L7 DDoS mitigation megathread

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
L7 DDoS mitigation

Keep seeing support threads and hearing about hotels getting hit (mostly seems to be basic L7), so thought I'd write up some mega-thread on a few effective mitigation tips.

I'll include both free and cost effective options. Let me know if there's anything useful I've missed, and I'll consider adding it. I'll assume you are using Cloudflare as most likely are. If not, adapt where need be.

General tips
  1. Set up Cloudflare correctly.
    1. Add your site to Cloudflare DNS, make sure all DNS entries show an orange cloud (means it's being proxied by Cloudflare).
    2. Block direct access to your server, preferably at the network edge (if you're blocking on your server i.e. via IIS or NGINX, it can still suffer as it has to process it all still, you're better letting the network scrub traffic for you). e.g. on DigitalOcean you can set up a to filter requests before they are even forwarded to your server. Other server providers will have similar features, just look around their site:
    3. You'll want to whitelist Cloudflare's IP range access in your firewall to allow proxying from them .
  2. Optimize your site.
    1. i.e. use something like to minify all your JS and CSS assets, ultimately making bandwidth cost lower and resulting in a faster site.
    2. Don't use too many SQL queries on a single page, otherwise it'll be easy to DoS your database by spamming heavy pages.
    3. On that note, generally not required for most hotels but consider caching your database calls so you don't have to query as much. Redis can be used for this, see this for more info.
    4. Do not neglect Cloudflare . Revisit these and make sure you're caching as much as possible. The more resources you cache, the less the origin server will have to do. You can download Dr.FLARE Chrome addon to verify which resources on your site are being cached: (green=cached, red=not cached, black=not served by CF)

Free tips
  1. HTTP Floods.
  2. Recently many sites have seen HTTP GET floods commonly known as cache busting attacks i.e. example.com/?foobar2. These are effective against a standard Cloudflare installation as, by default, Cloudflare does not cache requests containing query strings. So essentially, it's treated as a fresh new resource every time. Unfortunately, effective query string caching is only available on enterprise plans (like $5K/month).
    1. BUT, if you do not need query strings, i.e. your site is RESTful (e.g. example.com/me as opposed to example.com/index.php?page=me), then you can probably safely block all query string requests.
    2. (server-less compute, like AWS Lambda) is available for free up to 100K requests per day, and then $0.50/million requests per month thereafter (pretty cheap right?). You can essentially deploy a worker which checks for the presence of a query string, before forwarding the request to your server (all the flood load will then be handled by the worker, and your site will get cleaner traffic). I'll include sample worker code below.
    3. CAPTCHAs. Use them on your register and login page. Preferably Google reCAPTCHA. Don't use your own, most I've seen are text-based math equations which bots can easily pull out of the page and crack. If you don't like the idea of users being required to fill them out all the time, you can use Google's invisible reCAPTCHA mode and users won't even know it's there.
    4. You could also enable Under attack mode (UAM).
    5. You could also implement rate limiting on your server too for other variants of attacks, though it is more involved and generally considered a last line of defence. See
    6. Set lower hard limits on your web server e.g. max allowed request body size, according to how big the data you expect to receive is. See
Example cache bust (HIT and MISS), notice the query string not being included as part of the cached resource:
You must be registered for see images attach
You must be registered for see images attach


Cloudflare Worker code:
JavaScript:
addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
  // Strip query string, and redirect.
  // i.e. https://example.com/?foo=bar becomes https://example.com/
  // You could also add exceptions here to ignore.
  // or you could just return new Response("Blocked").
  if(request.url.includes("?")){
    //console.log("Nope.")
    //console.log(request.url.split("?"))
    return Response.redirect(request.url.split("?")[0], 301)
  }
  // Forward normal requests.
  const response = await fetch(request)
  return response
}

Paid, but cheap tips
  1. Cloudflare pro plan ($20/mo).
    1. 20$/mo might be a bit too much for quite a few hotels which is why I included it last. It does however, have a lot of useful tools.
      1. WAF/Firewall - You'd get the additional benefit of blocking application attacks, e.g. XSS, SQLi, etc. You can also create custom firewall rules, i.e. to block a specific attack, or ASN (say, block all AWS instances). You could also use firewall rules to fine tune HTTP request blocks, e.g. if you know there's no POST route on the /me page, you could block all "POST /me" requests.
      2. Ratelimiting (10 rules) - You could use rate limiting to limit HTTP requests (most notably for POST), so if someone is flooding you their attack will hit a road block.
      3. Bot tarpit mode - In firewall settings you can also enable "bot fight mode" which is essentially a intelligent tarpit which will drain the resource efforts of bots trying to flood you.
Additionally just monitor your site and server access logs. If anyone's attacking you with something, it'll all be in there.
if you do not know your enemies nor yourself, you will be imperiled in every single battle - Sun Tzu
 
