Open unbit opened 11 years ago
Counting only the number of concurrent connections is not enough. You also need to keep track of request rate. Otherwise you are still vulnerable to attacks like brute-force cracking of login/register forms or DoS against URLs that are expensive to serve and can generate high load.
I use https://github.com/nand2/libvmod-throttle in Varnish for securing a few URLs. Maybe it's worth looking at.
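The gap this comment describes, shown as an added example that is neither uWSGI code nor taken from libvmod-throttle: a token-bucket limiter keyed on client IP, driven by an injected clock, run against a constructed sequence of cheap sequential login attempts. A pure concurrent-connection counter never sees more than one in-flight request, while the rate limiter admits only the burst allowance plus whatever refills. Class names, thresholds and the sample address are this example's own assumptions.

```python
"""Per-key request-rate limiter (token bucket).

Illustration only: not uWSGI's router code and not libvmod-throttle.
The clock is injected so the demonstration is deterministic offline.
"""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    capacity: float        # burst allowance (requests)
    refill_per_sec: float  # sustained rate (requests per second)
    tokens: float
    last: float            # clock reading at the last update


class FakeClock:
    """Monotonic seconds counter the caller advances by hand."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class RateLimiter:
    """Tracks request rate per key (client IP, or IP + path for expensive URLs)."""
    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.now = now            # callable returning seconds
        self.buckets = {}

    def allow(self, key):
        """Spend one token for `key`; False means the request should be refused."""
        t = self.now()
        b = self.buckets.get(key)
        if b is None:
            b = TokenBucket(self.capacity, self.refill, self.capacity, t)
            self.buckets[key] = b
        # Refill proportionally to elapsed time, never above the burst capacity.
        b.tokens = min(b.capacity, b.tokens + (t - b.last) * b.refill_per_sec)
        b.last = t
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def simulate_login_bruteforce(attempts=100, spacing=0.01, burst=10, rate=1.0):
    """Sequential POST /login attempts from one constructed IP (RFC 5737 range),
    each finished before the next starts, as a cheap failed login would be.
    Returns what a concurrency counter saw next to what the rate limiter did."""
    clock = FakeClock()
    limiter = RateLimiter(burst, rate, clock)
    active = max_active = allowed = rejected = 0
    for _ in range(attempts):
        active += 1                       # what a concurrent-connection counter sees
        max_active = max(max_active, active)
        if limiter.allow("203.0.113.7"):  # constructed attacker address
            allowed += 1
        else:
            rejected += 1
        active -= 1                       # request completes immediately
        clock.advance(spacing)
    return {"max_concurrent": max_active, "allowed": allowed, "rejected": rejected}


if __name__ == "__main__":
    print(simulate_login_bruteforce())
```

With the defaults (burst 10, refill 1/s, 100 attempts 10 ms apart) the concurrency counter peaks at 1 and would never trip, while the bucket admits the first 10 attempts and refuses the remaining 90. For expensive URLs the same limiter works with a key such as `(client_ip, path)` and a smaller capacity.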
Yes, request rating is another component to add, and I am analyzing the possibility of having a new router only for bandwidth limiting (something cloud users can easily put between their app server and the proxy to avoid being charged too much in case of unwanted high traffic). My idea is that this new router (the 'shaper'?) can configure different 'virtual interfaces' with different bandwidths.
People use open proxies for attacks, so I would also advise limiting not only based on client IP, but also on the X-Forwarded-For header if present. You can't trust this header if it's set by a proxy/router you can't control, but a misconfigured open proxy will set it, so if you have a burst of requests coming from different client IPs that share a common X-Forwarded-For header, then that's enough to detect such an attack.
As each router (http/fast/raw) maintains a very big list of statistics, we can improve things to support some anti-DoS patterns.
The first feature could be a concurrent-requests limiter. Basically a hash table of IPs maintains the number of active connections for the same IP.
The user can configure a "soft" policy, simply reporting a warning in the logs (that you can parse and eventually trigger an alarm), or a "hard" one, triggering a block of that IP.
The stats JSON blob should report the list of blocked IPs too.
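One way to implement the limiter sketched in this issue, as an added example that is not uWSGI's router code: per-key active-connection counts with the soft and hard policies described above, keyed on the peer IP and additionally on the X-Forwarded-For header as the comment above suggests, plus a stats dump that lists the blocked keys. The class names, the limit, the sample addresses and the decision to reject (rather than drop) an over-limit request in hard mode are all this example's own assumptions.

```python
"""Per-key active-connection limiter with soft/hard policies and a stats blob.

Illustration of the design in this issue, not the uWSGI implementation.
"""
import json
import logging
from enum import Enum

log = logging.getLogger("antidos")


class Policy(Enum):
    SOFT = "soft"   # log a warning, keep serving
    HARD = "hard"   # block the offending key


class ConnectionLimiter:
    def __init__(self, max_active, policy):
        self.max_active = max_active
        self.policy = policy
        self.active = {}       # (kind, value) -> in-flight requests
        self.blocked = set()   # (kind, value) keys refused outright
        self.warnings = []     # what SOFT mode wrote to the log

    @staticmethod
    def keys_for(client_ip, headers):
        """Always limit on the peer address; additionally on X-Forwarded-For when set.
        The header is untrusted as an identity, but a burst of distinct client IPs
        sharing one value is itself the signal, so it is used as an opaque string."""
        keys = [("ip", client_ip)]
        xff = headers.get("X-Forwarded-For")
        if xff:
            keys.append(("xff", xff.strip()))
        return keys

    def begin(self, client_ip, headers):
        """Call when a request arrives. Returns True if it may be served."""
        keys = self.keys_for(client_ip, headers)
        if any(k in self.blocked for k in keys):
            return False
        for k in keys:
            self.active[k] = self.active.get(k, 0) + 1
        offenders = [k for k in keys if self.active[k] > self.max_active]
        for kind, value in offenders:
            msg = "%s %s has %d active connections (limit %d)" % (
                kind, value, self.active[(kind, value)], self.max_active)
            log.warning(msg)
            self.warnings.append(msg)
            if self.policy is Policy.HARD:
                self.blocked.add((kind, value))
        if offenders and self.policy is Policy.HARD:
            self.end(client_ip, headers)   # a refused request is not in flight
            return False
        return True

    def end(self, client_ip, headers):
        """Call when the request completes, with the same inputs as begin()."""
        for k in self.keys_for(client_ip, headers):
            n = self.active.get(k, 0) - 1
            if n > 0:
                self.active[k] = n
            else:
                self.active.pop(k, None)

    def stats_dict(self):
        """Snapshot in the spirit of the stats blob: active counts and blocked keys."""
        return {
            "active": {"%s:%s" % k: n for k, n in self.active.items()},
            "blocked": sorted("%s:%s" % k for k in self.blocked),
        }

    def stats_json(self):
        return json.dumps(self.stats_dict(), sort_keys=True)


if __name__ == "__main__":
    # Constructed scenario: three client IPs behind one open proxy, limit 2, hard mode.
    lim = ConnectionLimiter(2, Policy.HARD)
    proxied = {"X-Forwarded-For": "198.51.100.9"}
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(ip, lim.begin(ip, proxied))
    print(lim.stats_json())
```

Note that in hard mode a key stays blocked until something removes it from `blocked`; an expiry or an operator action would be the next thing to add.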