How to Enable Ddos Protection

How to enable DDoS protection?

DDOS is a family of attacks which overwhelm key systems in the datacenter including:

  • The hosting center's network connection to the internet
  • The hosting center's internal network and routers
  • Your firewall and load balancers
  • Your web servers, application servers and database.

Before you start on building your DDOS defence, consider what the worst-case value-at-risk is. For a non-critical, free-to-use service for a small community, the total value at risk might be peanuts. For a paid-for, public-facing, mission-critical system for an established multi-billion dollar business, the value might be the worth of the company. In this latter case, you shouldn't be using StackExchange :) Anyway, to defend against DDOS, you need a defence in-depth approach:

  1. Work with your hosting center to understand the services they offer, including IP and port filtering at their network connections to the internet and firewall services they offer. This is critical: Many sites are pulled from the internet by the hosting company as the hosting company deals with the data center-wide disruption caused by the DDOS to one customer. Also, during an DDOS attack, you will be working very closely with the hosting center's staff, so know their emergency numbers and be on good terms with them :) They should be able to block of whole international regions, completely block specific services or network protocols and other broad-spectrum defensive measures, or alternatively allow only whitelisted IPs (depending on your business model)
  2. While on the hosting center - use a Content Delivery Network to distribute (mainly static) services close to your end users and hide your real servers from the DDOS architects. The full CDN is too big for a DDOS to take out all nodes in all countries; if the DDOS is focused on one country, at least other users are still OK.

  3. Keep all your systems and software packages updated with the latest security patches - and I mean all of them:

    • Managed switches - yup these sometimes need updating
    • Routers
    • Firewalls
    • Load balancers
    • Operating systems
    • Web servers
    • Languages and their libraries

  4. Ensure that you have a good firewall or security appliance set up and regularly reviewed by a qualified security expert. Strong rules on the firewall are a good defence against many simple attacks. It's also useful to be able to manage bandwidth available for each open service.

  5. Have good network monitoring tools in place - this can help you understand:

    • That you're under attack rather than simply being under heavy load
    • Where the attack is coming from (which may include countries you don't normally do business with) and
    • What the attack actually is (ports, services, protocols, IPs and packet contents)

  6. The attack might simply be heavy use of legitimate web site services (eg hitting 'legal' URIs running queries or inserting/updating/deleting data) - thousands or millions of requests coming from tens to millions of different IP addresses will bring a site to its knees. Alternatively, some services might be so expensive to run that only a few requests cause a DOS - think a really expensive report. So you need good application level monitoring of what is going on:

    • Which services have been invoked and what arguments/data are sent (i.e. logging in your application)
    • Which users are doing the invoking and from which IPs (i.e. logging in your application)
    • What queries and inserts/updates/deletes the DB is performing
    • Load average, CPU utilization, disk i/o, network traffic on all computers (and VMs) in your system
    • Making sure that all this information is easily retrievable and that you can correlate logs from different computers and services (i.e. ensure all computers are time synchronized using ntp).

  7. Sensible constraints and limits in your application. For example, you might:

    • Use a QoS feature in the load balancer to send all anonymous sessions to separate application servers in your cluster, while logged-on users use another set. This prevents an application-level anonymous DDOS taking out valuable customers
    • Using a strong CAPCHA to protect anonymous services
    • Session timeouts
    • Have a session-limit or rate-limit on certain types of request like reports. Ensure that you can turn off anonymous access if necessary
    • Ensure that a user has a limit to the number of concurrent sessions (to prevent a hacked account logging on a million times)
    • Have different database application users for different services (eg transactional use vs. reporting use) and use database resource management to prevent one type of web request from overwhelming all others
    • If possible make these constraints dynamic, or at least configurable. This way, while you are under attack, you can set aggressive temporary limits in place ('throttling' the attack), such as only one session per user, and no anonymous access. This is certainly not great for your customers, but a lot better than having no service at all.

  8. Last, but not least, write a DOS Response Plan document and get this internally reviewed by all relevant parties: Business, Management, the SW dev team, the IT team and a security expert. The process of writing the document will cause you and your team to think through the issues and help you to be prepared if the worst should happen at 3am on your day off. The document should cover (among other things):

    • What is at risk, and the cost to the business
    • Measures taken to protect the assets
    • How an attack is detected
    • The planned response and escalation procedure
    • Processes to keep the system and this document up-to-date

So, preamble aside, here are some specific answers:

DDOS are generally blocked on a server level, right?

Not really - most of the worst DDOS attacks are low-level (at the IP packet level) and are handled by routing rules, firewalls, and security devices developed to handle DDOS attacks.

Is there a way to block it on a PHP level, or at least reduce it?

Some DDOS attacks are aimed at the application itself, sending valid URIs and HTTP requests. When the rate of requests goes up, your server(s) begin to struggle and you will have an SLA outage. In this case, there are things you can do at the PHP level:

  • Application level monitoring: Ensure each service/page logs requests in a way that you can see what is going on (so you can take actions to mitigate the attack). Some ideas:

    • Have a log format that you can easily load into a log tool (or Excel or similar), and parse with command-line tools (grep, sed, awk). Remember that a DDOS will generate millions of lines of log. You will likely need to slice'n'dice your logs (especially with respect to URI, time, IP and user) to work out what is going on, and need to generate data such as:

      • What URIs are being accessed
      • What URIs are failing at a high rate (a likely indicator of the specific URIs the attackers are attacking)
      • Which users are accessing the service
      • How many IPs are each user accessing the service from
      • What URIs are anonymous users accessing
      • What arguments are being used for a given service
      • Audit a specific users actions

    • Log the IP address of each request. DON'T reverse DNS this - ironically the cost of doing this makes a DDOS easier for the attackers

    • Log the whole URI and HTTP method, eg "GET http://example.com/path/to/service?arg1=ddos"
    • Log the User ID if present
    • Log important HTTP arguments

  • Sensible rate limits: You might implement limits on how many requests a given IP or User can make in a given time period. Could a legitimate customer make more than 10 requests per second? Can anonymous users access expensive reports at all?