Last edited:

Rebel

Spilling the tea, can't you read?🍵
Dec 24, 2015
186
161
Magically, this will help many people! Thank you

Most people have been getting hit by this guy "ϟмαяcυsϟ#3967"

You must be registered for see images attach

You must be registered for see images attach
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Magically, this will help many people! Thank you

Most people have been getting hit by this guy "ϟмαяcυsϟ#3967"

You must be registered for see images attach

You must be registered for see images attach
Check what type of requests are in the logs. Most likely just a HTTP GET flood.

Also check how many of those requests were cached vs uncached. The uncached requests will be what overwhelmed the server.
 
Last edited:

Parsov

Member
May 18, 2016
315
206
Or just make a proper System with Golang;).
Heard FPM can help aswell if you using PHP never used myself tho. I like how you went through all of this.
It will definitely help but in the long-run if you have a shit coded CMS it'll always fail.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Or just make a proper CMS with Golang;).
Heard FPM can help aswell if you using PHP never used myself tho. I like how you went through all of this.
It will but definitely help but in the long-run if you have a shit coded CMS it'll always fail.
Even Golang can't save you if you don't implement basic things like rate limiting. It'd probably just knock over an unoptimized database faster.
 

Parsov

Member
May 18, 2016
315
206
Yep I fixed my post so there is no confusion but a decent protection service + some good stuff in Golang and nothing will stop you haha trust.
Some people make these system in Rust.

But I doubt anyone will be bothered to do that from the retro community :)


It wouldn't matter if you do it in Golang if you don't handle things properly all of them will fail
 
Last edited:

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Yep I fixed my post so there is no confusion but a decent protection service + some good stuff in Golang and nothing will stop you haha trust.
Some people make these system in Rust.

But I doubt anyone will be bothered to do that from the retro community :)


It wouldn't matter if you do it in Golang if you don't handle things properly all of them will fail
Yeah, Rust with a clustered Redis backend on decent servers and you aren't going anywhere anytime soon. Overkill though for a retro.

Actually have a basic Golang CMS but haven't worked on it in a while. PHP is more than enough though, provided you have decent mitigations in place.
 

Parsov

Member
May 18, 2016
315
206
Yeah, Rust with a clustered Redis backend on decent servers and you aren't going anywhere anytime soon. Overkill though for a retro.

Actually have a basic Golang CMS but haven't worked on it in a while. PHP is more than enough though, provided you have decent mitigations in place.
Redis is good but you can use any as long as you handle the data within your web service properly (most retro cms don't). What I'm saying is You can do all rate limiting / load balancing / restriction / user agent control yourself instead of spending money on another service you can basically do it YOUR way. Which is the best way. I'm not saying your tutorial is wrong your tutorial is pretty great.
I just wanted to mention that if someone has a shit CMS don't expect this to help you in the long-run.

And decent server is a key.
Languages like GoLang & Rust I can even include Python or C++ in there can handle god knows how many requests per second if you do it correctly.
These languages are powerful for the people who know how to use it :).

For retros a normal Clean Laravel App with some sort of custom restrictions + cloudflare would be excellent.
just saying for anyone who wants to use something other than cloudflare the "other" will be shit.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Redis is good but you can use any as long as you handle the data within your web service properly (most retro cms don't). What I'm saying is You can do all rate limiting / load balancing / restriction / user agent control yourself instead of spending money on another service you can basically do it YOUR way. Which is the best way. I'm not saying your tutorial is wrong your tutorial is pretty great.
I just wanted to mention that if someone has a shit CMS don't expect this to help you in the long-run.

And decent server is a key.
Languages like GoLang & Rust I can even include Python or C++ in there can handle god knows how many requests per second if you do it correctly.
These languages are powerful for the people who know how to use it :).

For retros a normal Clean Laravel App with some sort of custom restrictions + cloudflare would be excellent.
just saying for anyone who wants to use something other than cloudflare the "other" will be shit.
Retros shouldn't really be trying to do all the DDoS protection themselves, it costs a lot and can be hard to maintain when done properly. Not talking about just a single load balancer here or there, I mean a whole traffic scrubbing network with high throughput.

