L7 DDoS mitigation
BIOS - Apr 25, 2012
Keep seeing support threads and hearing about hotels getting hit (mostly seems to be basic L7), so I thought I'd write up a mega-thread on a few effective mitigation tips.
I'll include both free and cost-effective options. Let me know if there's anything useful I've missed, and I'll consider adding it. I'll assume you are using Cloudflare, as most likely are. If not, adapt where needed.
General tips
- Set up Cloudflare correctly.
- Add your site to Cloudflare DNS and make sure every DNS record shows an orange cloud (meaning it is proxied by Cloudflare). A grey-cloud A record leaks your origin IP and lets an attacker bypass Cloudflare entirely. Mail and other non-HTTP records cannot be proxied, so if they point at the same box they reveal the origin too; host those on a separate IP.
- Block direct access to your origin, preferably at the network edge. If you block on the server itself (IIS, NGINX, etc.) it still has to accept and process every connection, so let the provider's network scrub the traffic for you. On DigitalOcean, for example, a Cloud Firewall filters packets before they are even forwarded to your server; other providers have similar features, just look around their site.
- In that firewall, allow only Cloudflare's published IP ranges (https://www.cloudflare.com/ips/) on ports 80 and 443, and drop everything else. The list changes occasionally, so re-check it now and then. To verify, curl your origin IP directly from outside: the connection should be refused or time out.
- Optimize your site.
- Minify and bundle your JS and CSS assets with a build-time minifier, which lowers bandwidth cost and results in a faster site.
- Keep the number of SQL queries per page low, otherwise it is easy to DoS your database by spamming your heaviest pages. Check the slow query log and index the columns those queries filter on.
- On that note, generally not required for most hotels, but consider caching your database results so you don't have to query as often. Redis is a common choice for this.
- Do not neglect Cloudflare's caching settings. Revisit these and make sure you're caching as much as possible: the more resources Cloudflare serves from its cache, the less the origin server has to do. The Dr.FLARE Chrome add-on shows which resources on your site are being cached (green = cached, red = not cached, black = not served by Cloudflare). You can also check the cf-cache-status response header yourself (HIT means it came from cache).
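The "allow only Cloudflare" rule above belongs in the provider firewall, but the origin application should make the same decision before it trusts the CF-Connecting-IP header (which is what you key rate limits and bans on). The following is an added example, not code from the original post: an IPv4 CIDR matcher plus an origin guard that refuses direct connections and ignores a spoofed CF-Connecting-IP on them. The range list is a snapshot written from memory for illustration and must be refreshed from https://www.cloudflare.com/ips/ (including the IPv6 ranges, which this IPv4-only example omits) before deployment; the request shape passed to checkOrigin is assumed.

```javascript
// Added example (not from the original post): only trust CF-Connecting-IP when the
// TCP peer that reached the origin is actually a Cloudflare edge address.

// ASSUMPTION: snapshot of Cloudflare's published IPv4 ranges, copied from memory
// for illustration. Fetch the current list from https://www.cloudflare.com/ips/
// when deploying; the ranges change over time.
const CLOUDFLARE_IPV4 = [
  "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
  "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
  "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
  "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const octet = Number(p);
    if (octet > 255) return null;
    n = (n << 8) | octet;
  }
  return n >>> 0;
}

// Compile "a.b.c.d/bits" into {net, mask} once so the per-request check is two ANDs.
function parseCidr(cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const addr = ipv4ToInt(base);
  if (addr === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  // "<< 32" would wrap to "<< 0" in JS, so /0 is special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { net: (addr & mask) >>> 0, mask };
}

const CLOUDFLARE_NETS = CLOUDFLARE_IPV4.map(parseCidr);

function isCloudflareIp(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false; // IPv6 or garbage: not in this IPv4-only table
  return CLOUDFLARE_NETS.some(({ net, mask }) => ((n & mask) >>> 0) === net);
}

// remoteAddress: the TCP peer the origin actually accepted (socket address, not a header).
// headers: lower-cased header map from that same connection.
// Returns {allow: false, reason} or {allow: true, clientIp}.
function checkOrigin({ remoteAddress, headers }) {
  if (!isCloudflareIp(remoteAddress)) {
    // Direct hit on the origin: whatever CF-Connecting-IP says is attacker-controlled.
    return { allow: false, reason: "direct access (peer is not a Cloudflare edge)" };
  }
  const clientIp = headers["cf-connecting-ip"];
  if (!clientIp) {
    return { allow: false, reason: "missing CF-Connecting-IP" };
  }
  return { allow: true, clientIp };
}
```

Wire checkOrigin in as the first middleware and drop anything it refuses; everything after it (logging, rate limiting, bans) can then use clientIp safely. This is defence in depth behind the provider firewall, not a replacement for it, since the server still pays to accept the connection.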
Free tips
- HTTP floods.
- Recently many sites have seen HTTP GET floods commonly known as cache-busting attacks, i.e. example.com/?foobar2 with a different random query string on every request. These work against a standard Cloudflare setup because the default cache key includes the full query string, so every random string is a cache miss that goes straight to your origin (and HTML pages are not cached at all unless you add a Cache Everything page rule). Fine-grained custom cache keys that ignore only some parameters are an Enterprise feature (on the order of $5K/month); the coarser "Cache Level: Ignore Query String" page rule exists on every plan, but it only helps for content Cloudflare caches in the first place.
- BUT, if you do not need query strings, i.e. your site uses clean paths (e.g. example.com/me as opposed to example.com/index.php?page=me), then you can probably safely block every request that carries one.
- Cloudflare Workers (server-less compute, like AWS Lambda) is free for up to 100K requests per day, and $0.50 per million requests per month thereafter (pretty cheap, right?). You can deploy a Worker that checks for the presence of a query string before forwarding the request to your server, so the flood is absorbed at the edge and your site gets cleaner traffic. Note that the flood still counts against the Worker's request quota; it just never reaches your origin. I'll include sample worker code below.
- CAPTCHAs. Use them on your register and login pages, preferably Google reCAPTCHA. Don't use your own: most I've seen are text-based math equations which bots can easily pull out of the page and solve. If you don't like the idea of users being required to fill them out all the time, use Google's invisible reCAPTCHA mode and users won't even know it's there. Whichever you use, verify the response token server-side; a CAPTCHA checked only in the browser is skipped by any bot that posts the form directly.
- You could also enable Under Attack Mode (UAM), which makes every visitor pass a JavaScript challenge before reaching your site. It is a blunt tool, so switch it on during an attack rather than leaving it on permanently.
- You could also implement rate limiting on your server for other variants of attack, though it is more involved and generally considered a last line of defence: by the time a request reaches your rate limiter the server has already accepted the connection and parsed the request.
- Set lower hard limits on your web server, e.g. the maximum allowed request body size (client_max_body_size in NGINX, maxAllowedContentLength in IIS) and the body/header read timeouts, according to how big the data you actually expect to receive is.
Cloudflare Worker code:
JavaScript:
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
// Strip query string, and redirect.
// i.e. https://example.com/?foo=bar becomes https://example.com/
// You could also add exceptions here to ignore.
// or you could just return new Response("Blocked").
if(request.url.includes("?")){
//console.log("Nope.")
//console.log(request.url.split("?"))
return Response.redirect(request.url.split("?")[0], 301)
}
// Forward normal requests.
const response = await fetch(request)
return response
}
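The worker above redirects anything with a query string. Sites that do use a few parameters (pagination, search) cannot do that, and a redirect still lets a bot that follows 3xx responses retry. The following is an added example, not code from the original post or Cloudflare's own: a Worker that keeps only an allowlisted set of parameters per path, rewrites the request to a canonical URL (keys sorted, unknown keys dropped) so Cloudflare's cache sees one key instead of millions, blocks requests whose path takes no query at all, and also drops methods a path has no route for, which is the "no POST route on /me" rule from the paid-plan firewall section done for free. The paths /search, /news and /me and their parameters are hypothetical; substitute your own routes.

```javascript
// Added example (not from the original post): query-string normalisation and
// method filtering at the edge. ASSUMPTION: the routes below are hypothetical.
// Paths listed here accept only these query keys; anything else is stripped.
const ALLOWED_QUERY = {
  "/search": ["q", "page"],
  "/news": ["page"],
};
// Paths that have no handler for these methods, so the request is refused at the edge.
const BLOCKED_METHODS = {
  "/me": ["POST", "PUT", "DELETE"],
};

// Pure policy function so it can be tested without the Workers runtime.
// Returns {action: "pass"} | {action: "rewrite", url} | {action: "block", status}.
function decide(urlString, method) {
  const url = new URL(urlString);
  const path = url.pathname;

  const blocked = BLOCKED_METHODS[path] || [];
  if (blocked.includes(method.toUpperCase())) {
    return { action: "block", status: 405 };
  }

  // url.search is "" when there is no query at all: nothing to normalise.
  if (url.search === "") return { action: "pass" };

  const allowed = ALLOWED_QUERY[path];
  if (!allowed) {
    // This path never takes a query; "/?foobar2" style cache busting ends here.
    return { action: "block", status: 403 };
  }

  // Keep only allowlisted keys, in sorted order, first value wins for repeats.
  const kept = new URLSearchParams();
  for (const key of [...allowed].sort()) {
    const value = url.searchParams.get(key);
    if (value !== null) kept.set(key, value);
  }
  if ([...kept].length === 0) {
    // A query string with none of the expected keys is noise, not a real request.
    return { action: "block", status: 403 };
  }
  const canonical = new URL(url);
  canonical.search = kept.toString();
  return { action: "rewrite", url: canonical.toString() };
}

async function handleRequest(request) {
  const verdict = decide(request.url, request.method);
  if (verdict.action === "block") {
    return new Response("Blocked", { status: verdict.status });
  }
  if (verdict.action === "rewrite") {
    // Same method, headers and body, but the canonical URL: the subrequest goes
    // through Cloudflare's cache, so repeated variants collapse onto one cache key.
    return fetch(new Request(verdict.url, request));
  }
  return fetch(request);
}

// Register the handler when running inside the Workers runtime. The global is
// absent under Node, which is what lets decide() be unit-tested offline.
if (typeof addEventListener === "function") {
  addEventListener("fetch", event => event.respondWith(handleRequest(event.request)));
}
```

If you deploy with the module syntax instead of the service-worker syntax, replace the addEventListener call with `export default { fetch: handleRequest }`. Keep the allowlist short: every parameter you accept is another dimension an attacker can vary.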
Paid, but cheap tips
- Cloudflare Pro plan ($20/mo).
- $20/mo might be a bit too much for quite a few hotels, which is why I included it last. It does, however, have a lot of useful tools.
- WAF/Firewall: you get the additional benefit of blocking application attacks (XSS, SQLi, etc.), and you can create custom firewall rules, e.g. to block a specific attack pattern or an ASN (say, all AWS instances). Firewall rules also let you fine-tune HTTP request blocks: if you know there is no POST route on the /me page, block every "POST /me" request at the edge before it reaches your server.
- Rate limiting (10 rules): limit HTTP requests per client, most notably for POST, so that someone flooding you hits a roadblock.
- Bot Fight Mode: in the firewall settings you can enable "Bot Fight Mode", which challenges likely bots and tarpits them with CPU-heavy work, draining the resources of bots trying to flood you. (Basic Bot Fight Mode is also available on the free plan; Pro adds Super Bot Fight Mode with more control.)
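Both the "last line of defence" server-side rate limiting in the free tips and the Pro plan's rate-limiting rules come down to the same idea: a per-client budget that refills over time, with a tighter budget for POST. The following is an added example, not code from the original post: a token-bucket limiter with an injectable clock, a prune routine (an unbounded per-IP table is itself a memory DoS vector when the attacker cycles source addresses), and a request guard that layers a strict POST bucket on top of a general one. The bucket sizes and the clientIp/method request shape are assumptions; key on the Cloudflare-supplied client IP only after confirming the request came through Cloudflare.

```javascript
// Added example (not from the original post): token-bucket rate limiting on the origin.

// capacity: burst size; refillPerSecond: sustained rate; now: clock in ms (injectable for tests).
function createRateLimiter({ capacity, refillPerSecond, now = () => Date.now() }) {
  const buckets = new Map(); // key -> { tokens, updated }

  // Returns true if the request fits in the key's budget (and consumes one token).
  function allow(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b) {
      b = { tokens: capacity, updated: t };
      buckets.set(key, b);
    }
    const elapsedSeconds = Math.max(0, t - b.updated) / 1000;
    b.tokens = Math.min(capacity, b.tokens + elapsedSeconds * refillPerSecond);
    b.updated = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return true;
    }
    return false;
  }

  // Drop buckets idle longer than maxIdleMs; call periodically or the table grows
  // without bound under a flood from rotating source IPs. Returns the count removed.
  function prune(maxIdleMs) {
    const t = now();
    let removed = 0;
    for (const [key, b] of buckets) {
      if (t - b.updated > maxIdleMs) {
        buckets.delete(key);
        removed += 1;
      }
    }
    return removed;
  }

  return { allow, prune, size: () => buckets.size };
}

// ASSUMPTION: bucket sizes chosen for illustration. Tune them to your traffic.
function createRequestGuard({ now = () => Date.now() } = {}) {
  // Generous bucket for ordinary page loads and assets ...
  const general = createRateLimiter({ capacity: 60, refillPerSecond: 10, now });
  // ... and a much tighter one for state-changing requests such as login/register.
  const writes = createRateLimiter({ capacity: 5, refillPerSecond: 0.2, now });

  // clientIp must be the validated CF-Connecting-IP, never a header from a direct hit.
  function decide({ clientIp, method }) {
    if (!general.allow(clientIp)) return { status: 429, reason: "too many requests" };
    if (method === "POST" && !writes.allow(clientIp)) {
      return { status: 429, reason: "too many POSTs" };
    }
    return { status: 200 };
  }

  return { decide, prune: maxIdleMs => general.prune(maxIdleMs) + writes.prune(maxIdleMs) };
}
```

Answer a 429 with a Retry-After header and as little work as possible; the point is that the rejection path costs less than the page it protects. For multi-server setups the buckets have to live in shared storage (the Redis mentioned earlier fits), otherwise each instance hands out its own full budget.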