L7 DDoS mitigation megathread
<blockquote data-quote="BIOS" data-source="post: 461189" data-attributes="member: 15674">
<p><span style="font-size: 22px">L7 DDoS mitigation</span></p>
<p></p>
<p>Keep seeing support threads and hearing about hotels getting hit (mostly seems to be basic L7), so I thought I'd write up a mega-thread on a few effective mitigation tips.</p>
<p></p>
<p>I'll include both free and cost-effective options. Let me know if there's anything useful I've missed, and I'll consider adding it. I'll assume you are using Cloudflare, as most likely are. If not, adapt where need be.</p>
<p></p>
<p><span style="font-size: 18px">General tips</span></p>
<ol>
<li data-xf-list-type="ol"><strong>Set up Cloudflare correctly.</strong>
<ol>
<li data-xf-list-type="ol">Add your site to Cloudflare DNS and make sure all DNS entries show an orange cloud (meaning they're being proxied by Cloudflare).</li>
<li data-xf-list-type="ol">Block direct access to your server, preferably at the network edge (if you're blocking on your server, e.g. via IIS or NGINX, it can still suffer as it has to process it all; you're better off letting the network scrub traffic for you). E.g. on DigitalOcean you can set up a <a href="https://www.digitalocean.com/products/cloud-firewalls/" target="_blank">cloud firewall</a> to filter requests before they are even forwarded to your server. Other server providers will have similar features, just look around their site: <a href="https://docs.ovh.com/gb/en/dedicated/firewall-network/" target="_blank">https://docs.ovh.com/gb/en/dedicated/firewall-network/</a></li>
<li data-xf-list-type="ol">You'll want to whitelist Cloudflare's IP ranges in your firewall to allow proxying from them: <a href="https://www.cloudflare.com/ips/" target="_blank">https://www.cloudflare.com/ips/</a>.</li>
</ol></li>
<li data-xf-list-type="ol"><strong>Optimize your site.</strong>
<ol>
<li data-xf-list-type="ol">E.g. use something like <a href="https://www.minifier.org/" target="_blank">https://www.minifier.org</a> to minify all your JS and CSS assets, ultimately lowering bandwidth cost and resulting in a faster site.</li>
<li data-xf-list-type="ol">Don't use too many SQL queries on a single page, otherwise it'll be easy to DoS your database by spamming heavy pages.</li>
<li data-xf-list-type="ol">On that note, generally not required for most hotels, but consider caching your database calls so you don't have to query as much. Redis can be used for this; see this <a href="https://www.sitepoint.com/speeding-up-existing-apps-with-a-redis-cache/" target="_blank">link</a> for more info.</li>
<li data-xf-list-type="ol">Do not neglect Cloudflare's <a href="https://support.cloudflare.com/hc/en-us/articles/202775670-Customizing-Cloudflare-s-cache" target="_blank">caching settings</a>. Revisit these and make sure you're caching as much as possible. The more resources you cache, the less the origin server will have to do. You can download the Dr.FLARE Chrome addon to verify which resources on your site are being cached: <a href="https://chrome.google.com/webstore/detail/drflare/pibckhncbjabhlomohgcdedacopeooml?hl=en" target="_blank">https://chrome.google.com/webstore/detail/drflare/pibckhncbjabhlomohgcdedacopeooml?hl=en</a> (green = cached, red = not cached, black = not served by CF)</li>
</ol></li>
</ol>
<p></p>
<p><span style="font-size: 18px">Free tips</span></p>
<ol>
<li data-xf-list-type="ol"><strong>HTTP floods.</strong> Recently many sites have seen HTTP GET floods commonly known as cache-busting attacks, e.g. example.com/?foobar2. These are effective against a standard Cloudflare installation as, by default, Cloudflare does not cache requests containing query strings. So essentially, it's treated as a fresh new resource every time. Unfortunately, effective query string caching is only available on enterprise plans (like $5K/month).
