache server with too many requests (maxconns)."
https://www.loadbalancer.org/blog/black-friday-black-out-protection-with-haproxy/
Random fact.. some DigitalOcean stuff is offline right now https://status.digitalocean.com/

Example HAProxy configuration here: http://downloads.loadbalancer.org/releases/examples/haproxy_manual_example.cfg

I plan to perform actual Layer 7 DDoS attacks/floods on a test server (of my own, with my own attack).
I will work to ensure the Layer 7 DDoS defense is strong enough to combat most common attack scripts.


Probably due for a stronger WAF, for example:
https://www.haproxy.com/solutions/security/ "Enable the high-performance Web Application Firewall, which supports multiple modes including blacklist-based signature support, whitelist-only mode, and ModSecurity ruleset support."

So very excited to work more on this stuff ;) will also support big requests for "Anti-DDoS and DDoS" content!!

Edit: a few more resources to reference while building protection..
 

UnlimitedBytes

New Member
Feb 20, 2019
4
12
8
It is definitely not recommended to write a tutorial about your DDoS protection. The only thing that makes a DDoS protection secure is that no one else than the developer and the administrator knows exactly how it works, because mostly, if you know how the DDoS protection works, you can easily bypass it.

The only real working solution to prevent DDoS attacks is to have enough resources to operate normally while you are under DDoS attacks.
But stuff like limiting the number of requests a user can make per timespan, or routing through a stable network with human validation (like reCAPTCHA), can increase the protection a little bit.
 

Asphyxia

UnlimitedBytes said: "not recommended to write a tutorial about your DDoS protection"
I have mixed drinks about my feelings on this one.


Saying "We have HAProxy", while not necessarily the best idea in the world.. will not hurt much.

Saying we rate limit x requests per second also is not a great idea but if rate limiting is setup properly and blocking MOST common HTTP(S) DDoS attacks is configured, I see slim harm in showcasing DDoS protection for Layer 7.

No matter how well you are protected, someone can find that information anyways by - well simply trying it? For example, if they hit you at 1 request per second and it keeps going, no problemo. What about 2? Great, 3.. sure.

Okay, so then they count by 2s: 4, 6, 8 requests per second, up until 10 where they see a block. Then they hit you at 9 requests per second and it keeps going through. Now just spread the attack out, see what I mean?

Not saying you are wrong by any means, because you make some good points. It's just that DDoS protection is a never-ending bitch lol and ESPECIALLY when you are fighting a botnet.

Here are 3 primary options you have to combat web app DDoS:

1. Get a damn good load balancer setup like Envoy or HAProxy, read more here.

2. Use a cloud service to help mitigate malicious bots and DDoS like Cloudflare (free has a DDoS browser challenge mode but must be enabled manually, or you could use the API to auto-set the mode), $99 AppTrana, KeyCDN is about $40/m for 1TB of traffic, after Sucuri's buyout in 2017 I am unsure of them but they worked in the past, beyond this there are others but the main idea is CLOUD SERVICES cost monthly. To go build your own damn data center with the fiber lines, to handle the throughput, power, etc.. it would cost a lot. Main lesson here is to use monthly services when it makes sense.

3. If you don't want to go with building your own load balancer on a monthly paid server, then lastly you could build your own colocated rack with a Layer 7 hardware firewall, but this is impractical and too expensive:

Buying your firewall hardware alone may run you $10,000+ https://www.cdw.com/search/?key=Barracuda web firewall
 