Layer 7 skids

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Someone thinks they are an elite hacker because they can throw bots at our site. Fuck off! :)

2116

Cloudflare is on for some time now lol... cannot be f'd with to code custom rules to filter the bots.

I will investigate further into Layer 7 protection options for XenForo, when I do .. those attacks should do nothing. Currently they obviously just eat up RAM primarily from the database queries...

Edit for more info: We had over 1,000 website requests per second, not cool. Just a typical Layer 7 DDoS, where someone drives bots to fetch the website pretending to be a real visitor. Exhausts system resources, slows site loads.
 
Last edited:

null3d

Member
Oct 9, 2015
40
24
43
Ratelimiting on serverlevel would solve that. You would just need to use the Real-IP-Module from cloudflare to not block legitimate users.

Code:
limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;

server {
    listen 443;
    location / {
        limit_req zone=ip burst=12 delay=8;
        proxy_pass https://r4p3.net;
    }
}

is a good example.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
is a good example.
Thank you very much, I may look into this also:

But yes, I have heard Rate Limiting with NGINX and NGINX Plus is an AWESOME solution.

Thank you @null3d - when I get a proper minute I will definitely work to apply a good solution and document the whole thing into a video and text tutorial on this forum.

Ick..

That has outdated nginx and insecure openssl running !

Other insightful posts - https://serverfault.com/a/764364

I have heard good things about HAProxy https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ - https://www.haproxy.com/blog/application-layer-ddos-attack-protection-with-haproxy/ - https://www.haproxy.com/blog/bot-protection-with-haproxy/

Whoa, this one over here has tarpit - https://github.com/analytically/haproxy-ddos

More HAProxy stuff https://news.ycombinator.com/item?id=18415532

Even more HAProxy https://panel.bullten.net/knowledge...Blancing-And-Protecting-Apache-From-DDos.html

More.. https://discourse.haproxy.org/t/looking-for-ddos-protection-found-haproxy/1736/3

2117

The moment when you smile proudly and are like "Whoa, we are actually on first page of Google results."...... neat!


I will do multiple testings between HAProxy and NGINX to find which is best for working as a frontline defense to protect a website from DDoS.

Some final materials to study up:
"queuing facility in HAProxy i.e. don't flood the Apache server with too many requests (maxconns)."
https://www.loadbalancer.org/blog/black-friday-black-out-protection-with-haproxy/
Random fact.. some DigitalOcean stuff is offline right now https://status.digitalocean.com/

Example HAProxy configuration here: http://downloads.loadbalancer.org/releases/examples/haproxy_manual_example.cfg

I plan to perform actual Layer 7 DDoS attacks/floods on a test server (of my own, with my own attack).
I will work to ensure the Layer 7 DDoS defense is strong enough to combat most common attack scripts.


Probably due for a stronger WAF, for example:
https://www.haproxy.com/solutions/security/ "Enable the high-performance Web Application Firewall, which supports multiple modes including blacklist-based signature support, whitelist-only mode, and ModSecurity ruleset support."

So very excited to work more on this stuff ;) will also support big requests for "Anti-DDoS and DDoS" content!!

Edit: a few more resources to reference while building protection..
 
Last edited:

UnlimitedBytes

New Member
Feb 20, 2019
4
12
8
It is definitely not recommended to write a tutorial about your DDoS protection. The only thing that makes a DDoS protection secure is that no one else then the developer and the administrator knows exactly how it works. Because mostly if you know how the DDoS protection works you can easily bypass it.

The only real working solution to prevent DDoS-Attacks is to have enough resources to operate normally while you under DDoS-Attacks.
But stuff like limiting the number of requests a user can make per timespan, route through a stable network with human validation (like recaptcha) can increase the protection a little bit.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
not recommended to write a tutorial about your DDoS protection
I have mixed drinks about my feelings on this one.


Saying "We have HA Proxy", while not necessarily the best idea in the world.. that will not hurt much.

Saying we rate limit x requests per second also is not a great idea but if rate limiting is setup properly and blocking MOST common HTTP(S) DDoS attacks is configured, I see slim harm in showcasing DDoS protection for Layer 7.

No matter how well you are protected, someone can find that information anyways by - well simply trying it? For example, if they hit you at 1 request per second and it keeps going, no problemo. What about 2? Great, 3.. sure.

Okay, so then they count by 2s. 4, 6, 8 requests per seconds, up until 10 where they see a block. Then they hit you at 9 requests per second and it keeps going through. Now just spread the attack out, see what I mean?

Not saying you are wrong by any means, because you make some good points. It's just that DDoS protection is a never-ending bitch lol and ESPECIALLY when you are fighting a botnet.

Here are 3 primary options you have to combat web app DDoS:

Get a damn good load balancer setup like Envoy or HA Proxy, read more here.
Use a cloud service to help mitigate malicious bots and DDoS like Cloudflare (free has a DDoS browser challenge mode but must be enabled manually or you could use API to auto set the mode), $99 AppTrana, KeyCDN is about $40/m for 1TB of traffic, after Sucuri's buyout in 2017 I am unsure of them but they worked in the past, beyond this there are others but the main idea is CLOUD SERVICES cost monthly. To go build your own damn data center with the fiber lines, to handle the throughput, power, etc.. it would cost a lot. Main lesson here is to use monthly services when it makes sense.

If you don't want to go with building your own load balancer on a monthly paid server, then lastly you could build your own colocated rack with Layer 7 hardware firewall but this is impractical and too expensive:
2243

Buying your firewall hardware alone may run you $10,000+ https://www.cdw.com/search/?key=Barracuda web firewall
 
Last edited:
Top