<ol>
<li data-xf-list-type="ol">BUT, if you do not need query strings, i.e. your site is RESTful (e.g. example.com/me as opposed to example.com/index.php?page=me), then you can probably safely block all query string requests.</li>
<li data-xf-list-type="ol"><a href="https://workers.cloudflare.com/" target="_blank">Cloudflare Workers</a> (serverless compute, like AWS Lambda) is available for free up to 100K requests per day, and then $0.50/million requests per month thereafter (pretty cheap, right?). You can essentially deploy a worker which checks for the presence of a query string before forwarding the request to your server (all the flood load will then be handled by the worker, and your site will get clean<em>er</em> traffic). I'll include sample worker code below.</li>
<li data-xf-list-type="ol">CAPTCHAs. Use them on your register and login pages, preferably Google reCAPTCHA. Don't use your own; most I've seen are text-based math equations which bots can easily pull out of the page and crack. If you don't like the idea of users being required to fill them out all the time, you can use Google's invisible reCAPTCHA mode and users won't even know it's there.</li>
<li data-xf-list-type="ol">You could also enable Under Attack Mode (UAM).</li>
<li data-xf-list-type="ol">You could also implement rate limiting on your server for other variants of attacks, though it is more involved and generally considered a last line of defence. See <a href="https://www.nginx.com/blog/rate-limiting-nginx/" target="_blank">https://www.nginx.com/blog/rate-limiting-nginx/</a></li>
<li data-xf-list-type="ol">Set lower hard limits on your web server, e.g. max allowed request body size, according to how big the data you expect to receive is. See <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size" target="_blank">http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size</a></li>
</ol></li>
</ol>
<p>Example cache bust (HIT and MISS); notice the query string not being included as part of the cached resource:</p>
<p>[ATTACH=full]10928[/ATTACH][ATTACH=full]10929[/ATTACH]</p>
<p></p>
<p>Cloudflare Worker code:</p>
<p>[CODE=javascript]</p>
<p>addEventListener('fetch', event => {</p>
<p>  event.respondWith(handleRequest(event.request))</p>
<p>})</p>
<p></p>
<p>async function handleRequest(request) {</p>
<p>  // Strip the query string and redirect,</p>
<p>  // i.e. https://example.com/?foo=bar becomes https://example.com/</p>
<p>  // You could also add exceptions here to ignore,</p>
<p>  // or you could just return new Response("Blocked").</p>
<p>  if (request.url.includes("?")) {</p>
<p>    //console.log("Nope.")</p>
<p>    //console.log(request.url.split("?"))</p>
<p>    return Response.redirect(request.url.split("?")[0], 301)</p>
<p>  }</p>
<p>  // Forward normal requests.</p>
<p>  const response = await fetch(request)</p>
<p>  return response</p>
<p>}</p>
<p>[/CODE]</p>
<p></p>
<p><span style="font-size: 18px">Paid, but cheap tips</span></p>
<ol>
<li data-xf-list-type="ol"><strong>Cloudflare Pro plan ($20/mo).</strong>
<ol>
<li data-xf-list-type="ol">$20/mo might be a bit too much for quite a few hotels, which is why I included it last. It does, however, have a lot of useful tools.
<ol>
<li data-xf-list-type="ol">WAF/Firewall - You'd get the additional benefit of blocking application attacks, e.g. XSS, SQLi, etc. You can also create custom firewall rules, e.g. to block a specific attack, or an ASN (say, block all AWS instances). You could also use firewall rules to fine-tune HTTP request blocks, e.g. if you know there's no POST route on the /me page, you could block all "POST /me" requests.</li>
<li data-xf-list-type="ol">Rate limiting (10 rules) - You could use rate limiting to limit HTTP requests (most notably for POST), so if someone is flooding you their attack will hit a roadblock.</li>
<li data-xf-list-type="ol">Bot tarpit mode - In firewall settings you can also enable "Bot Fight Mode", which is essentially an intelligent tarpit that will drain the resources of bots trying to flood you.</li>
</ol></li>
</ol></li>
</ol>
<p>Additionally, just monitor your site and server access logs. If anyone's attacking you with something, it'll all be in there.</p>
</blockquote>
<p></p>