Closed blindpet closed 9 years ago
Hi, what the function in the VMOD does is:
The VCL example is very basic, but it's not wrong. Of course you can implement as much logic as you want before actually calling shield.conn_reset().
OK, what I'm wondering is whether that syntax is enough to protect me from DDoS attacks, or do I need something else before it? This logic you speak of, what should it include exactly, something like number of requests per second?
Hi, that syntax is enough to close the connection and reset the TCP, but before closing a connection you need to know which kind of requests are part of a DDoS attack. There is some more documentation here, and you might want to consider using vmod_throttle: https://github.com/varnish/libvmod-throttle (it has not been ported to V4 yet.)
There is also an old, but still gold, blog post about DDoS attacks: https://www.varnish-software.com/blog/withstanding-ddos-attacks-varnish-and-cots-hardware
Ok gotcha, so there would have to be some logic examining the headers and resetting if they don't match, right?
So if I add a list of user agents that I will accept, and say that if the user agent doesn't match then reset the connection?
I'm assuming you combine throttle for requests per second and resetting the connection, but I don't see a full example VCL with the implementation anywhere. I'm looking for a tutorial somewhere that has all of this, but have come up empty-handed. They all seem to assume one knows Varnish syntax and the other necessary info.
If I can understand enough to make a tutorial I will, any more sources would be great.
Looks like there is a separate vthrottle for version 4 https://www.varnish-cache.org/vmod/vsthrottle-rate-limitingthrottling-v4-only
So the logic looks like if throttle is true then reset connection, correct?
OK, I have a basic configuration using vsthrottle. Can you confirm this is roughly the correct usage to combine throttling and libvmod-shield?
If there are more than 15 requests in 10 seconds I want the connection to be reset. I think I can even drop the return statement afterwards but I will ask on vsthrottle's git for that.
I'd like to test, but I'm not sure if there is a Varnish tool to simulate a DDoS locally?
vcl 4.0;    # vsthrottle is V4-only, so the VCL must declare the 4.0 syntax
import vsthrottle;
import shield;

sub vcl_recv {
    # Token bucket keyed on the client: more than 15 requests in 10s is denied
    if (vsthrottle.is_denied(client.identity, 15, 10s)) {
        # Client has exceeded 15 reqs per 10s: reset the TCP connection
        shield.conn_reset();
        # and answer anything that is still attached with a 429
        return (synth(429, "Too Many Requests"));
    }
}
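To see what the `vsthrottle.is_denied(client.identity, 15, 10s)` check in the VCL above decides over time, here is an added Python simulation. It is not part of this thread and not code from the vsthrottle or libvmod-shield projects; it assumes that `is_denied(key, limit, period)` behaves as a per-key token bucket holding at most `limit` tokens and refilling at `limit/period` tokens per second, and it replays a constructed request trace (not captured traffic) through that policy.

```python
"""Simulation of vsthrottle-style rate limiting (added example, not project code).

Assumption: vsthrottle.is_denied(key, limit, period) is a per-key token bucket
capped at `limit` tokens, refilled at limit/period tokens per second; a request
is denied when fewer than one token is available. The real VMOD may differ.
"""
from dataclasses import dataclass, field


@dataclass
class _Bucket:
    tokens: float
    last_seen: float


@dataclass
class Throttle:
    """One bucket per key (in the VCL above the key is client.identity)."""
    buckets: dict = field(default_factory=dict)

    def is_denied(self, key: str, limit: int, period: float, now: float) -> bool:
        b = self.buckets.get(key)
        if b is None:
            # First sight of this key: a full bucket.
            b = _Bucket(tokens=float(limit), last_seen=now)
            self.buckets[key] = b
        # Refill proportionally to elapsed time, never above the cap.
        b.tokens = min(float(limit), b.tokens + (now - b.last_seen) * (limit / period))
        b.last_seen = now
        if b.tokens < 1.0:
            return True  # the VCL branch: shield.conn_reset() + synth(429)
        b.tokens -= 1.0
        return False


def simulate(trace, limit=15, period=10.0):
    """Replay (timestamp, client_identity) pairs in order.

    Returns {client_identity: [denied?, denied?, ...]} with one entry per request.
    """
    th = Throttle()
    decisions = {}
    for ts, client in trace:
        decisions.setdefault(client, []).append(th.is_denied(client, limit, period, ts))
    return decisions


# Constructed trace (not real traffic): one client floods 20 requests at t=0 and
# comes back once at t=10; another client sends one request every 2 seconds.
SAMPLE_TRACE = sorted(
    [(0.0, "203.0.113.7")] * 20
    + [(10.0, "203.0.113.7")]
    + [(float(t), "198.51.100.4") for t in range(0, 10, 2)]
)


def summarize(decisions):
    """Per client: (requests allowed, requests denied)."""
    return {c: (d.count(False), d.count(True)) for c, d in decisions.items()}


if __name__ == "__main__":
    print(summarize(simulate(SAMPLE_TRACE)))
```

With `limit=15, period=10s` the flooding client gets its first 15 requests through, the next 5 are denied (the point at which the VCL above would call `shield.conn_reset()`), and after a full period the bucket has refilled and the client is served again; the slow client is never throttled. Changing the trace spacing shows the refill behaviour: requests 0.1s apart refill 0.15 tokens each, so the cut-off lands a couple of requests later than a pure burst.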
I don't have an "out of the box" VCL for you, but the VCL you have written seems correct. If you want to produce a lot of load, why not use siege in a test environment? Or a script using curl against the Varnish access.log? (You can find an example of this script on my GitHub page.)
No worries, just a working example of how to implement it practically would be cool, it seems for my purposes combining vsthrottle and shield is the way to go.
I have gone to your page but don't see anything that resembles a curl script (https://github.com/aondio), unless you mean your warmup script?
Hi, yes, the warmup script is a very basic example on how to create load on varnish; in there I use either wget or siege, but curl can be used as well.
I am testing this now with Varnish 3 and 4. Is it really this simple to implement? It seems too easy, as if I'm missing something.