Closed Sylvvvia closed 4 years ago
Okay, I have fully tested your script. It works very well;
however, it is easy to bypass your script.
If you are referring to what you said in number 6
on your list, then: any JavaScript encryption can always be decoded; that is why I randomize it. Every page refresh would yield a different encryption method, and it is extremely difficult to bypass because they need to know the puzzle question and answer and to reply to it in the required encrypted header strings. All of this requires them to see the authentication page in the first place; there is no automated way to get this information, and as soon as you change the JavaScript puzzle.
This, to be exact.
--local JavascriptPuzzleVars = [[22 + 22]] --44
--local JavascriptPuzzleVars_answer = "44" --if this does not equal the equation above you will find access to your site will be blocked, make sure you can do maths!?
--Make our Javascript puzzle a little bit more dynamic than the static equation above; it will change every 24 hours :) I made this because the static one is pretty poor security compared to this, but this can be improved a lot though.
--TODO: IMPROVE THIS!
local puzzle_time = os.time() - 24*60*60 --yesterday's date, so the two figures only change once every 24 hours
local ymd = os.date("%Y%m%d", puzzle_time) --e.g. 20200407
local dmy = os.date("%d%m%Y", puzzle_time) --e.g. 07042020 (leading zero is harmless with radix 10)
local JavascriptPuzzleVars = [[parseInt("]] .. ymd .. [[", 10) + parseInt("]] .. dmy .. [[", 10)]] --Javascript output of our two random numbers
local JavascriptPuzzleVars_answer = tonumber(ymd) + tonumber(dmy) --lua output of our two random numbers (explicit conversion instead of relying on string coercion)
JavascriptPuzzleVars_answer = math.floor(JavascriptPuzzleVars_answer + 0.5) --fix bug removing the .0 decimal on the end of the figure
JavascriptPuzzleVars_answer = tostring(JavascriptPuzzleVars_answer) --convert the numeric output to a string for comparison with the client's header
It would break their method. It is possible but extremely difficult, the same as Google Captcha is possible to bypass but extremely difficult. Let alone the fact that what the config sets for expire_time
means they will have to solve another puzzle in a few hours / days anyway, depending on your config setting.
Below I list features you should implement to provide better security.
1. Sensor Mode (Requested Already)
You need to describe what this is, because I have no idea what you are talking about with this?
2. Reverse dns checkup on crawling bots (Google, Yahoo etc..)
The only reason I don't want to be doing reverse DNS is because connecting to external sources can cause slowdowns / lag; it defeats the purpose of a DDoS script if you create an external flaw that can intentionally slow it down in order to get data / wait for a data response.
3. Random Delay in short range (Before javascript puzzle starts)
So rather than the puzzle being solved by the browser as soon as the browser can solve it, you want to delay the browser for like another 3 seconds before it solves the puzzle?
4. Randomize more javascript puzzle
I was asked about this and gave my answer here; it is a TODO list item but not an urgent one: https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues/31#issuecomment-606768975
5. Cookie validation with session (store session on server)
No. There is no need to store their sessions on the server itself when my session method of salted hashes and browser cookies works fine... And besides, that is a terrible thing to do when under attack, because 1 million requests = 1 million sessions to be stored, meaning your server storage gets maxed out with bogus sessions. It is a very, very bad idea and too easy to exploit.
6. Implement better javascript encryption (current one can be easily decoded)
Going back to this again: it is not an urgent thing on my TODO list: https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues/31#issuecomment-606768975
7. SpamHaus integration (Enable/Disable block user that is in spamhaus botnet database)
That goes back to my comment about connecting to external sources: it is a bottleneck that can degrade speed and performance when they are slow in answering your query on an IP that is connecting. You want that information ASAP; when they are slow for 500ms, your site can't respond for 500ms until you get that answer about whether that IP is malicious or not.
Optional Features:
1. Implement a themes system so people can change the interstitial page design
Easy enough.
2. Config system, so people will not need to scroll through the entire file to make changes
I put the config area at the top of the file so nobody has to scroll down any lower.
3. Partial Module so each module is loaded from other file it will make it easier for future changes.
Could be good, maybe, to add some features that I do not want to be associated with the CORE of this script and have them dropped in as plugins by users if they need them. https://github.com/openresty/lua-nginx-module#lua-variable-scope
I will see what I can do when it comes to it.
Currently what I have listed here https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues/29
are my priority right now; everything else is a maybe, but if other people do build things in and make a pull request to the repo I will accept them, and that will speed things up in the features area. Currently I am building a lot in my spare time through my own needs on my own servers.
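An added example, not the project's own code, putting together the two server-side pieces discussed in this comment: the date-based puzzle from the snippet above (the expected answer is recomputed from the date, so nothing is stored per client) and the salted-hash cookie from item 5, which is valid only until its expiry and so forces a fresh puzzle afterwards. Written in Python rather than the project's Lua; the secret, the `X-Puzzle-Answer` header name, the IP addresses and the TTL are constructed for the demonstration.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed demo secret; a real deployment would take its salt from the config area.
SECRET = b"constructed-demo-secret"
ANSWER_HEADER = "X-Puzzle-Answer"   # assumed header name carrying the solved puzzle


def daily_puzzle(now: float):
    """Mirror the snippet's puzzle: two renderings of yesterday's date (UTC here)
    added together, so the challenge text and the expected answer rotate every 24h.
    Returns (javascript_expression, expected_answer_as_string)."""
    d = datetime.fromtimestamp(now - 24 * 60 * 60, timezone.utc)
    ymd, dmy = d.strftime("%Y%m%d"), d.strftime("%d%m%Y")
    js = f'parseInt("{ymd}", 10) + parseInt("{dmy}", 10)'
    return js, str(int(ymd) + int(dmy))


def _mac(client_ip: str, user_agent: str, expires: int) -> str:
    msg = f"{client_ip}|{user_agent}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(client_ip: str, user_agent: str, now: float, ttl: int) -> str:
    """Stateless pass: an expiry plus a keyed hash over the client details. The server
    keeps no session table, so a flood of bogus clients costs it no storage."""
    expires = int(now) + ttl
    return f"{expires}.{_mac(client_ip, user_agent, expires)}"


def cookie_valid(cookie: str, client_ip: str, user_agent: str, now: float) -> bool:
    try:
        exp_s, mac = cookie.split(".", 1)
        expires = int(exp_s)
    except ValueError:
        return False
    if now >= expires:          # expire_time reached: a fresh puzzle must be solved
        return False
    return hmac.compare_digest(mac, _mac(client_ip, user_agent, expires))


def handle_request(headers: dict, cookie, client_ip, user_agent, now, ttl=3600):
    """Return (decision, cookie): 'pass' for a valid cookie, 'pass' with a newly issued
    cookie when the header carries today's answer, otherwise 'challenge'."""
    if cookie and cookie_valid(cookie, client_ip, user_agent, now):
        return "pass", cookie
    _, expected = daily_puzzle(now)
    if hmac.compare_digest(headers.get(ANSWER_HEADER, "").encode(), expected.encode()):
        return "pass", issue_cookie(client_ip, user_agent, now, ttl)
    return "challenge", None
```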
Sensor Mode - Automatic attack detection. I mentioned this but noticed later that it was already requested. The reverse DNS check can be made only when someone is requesting with a bot user agent. Imagine now that you whitelist the Google bot and you get DDoSed with 1 million requests per second with the Google bot user agent. And no, there is no proper way to whitelist it except a reverse DNS lookup, since Google changes their IP range almost all the time. SpamHaus can be integrated as a .dat file so you're not making any external request, simply a lookup of the IP range in the file.
Ok, I see, so you want localized files for them; that is possible, but it will have to wait for me to finish the Auto-DDoS switch feature, since that requires a shared memory zone, and then those features could also use it.
On Wed, 8 Apr 2020, 21:17 Sylvvvia, notifications@github.com wrote:
Would also suggest integration of a custom error display like Cloudflare has. Once those features exist I would gladly switch from our current Cloudflare Enterprise plan to your script. Since we get DDoSed every day, for now it's simply not safe for us.
You can use it with Cloudflare, even on unproxied domains (DNS only, etc.); I made it compatible with all of them, since that is how I currently use it in a production environment.
But the custom errors should be easy to implement I will put that on the todo list since it can be done pretty quickly.
Don't get me wrong, I love Cloudflare, but their pricing is awful, and I am a believer in it being for everyone, not for their monopoly market, and I want those who can't afford or use such services to have the same quality of protection.
On Wed, 8 Apr 2020, 21:26 Sylvvvia, notifications@github.com wrote:
Well, Cloudflare even in Enterprise doesn't offer anything special. My company has used the Enterprise plan for a year already. There were tons of attacks that were bypassing Cloudflare's protection system, and we have spent hundreds of hours asking their support for help, and the response was always pretty much the same (enable rate limit blah blah blah). A few times they have made special rules for us, but literally their protection is just imagination. There is no protection from them for real websites that get hit on an hourly basis with millions of requests. Basically the only thing we love about Cloudflare is the number of their datacenters, so our streaming services on the Enterprise plan go worldwide through their network, but we're able to invest money in servers; the main problem is that there will be a lack of layer 7 protection, which we hope you're going to improve.
Going to close this issue to keep track of it under the TODO list I made previously.
@C0nw0nk - rdns lookup no longer required. We have installed this module for tests: