
Ask HN: How to mitigate Layer 7 attacks? - thegeekbin
Hi HN,

I was recently a victim of Layer 7 DDoS attacks, and use Cloudflare. Cloudflare was able to mitigate them, but I'm in the mix of changing from Cloudflare to my own system for most of my websites and my wife's (blogged about it here: https://thegeekbin.com/ddos-protection-my-experience/).

What's a reliable way to mitigate most layer 7 attacks? I've added into nginx filters for slow connections (e.g., HEAD and wait X time to clog server resources, slowloris) and other things like bad user agents, R-U-DEAD-YET, etc., but I'm not sure that's going to be enough.

What's your take on this HN? Any pointers to provide good enough protection against most common attacks?

Thanks
======
hamid_ra
What is your website?! Is it just a content website or do you have some sort of
services serving your requests in the backend? Application DDoS attacks can
hugely impact your website if they can put load on your backend and eventually
trash your servers. Some useful solutions for those scenarios:
- proper authentication/authorization mechanism
- keep stats per user or session and set a quota on the number of requests per user or session
- add captcha to your registration pages to prevent them from scripting your signup.
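One way to implement the per-session quota described above, as an added illustration and not code from anyone in the thread: a sliding-window counter keyed by session id, with an idle-session sweep so the quota table itself cannot be inflated by a flood of fresh ids. The session ids, limits and request stream are constructed for the demo.

```python
from collections import defaultdict, deque


class SlidingWindowQuota:
    """Allow at most `limit` accepted requests per session in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        # session id -> timestamps of requests that were accepted
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, session_id: str, now: float) -> bool:
        hits = self._hits[session_id]
        cutoff = now - self.window
        # Drop accepted requests that have aged out of the window.
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over quota: reject and do not record the attempt
        hits.append(now)
        return True

    def expire_idle(self, now: float) -> int:
        """Forget sessions with no accepted request inside the window, so the
        table cannot be grown without bound by a stream of throwaway ids."""
        cutoff = now - self.window
        stale = [sid for sid, h in self._hits.items() if not h or h[-1] <= cutoff]
        for sid in stale:
            del self._hits[sid]
        return len(stale)


def replay(requests, limit: int, window: float):
    """Feed (timestamp, session_id) pairs through the quota in time order and
    return per-session counts of accepted and rejected requests."""
    quota = SlidingWindowQuota(limit, window)
    accepted, rejected = defaultdict(int), defaultdict(int)
    for ts, sid in sorted(requests):
        (accepted if quota.allow(sid, ts) else rejected)[sid] += 1
    return dict(accepted), dict(rejected)


# Constructed request stream, not real traffic: session "s1" scripts 50
# requests inside one second, session "s2" sends one request per second.
REQUESTS = [(round(i * 0.02, 2), "s1") for i in range(50)] + [
    (float(i), "s2") for i in range(10)
]

if __name__ == "__main__":
    ok, dropped = replay(REQUESTS, limit=10, window=1.0)
    print("accepted:", ok)  # s1 is capped at 10, s2 is untouched
    print("rejected:", dropped)
```

Rejected requests are deliberately not recorded, so a client that keeps hammering does not push its own window forward; and `expire_idle` should run periodically, because a quota table that grows with every unauthenticated session id is itself a resource an attacker can exhaust.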

------
zzzcpan
I'm assuming you also want a simple way to mitigate layer 7 attacks, which is
the hard part. You can try something like gathering statistics of /24 IP
subnets that make connections to your server and once you detect an increase in
unseen subnets that goes over some threshold you think your server can't
handle - nullroute unseen subnets that go over that threshold for some short
period of time. And on the web server side configure rate limiting for
everything.
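The /24 heuristic sketched above, worked through as an added example (not code from the commenter): learn the set of /24s seen during normal operation from access-log lines, then count never-before-seen /24s per 10-second bucket and return a temporary block decision when the count in one bucket exceeds a threshold. The log lines, addresses, bucket size, threshold and block duration are all constructed; issuing the actual null route is left to the operator's routing tooling.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Leading fields of the nginx/Apache "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line: str):
    """Return (epoch_seconds, '/24 network') for an IPv4 log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        addr = ip_address(m["ip"])
    except ValueError:
        return None
    if addr.version != 4:
        return None  # IPv6 would need a different prefix length; out of scope here
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, str(ip_network(f"{addr}/24", strict=False))


class UnseenSubnetDetector:
    def __init__(self, bucket_seconds: int, threshold: int, block_seconds: int):
        self.bucket = bucket_seconds
        self.threshold = threshold
        self.block_for = block_seconds
        self.known: set[str] = set()  # /24s seen during normal operation
        self.blocked: dict[str, float] = {}  # /24 -> block expiry (epoch seconds)

    def learn_baseline(self, records) -> None:
        for _, net in records:
            self.known.add(net)

    def scan(self, records):
        """Group records into time buckets. A bucket whose count of unseen /24s
        exceeds the threshold yields a (bucket_start, subnets, expiry) decision
        for a temporary null route; smaller counts are absorbed as normal growth."""
        by_bucket = defaultdict(set)
        for ts, net in records:
            by_bucket[int(ts // self.bucket)].add(net)
        decisions = []
        for b in sorted(by_bucket):  # process in time order so absorption carries forward
            unseen = sorted(n for n in by_bucket[b]
                            if n not in self.known and n not in self.blocked)
            if len(unseen) > self.threshold:
                expiry = (b + 1) * self.bucket + self.block_for
                for net in unseen:
                    self.blocked[net] = expiry
                decisions.append((b * self.bucket, unseen, expiry))
            else:
                self.known.update(unseen)
        return decisions

    def is_blocked(self, net: str, now: float) -> bool:
        expiry = self.blocked.get(net)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[net]  # block has lapsed; the subnet gets a fresh look
            return False
        return True


def log_line(ip: str, hms: str) -> str:
    return f'{ip} - - [01/Mar/2024:{hms} +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample data (RFC 5737 / RFC 1918 addresses as stand-ins), not real logs.
BASELINE_LINES = [log_line(f"198.51.100.{i}", f"12:00:0{i}") for i in range(1, 5)] + [
    log_line("203.0.113.7", "12:00:05")
]
TRAFFIC_LINES = (
    [log_line("198.51.100.9", "12:00:30"), log_line("192.0.2.40", "12:00:31")]  # one new /24: normal
    + [log_line(f"10.{i}.0.5", f"12:01:0{i}") for i in range(1, 7)]  # six unseen /24s in 10 s
)


def run_demo():
    det = UnseenSubnetDetector(bucket_seconds=10, threshold=3, block_seconds=300)
    det.learn_baseline(r for r in map(parse_line, BASELINE_LINES) if r)
    decisions = det.scan([r for r in map(parse_line, TRAFFIC_LINES) if r])
    return det, decisions


if __name__ == "__main__":
    detector, found = run_demo()
    for start, nets, until in found:
        print(f"bucket {start}: {len(nets)} unseen /24s, nullroute until {until}: {nets}")
```

The threshold has to be set from the site's own baseline (how many genuinely new /24s a quiet 10-second bucket normally brings), and the block is short-lived on purpose: a burst of new subnets can also be a legitimate traffic spike, so an expiring block bounds the damage of a false positive.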

~~~
thegeekbin
I've done some basic filtering against some slowloris etc. type attacks, and I've
got lots of open proxies and relays blocked from the web. I've also got rate
limiting in place now, and I'm offloading assets to a proper CDN. In the end
my server should only serve a few hundred KB at absolute max, the rest handled
by a CDN. My thought is that with that it probably would hold up to the attacks.
Thoughts?

~~~
zzzcpan
Imagine something like a pingback attack [1]: it can hit you from at least
tens of thousands of IPs you don't yet filter, because they are not proxies or
relays, and will likely exhaust various resources: file descriptors, socket
limits, CPU. And this is one of the most primitive layer 7 attacks, not even
attempting to look like a real user agent.

[1]
[https://en.wikipedia.org/wiki/Pingback#Exploits](https://en.wikipedia.org/wiki/Pingback#Exploits)

------
gtirloni
Cloudflare is a good way to mitigate those attacks. They have a pipe much
bigger than what most attackers can get together.

You don't stand a chance against a DDoS and you have to work with your
upstream ISP to mitigate some of it. They might not have the tools to help you
though.

~~~
zzzcpan
> You don't stand a chance against a DDoS and you have to work with your
> upstream ISP to mitigate some of it.

You do. Plenty of hosting companies provide layer 3 and layer 4 DDoS
protection and layer 7 is best handled in your software anyway to avoid false
positives.

~~~
gtirloni
How would you respond to these:
[https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/](https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/)

