Firewall/ Layer 7 DDoS
Hello, my site is being attacked at the moment. I am using CloudFlare Pro (Under Attack Mode) + CloudFlare WAF, but when the Layer 7 attack kicks in, port 80 on my VPS (OVH) becomes unreachable.
I would like some suggestions to prevent this kind of DDoS, thank you.
Maybe there is a way to configure Cloudflare to keep the site more stable, a kind of cache that would reduce the amount of requests reaching the VPS?
edit: Has anyone heard of Sucuri CloudProxy?
Comments
So is it being dropped at the network level or is your server overloaded? What is the CPU usage on your VPS when it happens?
Hmm, I think the server is overloaded and Apache becomes unresponsive.
Then CloudFlare isn't blocking the attack. You should try using the user agent blocking feature to force challenges for the traffic; check the Apache logs. Or switch to Nginx, it handles attacks much better anyway.
Damn, apparently the User-Agent always changes.
Any idea about the Cloudflare Rate Limiting feature? Apparently it's billed on usage; I've never tried it.
Not worth it. Just put rules in place for all common user agents temporarily until the attack stops. Or pay the $20 for Pro to get the full CF WAF features.
Not many options really that are cheaper or free.
Hm, I already have CF Pro.
Any idea what kind of rule I should enable in the WAF?
In that case it's probably best to contact them with a traffic log since the attacks are bypassing them. https://support.cloudflare.com/hc/en-us/articles/115002059131-What-are-my-options-for-protecting-my-site-
Either way, if possible it wouldn't hurt to switch to Nginx.
Nice, I will send a message to them and try Nginx.
Might be that the attacker found the origin IP and is hitting it directly. @jooja should start with looking at the logs.
I assume by default there is a virtual host set up; either way he can easily check that with access logs or a tcpdump. CloudFlare does pass a lot of attack traffic unless you have custom rules or use their WAF. I get large L7 attacks essentially every week now and they pass the traffic probably 2 out of 4 times, so I'm pretty sure it's just that.
Edit: I guess that's the point of them offering paid plans in the first place though..
My OVH firewall and software firewall only accept connections from Cloudflare IPs.
I checked the logs; it's over 20,000 different IPs.
https://www.lowendtalk.com/discussion/102642
https://www.lowendtalk.com/discussion/100518
Contacted cloudflare, they sent me raw logs of the attack.
CF WAF at Cloudflare, right, thank you sir.
I would say in my case the CF WAF seems to be useless against Layer 7 DDoS attacks.
Most of the attacker IPs are from open proxies, and most of the traffic gets redirected to my machine.
https://www.hyperfilter.com/web-hosting/
They will protect you from L7 DDoS attacks on their side. Used them before, seems to be bulletproof, so if budget isn't an issue, give them a try.
The Cloudflare JavaScript cookie page is easy to bypass, so Under Attack Mode isn't going to work. You need to put a CF captcha page on every country, especially the ones where most attacks are coming from. Another way is to use the CF rate limit option by minute or hour and block aggressive IPs, but that's really expensive.
P.S. I heard Corero protection is good when it comes to rate limiting based on IPs during an L7 attack, but I have no experience working with Corero, so I would like to ask others about their experience.
I second this, it works nicely.
Well, the first issue here is you're still using Apache in 2018.
Apache isn't an issue, especially if you're using the Event MPM.
I don't want shared hosting; also I need a CDN. Any other suggestion?
Good idea, i will try it
You can use Web Protection if you have the budget for it:
https://www.hyperfilter.com/web-protection/
(They provide it for free with their HP Servers as well)
You can combine this with a CDN, because for static files you can keep using Cloudflare on a subdomain, e.g. static.mydomain.com pointing to your static file server. So you keep only the "dynamic requests" on a different service.
I think Hyperfilter doesn't support HTTPS? It was mentioned on their DDoS protection details page.
They do support HTTPS (aka SSL); you can check websites hosted by them or their own page as well.
Oh ok, but this is what I found written on their page: "Basic Native HTTP/L7 protection system. (No SSL Support)"
https://www.hyperfilter.com/cloud-servers/
Can you identify what the attack actually does? What is this website running?
Captcha web hosts that usually host vulnerable WordPress pages, e.g. DO. Also try out nginx; I have been able to handle many more users since switching to it, like 70 r/s to 200 r/s serving 4k images. Also try enabling CF edge cache on resources/pages getting hit hard; it'll also speed up your site quite a bit. Lastly, try ignoring the query string if that's an option.
Obviously, there are no companies offering you L7 protection included at the network layer; it is a separate service, so either you use their web hosting or their web protection. Both things are different.
I ended up doing this:
Added edge cache for images, enabled bypassing the query string as well.
Switched my backend: it was a 4 GB RAM VPS, now a dedicated quad-core (i7) server with 32 GB of RAM and 2x240 GB SSD.
Changed web server to nginx.
Rate-limited connections at nginx.
I already have the CloudFlare 5-second challenge as well.
Enabled query cache (since the DB server is located far away from the web server).
Result:
When the attack "kicks in", my RAM and CPU usage go to 100%.
All pages with PHP stop working and many PHP processes are spawned on the server.
If I disable php-fpm, the web server works even under attack and RAM stays at 50%.
Anyone have any other suggestions?
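The setup above (origin accepting only Cloudflare, rate limiting at nginx, and PHP-FPM being the part that falls over) maps onto a single nginx configuration. The block below is an added example, not a config posted in this thread or by anyone quoted in it. It assumes PHP-FPM on unix:/run/php/php-fpm.sock, a site root of /var/www/html, a hostname of example.com, and a snapshot of Cloudflare's published IPv4 ranges; the ranges change, so regenerate both lists from https://www.cloudflare.com/ips-v4 (and ips-v6) before use. Three things it does that the thread only names: restore the real client address from CF-Connecting-IP so the per-IP limits key on the attacker and not on the Cloudflare edge, refuse TCP peers that are not Cloudflare edges (a second line behind the host firewall), and put a FastCGI cache with a request lock in front of PHP so that N identical hits in a minute cost one PHP execution instead of N.

```nginx
# Added example (not from the thread). Assumed paths, hostname and a
# snapshot of Cloudflare's IPv4 ranges; refresh the ranges from
# https://www.cloudflare.com/ips-v4 before deploying. Goes in http {}.

# 1. Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge.
#    After this, $remote_addr / $binary_remote_addr are the real client.
set_real_ip_from 173.245.48.0/20;  set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;  set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;  set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;  set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;   set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;    set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_header CF-Connecting-IP;

# 2. Flag peers that are not Cloudflare. $realip_remote_addr is the raw
#    TCP peer, untouched by the real_ip module, so it cannot be spoofed
#    with a header. Same ranges as above.
geo $realip_remote_addr $not_cloudflare {
    default          1;
    173.245.48.0/20  0;  103.21.244.0/22  0;  103.22.200.0/22 0;
    103.31.4.0/22    0;  141.101.64.0/18  0;  108.162.192.0/18 0;
    190.93.240.0/20  0;  188.114.96.0/20  0;  197.234.240.0/22 0;
    198.41.128.0/17  0;  162.158.0.0/15   0;  104.16.0.0/13   0;
    104.24.0.0/14    0;  172.64.0.0/13    0;  131.0.72.0/22   0;
}

# 3. Per-client limits keyed on the restored address. 10 r/s sustained
#    with a burst of 20 is generous for humans and tight for a flood.
limit_req_zone  $binary_remote_addr zone=perip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_perip:10m;
limit_req_status  429;
limit_conn_status 429;

# 4. FastCGI cache: the flood hits the same URLs, so serve PHP output from
#    disk and let at most one request per key reach php-fpm at a time.
fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=PHPCACHE:50m
                   max_size=1g inactive=10m use_temp_path=off;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

# Do not cache personalised responses (assumed cookie names: a PHP
# session and WordPress' login cookie, whose name carries a hash suffix).
map $http_cookie $skip_cache {
    default                 0;
    "~*PHPSESSID"           1;
    "~*wordpress_logged_in" 1;
}

server {
    listen 80;
    server_name example.com;       # assumed
    root  /var/www/html;           # assumed
    index index.php index.html;

    # Anything that did not come through Cloudflare is refused here even
    # if the host firewall rule is missing or the origin IP has leaked.
    if ($not_cloudflare) { return 403; }

    limit_conn conn_perip 20;

    # Static files are cheap and Cloudflare edge-caches them anyway.
    location ~* \.(?:css|js|png|jpe?g|gif|ico|svg|woff2?)$ {
        expires 7d;
        try_files $uri =404;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Dynamic pages are the expensive part: rate-limit and cache them.
    location ~ \.php$ {
        limit_req zone=perip burst=20 nodelay;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket

        fastcgi_cache PHPCACHE;
        fastcgi_cache_valid 200 301 302 1m;
        fastcgi_cache_lock on;                       # one fetch per key
        fastcgi_cache_use_stale error timeout updating http_500 http_503;
        fastcgi_cache_background_update on;
        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache     $skip_cache;
        add_header X-Cache $upstream_cache_status;   # HIT/MISS/BYPASS
    }
}
```

Check it with `nginx -t`, then watch `X-Cache` and the 429 count in the access log during the next attack: if PHP still saturates, the flood is spread over unique URLs or carries the bypass cookie, and the next step is a Cloudflare firewall rule on the request pattern the raw logs show rather than more origin capacity. The `limit_req` keys on `$binary_remote_addr`, which is only meaningful because step 1 replaced Cloudflare's edge address with the client's; without `set_real_ip_from` every request would count against a handful of Cloudflare IPs and the limit would block legitimate traffic first.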
Use something more resilient. JavaScript-based request validation can be easily bypassed; the default Cloudflare validation will not work against bots which can parse JavaScript and store cookies.
If you are interested in Layer 7 DDoS protection, where I'm sure it is able to withstand the attacks you receive, you should contact us. We do Layer 7 DDoS protection at the network level, forwarding all traffic on TCP ports 80/443 to a mitigation cluster which is designed to deal with complex request floods.