My method basically utilises Cloudflare's already well established network to do most of that. Relieving the server of a lot of work, and it's free for the most part, so most retros could adopt it for nothing.
 
Last edited:

Parsov

Member
May 18, 2016
315
206
Retros shouldn't really be trying to do all the DDoS protection themselves, it costs a lot and can be hard to maintain when done properly. Not talking about just a single load balancer here or there, I mean a whole traffic scrubbing network with high throughput.

My method basically utilises Cloudflare's already well established network to do most of that. Relieving the server of a lot of work, and it's free for the most part.

Yes of course but let's not forget Cloudflare is a platform you also spend money on and to get proper decent protection you would have to spend more money than actually making anything yourself.
You're limited to a lot of things on Cloudflare. You can still use Cloudflare Services but to an extend where you're not giving your wallet to them. I agree with how complicated it can be to basically replicate most things Cloudflare does. But let's not forget that proper protection from their end costs proper money.

So you're well off making some of the simple things yourself instead of paying 5-10$ for each small service. You should still use Cloudflare though.

Everyone has different approaches.
 

Shxrty

Shorty#1960
Mar 31, 2018
629
163
Magically, this will help many people! Thank you

Most people have been getting hit by this guy "ϟмαяcυsϟ#3967"

You must be registered for see images attach

You must be registered for see images attach

This is very much true, he also likes to beg for files. He was begging me for my EMU/SWFs that i currently use for my hotel and i said i didnt want to give them out.

You must be registered for see images attach
You must be registered for see images attach
 

yoyok

Member
Apr 24, 2013
197
24
Alot of the information you have provided will not work.
Free never work! Do you really think big companies didn't try this 10 years ago?

The paid option will only work. Cloudflare PRO rate limiting will do the work together with Bot-fight mode.
Also what you can do is, with the Cloudflare API set a Recaptcha automatically turn on for every country where the D(D)oS is in-coming from.

Last but not least, the UAM from Cloudflare can be bypassed by everyone with a little bit knowledge. Before on Recaptcha with Google it was also possible. On Hcaptcha i did not see it by bypassed.
Post automatically merged:

 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Alot of the information you have provided will not work.
Free never work! Do you really think big companies didn't try this 10 years ago?

The paid option will only work. Cloudflare PRO rate limiting will do the work together with Bot-fight mode.
Also what you can do is, with the Cloudflare API set a Recaptcha automatically turn on for every country where the D(D)oS is in-coming from.

Last but not least, the UAM from Cloudflare can be bypassed by everyone with a little bit knowledge. Before on Recaptcha with Google it was also possible. On Hcaptcha i did not see it by bypassed.
Post automatically merged:
Did you even read the thread?
 

habbouser

New Member
Nov 15, 2020
28
3
Can we completely prevent exposing IP? Because it's always showed in /client (to connect to emulator). You can "hide" it in external_variables.txt, but most people know this trick.
Any good tips to hide the IP?
 

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
580
245
Can we completely prevent exposing IP? Because it's always showed in /client (to connect to emulator). You can "hide" it in external_variables.txt, but most people know this trick.
Any good tips to hide the IP?

Follow the tutorial that I shared a few months back if using IIS



By doing this even if someone has the direct IP address as long as your server has a decent Layer 7 protection you will be basically sorted once you tune up the firewall on CloudFlare's side to block the most dangerous ASN's
 

habbouser

New Member
Nov 15, 2020
28
3
Follow the tutorial that I shared a few months back if using IIS



By doing this even if someone has the direct IP address as long as your server has a decent Layer 7 protection you will be basically sorted once you tune up the firewall on CloudFlare's side to block the most dangerous ASN's
Yes, I've set this exact same thing up (for Ubuntu VPS). But people are still able to DDoS. It's not a full block.
 

habbouser

New Member
Nov 15, 2020
28
3
Have you tried the linux script that I released for this ?
Wrote my own script. Does about the same. But that will not make sense for the emulator. You can't proxy the emulator via Cloudflare. The IP of the emulator will be exposed in the client (because client needs to connect to it).
I think blocking it in the IP tables / firewall will not fix the issue.
 

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
580
245
There are plenty of rules that can be applied direct to IP tables to stop emulator attacks or install software such as fail2ban or csf, also harden the linux system to prevent spoofing and false syn packets
 

Users who are viewing this thread

Top