DDoS Protection: My experience

At 9:30 PM last week, my infrastructure received a denial of service attack. The infrastructure hosts this blog, my wife’s blog, my wife’s eCommerce store and some work-in-progress projects that I’m preparing to release. In addition, it also hosts a VPN for when I’m on the go, a few staging environments, my media server and LDAP authentication server (more coming soon).

When the attack came in, I first got alerted by my service provider, and was provided with basic information about it (DNS amplification, NTP, SYN were the flood types). I was expecting my entire website and everything I run to crash immediately. My provider told me it was approximately 11.4 Gbps incoming consistently (this lasted 30 minutes), which is more than the bandwidth I have available to me. My sites began slowing down, my VPN started dropping packets, and the system slowly started timing out.

Yikes. It looked like I was about to engage my disaster recovery plan to keep everything running, until my provider’s protection came into place. I came to find out that day that my service provider has DDoS protection for minor attacks, minor being < 20 Gbps according to them, which is handled by a third party. This was a huge relief; it’s just a manual filter they have to enable for it to take effect, and it doesn’t touch my bandwidth allotment.

All was good, and I didn’t have to engage my DR plan to keep everything online, phew. Fast forward two hours, 11:30 PM strikes and I’m under attack again, this time over Layer 7 (HTTP/HTTPS), and my server starts taking a beating. Luckily I’m still protected behind Cloudflare, and I quickly put on the “I’m Under Attack” mode and that was the end of that attack. But, it got me thinking.

How can I protect myself from attacks?

I’m not sure why I was the victim of this attack, maybe it was at random or someone trying to test out their booter, I’m not sure. All I know is, before I make the switch off of Cloudflare, I want to be sure I’m able to handle some Layer 7 floods. Right now, I’ve started to apply some rules for nginx to stop floods like R-U-DEAD-YET, Slowloris, and HEAD floods. I’ve also begun to apply limits on max connections to nginx via single origin IPs (both v4, v6). Additionally, I’m starting a list of bad user agents to reject, like the ones found/used by WordPress amplification attacks.
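A sketch of how the nginx measures listed above can fit together in one configuration. This is an added example, not the configuration actually running on this infrastructure; the zone names, rates, timeouts and host name are assumptions to tune against real traffic.

```nginx
# Added example; zone names, rates and timeouts are illustrative assumptions.
events {}

http {
    # Slow-request floods (Slowloris, R-U-DEAD-YET): cap how long a client
    # may take to send headers and body, and free timed-out sockets quickly.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    reset_timedout_connection on;

    # Per-origin limits. $binary_remote_addr is 4 bytes for IPv4 and
    # 16 bytes for IPv6, so one zone covers both address families.
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;

    # HEAD floods: only HEAD requests get a key; an empty key is not counted.
    map $request_method $head_key {
        default "";
        HEAD    $binary_remote_addr;
    }
    limit_req_zone $head_key zone=head_per_ip:10m rate=2r/s;

    # Bad user agents: WordPress pingback amplification requests identify
    # themselves as "WordPress/<version>; <site>; verifying pingback from ...".
    map $http_user_agent $blocked_ua {
        default                 0;
        "~*verifying pingback"  1;
    }

    # Answer rate-limited clients with 429 instead of the default 503.
    limit_conn_status 429;
    limit_req_status  429;

    server {
        listen 80;
        listen [::]:80;
        server_name example.test;   # placeholder host name

        limit_conn conn_per_ip 20;
        limit_req  zone=req_per_ip  burst=20 nodelay;
        limit_req  zone=head_per_ip burst=5  nodelay;

        # 444 closes the connection without sending a response.
        if ($blocked_ua) { return 444; }

        location / { return 200 "ok\n"; }
    }
}
```

While the site is still proxied through Cloudflare, the address nginx sees is the proxy's, so the per-IP zones only key on real clients once the real-IP module is configured or the proxy is removed.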

My question is, what are some more alternatives for protecting against Layer 7 flooding?