[Tutorial] Protecting your site from HTTP Flood Attacks


#1

So I’d like to start out by saying that Cloudflare Free is an amazing service: it makes your site faster and safer from attacks; however, it’s lacking in protection from HTTP Floods and similar attacks. You are generally safe from Layer 3/4 attacks because they have the option of protecting either all customers or no customers from those attacks.

Luckily, if you have your own web server, you can install nginx and use some advanced techniques to protect it from attackers.

Example Configuration Files:
I’ve uploaded some example configuration files for this tutorial to my GitHub account. You may need to tweak them for your own purposes, but these should serve as an example to you.
Nginx https://github.com/nsuchy/nginx-anti-ddos
Fail2ban https://github.com/nsuchy/nginx-fail2ban (Note: update the action in jail.local from iptables to cloudflare, and adjust your email and API key in ‘action.d/cloudflare.conf’)

What methods are available to block an attack?

  1. Cloudflare’s I’m Under Attack Mode will block a large chunk of bad requests.
  2. Setting up rate limiting (both Cloudflare Rate Limiting (paid feature) and nginx rate limits) will help block large bursts of requests and is a useful tool for singling out the bad IP addresses.
  3. Reduce the ‘time-out’ and ‘keepalive’ limits.
  4. Where practical, block the user agent that’s being used by the attacker. For example, if the attacker is using an outdated browser’s user agent or something like ‘wordpress’, you are free to block it, and only a small percentage of real users will find themselves blocked. You can always remove the rules after an attack ends.
  5. Use fail2ban to issue Cloudflare IP blocks on IP addresses that are constantly violating rate limits.
  6. Look for traits of the attack’s traffic and use nginx to block it.
  7. Where possible, develop your website ‘on the cloud’ and use those features to the fullest; for example, auto-scaling and load balancing make an attack a lot harder. Depending on how it’s implemented, your site can become a lot safer due to the benefits of increased capacity.

Which requests are the attackers?
Access.log Example:

41.82.148.224 - - [11/May/2017:17:05:26 -0400] "GET / HTTP/1.1" 503 206 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"

Error.log Example:

2017/05/11 17:05:26 [error] 4820#4820: *6178 limiting requests, excess: 5.592 by zone "two", client: 41.82.148.224, server: sinfulforums.net, request: "GET / HTTP/1.1", host: "sinfulforums.net

Any questions, suggestions, comments, feedback, etc?
I look forward to any questions, suggestions, comments, feedback, etc. that you guys may have to offer. The tips in this tutorial offer practical mitigation at no cost to the end user other than needing root access to the web server.
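The nginx side of methods 2, 3, 4 and 6, as an added example. This is not the configuration from the post or from the linked nsuchy repositories (which are no longer available); zone names, limits, timeouts, the server name and the blocked user agents are assumptions chosen to match the post's log samples (zone "two", 503 on limit), and the Cloudflare address ranges shown are placeholders to be replaced with the current published list. It requires nginx built with the realip module.

```nginx
# Added example: an http{} fragment, not the post's own config. All numbers
# and names below are assumptions; tune them for your site.
http {
    # Behind Cloudflare every TCP connection comes from a Cloudflare edge, so
    # without this the limit zones would key on the edge address, not the
    # visitor. Trust CF-Connecting-IP only from Cloudflare's ranges (placeholders
    # here; use the list published at https://www.cloudflare.com/ips/).
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    real_ip_header   CF-Connecting-IP;

    # Method 2: request-rate limit per visitor IP (5 r/s, 10 MB of zone state).
    # The zone is named "two" to match the error.log line in the post.
    limit_req_zone  $binary_remote_addr zone=two:10m rate=5r/s;
    # Concurrent-connection limit per visitor IP (the "conn limit" from the replies).
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    # Answer limited requests with 503 (as in the post's access.log sample) and
    # log them at "error" level so fail2ban can pick them out of error.log.
    limit_req_status     503;
    limit_conn_status    503;
    limit_req_log_level  error;
    limit_conn_log_level error;

    # Method 3: short timeouts and keepalive so idle attacker sockets are freed fast.
    client_body_timeout   10s;
    client_header_timeout 10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    keepalive_requests    100;

    # Methods 4 and 6: flag user agents seen in the attack. Empty UA, the
    # post's "wordpress" example, and one assumed outdated browser string.
    map $http_user_agent $block_ua {
        default          0;
        ""               1;
        ~*wordpress      1;
        ~*Firefox/38\.0  1;
    }

    server {
        listen      80;
        server_name example.com;   # assumed

        if ($block_ua) {
            return 403;
        }

        location / {
            # burst=10 absorbs a short legitimate spike; nodelay rejects the
            # excess immediately instead of queueing it.
            limit_req  zone=two burst=10 nodelay;
            limit_conn addr 20;
            root /var/www/html;
        }
    }
}
```

Remove the user-agent entries from the map once the attack ends, as the post advises; the rate and connection limits can stay. Note that an iptables ban on the origin does nothing for proxied traffic (the connection still arrives from a Cloudflare edge), which is why the post's fail2ban action has to be switched to the Cloudflare API.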


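Offline version of "Which requests are the attackers?" and of the fail2ban step (method 5), as an added example in Python; it is not the post's code or its fail2ban filter. It parses the "limiting requests" / "limiting connections" lines nginx writes to error.log and the 503 lines in access.log, applies fail2ban-style maxretry/findtime counting per client IP, and tallies which user agents the limited requests carry (method 4). The log lines are constructed samples modelled on the post's two examples, using documentation addresses; the thresholds are assumptions.

```python
"""Added example, not from the original post: pick rate-limit offenders and
attacker user agents out of nginx logs. Sample logs below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the error.log lines produced by limit_req ("limiting requests,
# excess: N by zone") and limit_conn ("limiting connections by zone").
ERROR_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'limiting (?:requests|connections)(?:, excess: [\d.]+)? by zone "(?P<zone>[^"]+)", '
    r'client: (?P<ip>[0-9a-fA-F.:]+),'
)

# Matches the default "combined" access log format used in the post's sample.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample error.log: one flooding IP, one IP that trips the limit
# only twice two minutes apart, and one unrelated notice line.
ERROR_LOG = """\
2017/05/11 17:05:26 [error] 4820#4820: *6178 limiting requests, excess: 5.592 by zone "two", client: 203.0.113.7, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2017/05/11 17:05:26 [error] 4820#4820: *6179 limiting requests, excess: 6.100 by zone "two", client: 203.0.113.7, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2017/05/11 17:05:27 [error] 4820#4820: *6180 limiting requests, excess: 6.800 by zone "two", client: 203.0.113.7, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2017/05/11 17:05:28 [error] 4820#4820: *6181 limiting connections by zone "addr", client: 203.0.113.7, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2017/05/11 17:05:29 [error] 4820#4820: *6182 limiting requests, excess: 7.200 by zone "two", client: 203.0.113.7, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2017/05/11 17:05:30 [notice] 4820#4820: signal process started
2017/05/11 17:05:40 [error] 4820#4820: *6190 limiting requests, excess: 5.010 by zone "two", client: 198.51.100.9, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2017/05/11 17:07:40 [error] 4820#4820: *6250 limiting requests, excess: 5.030 by zone "two", client: 198.51.100.9, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
"""

# Constructed sample access.log in combined format.
ACCESS_LOG = """\
203.0.113.7 - - [11/May/2017:17:05:26 -0400] "GET / HTTP/1.1" 503 206 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
203.0.113.7 - - [11/May/2017:17:05:26 -0400] "GET / HTTP/1.1" 503 206 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
198.51.100.9 - - [11/May/2017:17:05:40 -0400] "GET /login HTTP/1.1" 503 206 "-" "WordPress/4.7; http://example.org"
192.0.2.44 - - [11/May/2017:17:05:41 -0400] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/58.0.3029.110 Safari/537.36"
"""


def parse_error_log(lines):
    """Yield (timestamp, zone, client_ip) for every limit rejection in error.log."""
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["zone"], m["ip"]


def parse_access_log(lines):
    """Yield (client_ip, status, user_agent) for every parseable access.log line."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            yield m["ip"], int(m["status"]), m["ua"]


def offenders(error_lines, maxretry=5, findtime_s=60):
    """Return {ip: total_violations} for IPs with at least `maxretry` limit
    rejections inside any `findtime_s`-second window, mirroring fail2ban's
    maxretry/findtime. Defaults are assumptions."""
    events = defaultdict(list)
    for ts, _zone, ip in parse_error_log(error_lines):
        events[ip].append(ts)
    banned = {}
    for ip, stamps in events.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= findtime_s:
                j += 1
            if j - i >= maxretry:
                banned[ip] = len(stamps)
                break
    return banned


def ua_profile(access_lines, status=503):
    """Count user agents among limited (503) requests; a UA that dominates here
    is the candidate for a temporary user-agent block (method 4)."""
    counts = Counter()
    for _ip, st, ua in parse_access_log(access_lines):
        if st == status:
            counts[ua] += 1
    return counts


if __name__ == "__main__":
    for ip, n in offenders(ERROR_LOG.splitlines()).items():
        print(f"ban candidate {ip}: {n} limit rejections")
    for ua, n in ua_profile(ACCESS_LOG.splitlines()).most_common(3):
        print(f"{n:4d}  {ua}")
```

The sliding window makes the difference between a flood and a visitor who merely refreshes quickly: with the defaults only 203.0.113.7 is reported, while 198.51.100.9 would need a larger findtime to qualify. The IPs this returns are the ones to hand to the Cloudflare firewall, not to iptables, for the reason the post gives about switching the fail2ban action.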
#2

Thanks @lunorian for sharing. Coincidentally, I have finally put my fail2ban config on GitHub publicly now too. It’s made for local CSF Firewall and Cloudflare API usage but requires more testing: https://github.com/centminmod/centminmod-fail2ban.

I’ll borrow your nginx connection limit filter though :smiley:


#3

The conn limit is great for people trying to hide from rate limits. Also looks like you have some nice filters up there. I might borrow some of those :slight_smile:


#4

sharing is what makes the internet grow :smile:


#5

Yup, I’m releasing a Cloudflare inspired website template later this evening. It’s really nice for presenting lots of information and might benefit some open source sites :slight_smile:


#6

Hi @lunorian!

Thanks for this tutorial and for sharing your configs. But unfortunately the GitHub repos you mentioned are gone. Any chance that you could point me to where to find your code now?

Thanks in advance! :+1: