
Anti DDoS / Rate-Limit Layer 7

Police Member
edited November 2024 in Help

I have a website with a lot of traffic and I am attacked all day long. It affects the CPU a lot and the website goes down.

Is there an effective method against this? I have seen that many people use balooProxy but it is not compatible with me (I think) since I use HestiaCP and it uses Nginx as a proxy on port 80.

I have also read that with a couple of ratelimit rules you can solve most of the attacks.

My knowledge is minimal, that is why I am asking for help.

I'm using Cloudflare. I have a dedicated server from OVH.

Comments

  • @vinhais said:
    Cloudflare

    This.

  • True, I forgot to mention that.

    I'm using Cloudflare but the attack still affects server performance.

  • @vinhais said:
    Cloudflare

    All together now: "THIS."

    It's free, it works.

  • xHosts Member, Patron Provider

    Have you checked the source of the attack traffic and made special rules for traffic from those locations?

  • safeline

    Thanked by 1Carrie
  • yoursunny Member, IPv6 Advocate

    Disable HTTP/1 and HTTP/2, allow HTTP/3 only.
    Most attack software works over HTTP/1 and HTTP/2, while browsers support HTTP/3.

    Thanked by 1layer7
  • @Police said:
    True, I forgot to mention that.

    I'm using Cloudflare but the attack still affects server performance.

    Have stricter Cloudflare rules; you can really do quite a lot with what they provide even under their free plan. Granted, I haven't used Cloudflare in probably ~5 years now.

    1. Block external traffic to your server (outside Cloudflare)
    2. Create a WAF to block countries that are not the main source of your traffic, e.g.: China, Russia, Singapore, Korea, Pakistan, India
    3. Adjust the rate limit, you can do it through the NGINX configuration, but on Cloudflare it is free 1 rule
    4. Configure more aggressive caching on static pages
    5. Examine the logs, usually stressers/booters always send a query like "i=XXXX" or others in the URL to bypass the cache, check and block it through Cloudflare's WAF, it will probably take a while to change, while you can breathe
    6. Block ASNs that are part of many attacks, such as AWS, DigitalOcean, Hetzner, Contabo, AT&T, Datacamp, Leaseweb, Quadranet, OVH, ColoCrossing (it was one of the solutions I used to solve it)

    Here are my WAF rules:

    1. JS Challenge
    (ip.geoip.country in {"AL" "AD" "AM" "BY" "BF" "BI" "CN" "FJ" "GF" "GT" "GY" "HT" "HN" "HK" "KP" "KR" "MO" "MW" "MY" "RU" "SG" "SR" "VE" "VN"}) or (cf.threat_score gt 70) or (http.user_agent contains "curl") or (http.user_agent contains "python") or (http.user_agent contains "Go-http-client")
    
    1. Block
    (ip.geoip.asnum in {24940 26347 43350 7018 58111 8075 47583 16628 205016 31898 45102 204548 46562 35320 54483 398101 27715 202269 32329 7489 8100 46606 40021 21887 12876 22394 25820 208226 13213 35612 38365 45090 17816 22773 4812 7849 14618 26496 13287 132203 14103 27967 1759 41508 8972 35916 60781 2152 29066 1239 24961 7162 395336 39378 266400 64200 210558 399486 198605 28539 212238 272043 14576 56655 9152 9050 8953 265919 47583 263093 27715 7162 46407 60068 40676 199524 212238 60068 210630 53667 132203 45090 137876 133478 23033 27176 20278 397966 49157 11989 52468 174 1239 58212 20473 6939 16276 6147 6057 3352 397630 5089 7018 20115 701 18779 5650 209 395954 8560 398101 26496 26347 12876 46261 20773 21859 25780 29802 30083 32097 32475 33070 33182 33387 36024 36351 36352 42473 46475 46664 49544 52219 53559 55933 62567 63473 63949 136258 202053 203629 24549 200019 8851 28753 21559 9009 42675 62240 11427 265613 25369 42624 26548}) or (ip.geoip.continent in {"T1"}) or (ip.geoip.country in {"BY" "BA" "BG" "CN" "CY" "SV" "FK" "FO" "GL" "HN" "HU" "JE" "JO" "XK" "LI" "MK" "MT" "MD" "OM" "RS" "SK" "SI" "AE"}) or (http.request.uri.path contains "/cms") or (http.request.uri.path contains "/wp") or (http.request.uri.path contains "/wordpress") or (http.request.uri.path contains ".env") or (http.request.uri.path contains "\\xC9") or (http.request.uri.path contains "xmlrpc.php")
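
Step 5 above (finding the cache-bypass query parameter in the logs), as an added example that is not part of the original post. It assumes nginx's default combined log format with the real client IP in the first field; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# nginx "combined" format: client IP, request line, status (other fields ignored).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (ip, path, [(param, value), ...]) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped, not fatal
            url = urlsplit(m.group(2))
            yield m.group(1), url.path, parse_qsl(url.query, keep_blank_values=True)

def find_cache_busters(log_text, min_hits=10, min_unique=0.9):
    """Return {(path, param): hits} where nearly every value is unique,
    i.e. the parameter only serves to defeat the cache."""
    seen = defaultdict(list)
    for _ip, path, params in parse(log_text):
        for name, value in params:
            seen[(path, name)].append(value)
    return {k: len(v) for k, v in seen.items()
            if len(v) >= min_hits and len(set(v)) / len(v) >= min_unique}

def top_sources(log_text, suspects, limit=5):
    """Rank client IPs by requests that carried a suspect parameter."""
    hits = Counter()
    for ip, path, params in parse(log_text):
        if any((path, name) in suspects for name, _ in params):
            hits[ip] += 1
    return hits.most_common(limit)

def sample_log():
    """Constructed log: a 12-request flood on /?i=<random> plus normal paging."""
    fmt = '{ip} - - [12/Nov/2024:10:00:{s:02d} +0000] "GET {url} HTTP/1.1" 200 512 "-" "{ua}"'
    rows = [fmt.format(ip=f"198.51.100.{n % 3 + 1}", s=n, url=f"/?i={7919 * (n + 1)}",
                       ua="python-requests/2.31") for n in range(12)]
    rows += [fmt.format(ip="203.0.113.9", s=n + 20, url=f"/shop?page={n % 2 + 1}",
                        ua="Mozilla/5.0") for n in range(12)]
    return "\n".join(rows + ["truncated line without a request"])

if __name__ == "__main__":
    log = sample_log()
    suspects = find_cache_busters(log)
    print(suspects)
    print(top_sources(log, suspects))
```

A parameter reported here can then be matched on the query string in a Cloudflare WAF rule, after confirming the application itself does not use it.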
    
  • @vinhais said:
    1. Block external traffic to your server (outside Cloudflare)
    2. Create a WAF to block countries that are not the main source of your traffic, e.g.: China, Russia, Singapore, Korea, Pakistan, India
    3. Adjust the rate limit, you can do it through the NGINX configuration, but on Cloudflare it is free 1 rule
    4. Configure more aggressive caching on static pages
    5. Examine the logs, usually stressers/booters always send a query like "i=XXXX" or others in the URL to bypass the cache, check and block it through Cloudflare's WAF, it will probably take a while to change, while you can breathe
    6. Block ASNs that are part of many attacks, such as AWS, DigitalOcean, Hetzner, Contabo, AT&T, Datacamp, Leaseweb, Quadranet, OVH, ColoCrossing (it was one of the solutions I used to solve it)

    Here are my WAF rules:

    1. JS Challenge
    (ip.geoip.country in {"AL" "AD" "AM" "BY" "BF" "BI" "CN" "FJ" "GF" "GT" "GY" "HT" "HN" "HK" "KP" "KR" "MO" "MW" "MY" "RU" "SG" "SR" "VE" "VN"}) or (cf.threat_score gt 70) or (http.user_agent contains "curl") or (http.user_agent contains "python") or (http.user_agent contains "Go-http-client")
    
    1. Block
    (ip.geoip.asnum in {24940 26347 43350 7018 58111 8075 47583 16628 205016 31898 45102 204548 46562 35320 54483 398101 27715 202269 32329 7489 8100 46606 40021 21887 12876 22394 25820 208226 13213 35612 38365 45090 17816 22773 4812 7849 14618 26496 13287 132203 14103 27967 1759 41508 8972 35916 60781 2152 29066 1239 24961 7162 395336 39378 266400 64200 210558 399486 198605 28539 212238 272043 14576 56655 9152 9050 8953 265919 47583 263093 27715 7162 46407 60068 40676 199524 212238 60068 210630 53667 132203 45090 137876 133478 23033 27176 20278 397966 49157 11989 52468 174 1239 58212 20473 6939 16276 6147 6057 3352 397630 5089 7018 20115 701 18779 5650 209 395954 8560 398101 26496 26347 12876 46261 20773 21859 25780 29802 30083 32097 32475 33070 33182 33387 36024 36351 36352 42473 46475 46664 49544 52219 53559 55933 62567 63473 63949 136258 202053 203629 24549 200019 8851 28753 21559 9009 42675 62240 11427 265613 25369 42624 26548}) or (ip.geoip.continent in {"T1"}) or (ip.geoip.country in {"BY" "BA" "BG" "CN" "CY" "SV" "FK" "FO" "GL" "HN" "HU" "JE" "JO" "XK" "LI" "MK" "MT" "MD" "OM" "RS" "SK" "SI" "AE"}) or (http.request.uri.path contains "/cms") or (http.request.uri.path contains "/wp") or (http.request.uri.path contains "/wordpress") or (http.request.uri.path contains ".env") or (http.request.uri.path contains "\\xC9") or (http.request.uri.path contains "xmlrpc.php")
    

    Thank you, my friend. Very grateful.

  • I keep getting attacks, any suggestions on how to block them?

  • PacketsDecreaser Member, Patron Provider

    Why doesn't a proxy work for you? You can put a proxy (with DDoS protection) before your site and it should be able to block it. Or use Cloudflare. If you still have DDoS problems with Cloudflare, change your rules and fix it by yourself.

This discussion has been closed.