  • CAPTCHA for anonymous access: Implement a CAPTCHA for all anonymous requests to verify that the user is a person, not a DDOS bot.

What's the fastest and most common way to stop DDOS attacks?

The fastest is probably to give in to the blackmail, although this might not be desirable.

Otherwise, the first thing you to do is contact your hosting and/or CDN provider and work with them (if they haven't contacted you already asking what the hell is going on...). When a DDOS occurs, it will likely collaterally affect other customers of the hosting provider, and the provider may be under considerable pressure to shut down your site simply to protect their resources. Be prepared to share your logs (any and all information) with the provider; these logs, combined with their network monitors, may together provide enough information to block/mitigate the attack.

If you are expecting a DDOS, it's a very good idea to qualify your hosting provider on the level of protection they can provide. They should have DDOS experience and tools to mitigate it - understand their tools, processes and escalation procedures. Also ask about what support the hosting provider has from their upstream providers. These services might mean more up-front or monthly cost, but treat this as an insurance policy.

While under attack, you will need to grab your logs and mine them - try and work out the pattern of the attack. You should consider switching off anonymous access and throttling the services under attack (i.e. decrease the application's rate limit for the service).

If lucky and you have a small, fixed customer-base, you might be able to determine your valid customers IP addresses. If this is the case, you might switch to a white-list approach for a short while. Make sure all your customers know this is going on so they can call if they need to access from a new IP :)

Doug McClean has some great advice at: https://stackoverflow.com/a/1029613/1395668

Microsoft Azure DDoS protection alert not recevied

Unlike DDoS Protection Basic, the DDoS Protection Standard supports Metrics & alerts and hence allows user for configuration of alerts for any of the Azure Monitor metrics that DDoS Protection uses and thus Azure DDoS Protection Standard service helps in protection based on telemetry data from Azure Monitor Service.

As part of cofiguration steps, once the DDoS protection plan is created and selected, you may need to create an alert rule in Azure monitor so that notifications are sent if there is a DDoS attack.

For receiving email alerts, you need to configure an email alert for the preferred metric using “Click to add an alert”. Here, the metric of interest is “Under DDoS attack or not”. Set the Metric for “Under DDoS attack or not” and alert logic “Condition” to “Greater than” zero (0) and you will receive alert email while on attack. Also, you need to ensure filling in appropriate threshold values , evaluation details as per your alert requirement for getting the alerts coupled with filling in email details in action group.

How does companies do Anti-DDoS Protection

You will need to have an own network/rack/asn in order to filter traffic with XDP and hardware firewalls. Iptables are not helping very much on udp / they only deny traffic.

ModSecurity not detecting DDoS attack on DVWA

OWASP ModSecurity Core Rule Set Developer on Duty here. First thing to note, ModSecurity version 2.9.3 is quite old (2018!). The current v2 release is version 2.9.5, which features important security and bug fixes. You should seriously consider using the latest version for anything beyond a private sandbox.

Second thing to note, OWASP Core Rule Set (CRS) version 3.4 is our development branch. It's under heavy development and is being radically changed right now (this very week, even). You'll probably want to use our latest official release, which is version 3.3.2 (see https://github.com/coreruleset/coreruleset/releases/tag/v3.3.2).

Wfuzz is indeed listed as a scanner (you can find it listed in the file rules/scanners-user-agents.data). CRS rule 913100 inspects the User-Agent headers of requests and compares them against the contents of scanners-user-agents.data. That's why you're seeing log lines containing "Found User-Agent associated with security scanner": the presence of "Wfuzz" causes that rule to match. You can find the rule in the file rules/REQUEST-913-SCANNER-DETECTION.conf, if you're interested.

ModSecurity is not designed to prevent (D)DoS attacks. It can be made to do so, but it isn't good at it. In fact, just a few days ago, we removed the DoS capabilities from the CRS v3.4/dev branch (like I said, the dev branch is being radically changed as we speak!). For an explanation on this topic, see https://github.com/coreruleset/dos-protection-plugin-modsecurity-v2#plugin-expectations-suitability-and-scale.

If you really want to test DoS rules, take a look at the CRS 3.3.2 release, which still included our DoS rules as standard (in the file rules/REQUEST-912-DOS-PROTECTION.conf). Find the section "Anti-Automation / DoS Protection" in the main configuration file, crs-setup.conf, to configure the DoS rules for use. There are also blog posts and tutorials available online that walk through how to write your own DoS protection rules for ModSecurity, similar to what you described (e.g. "detect 20 requests, then block further requests"). It just requires leveraging ModSecurity's persistent collections mechanism, to store state information between requests (e.g. a running count of "how many requests has this IP address sent?").

But, to reiterate the point: neither ModSecurity or OWASP CRS will stop DoS attacks by default.

Good luck with your project!

How do I enable Vm protection in my virtual network on Azure Portal?

enableVmProtection is a legacy flag that has been now been deprecated and replaced with enableDdosProtection. This is why the API no longer returns this property.

More info in this GitHub issue: Function of --vm-protection #14059

Coming to enableDdosProtection, this property indicates if DDoS protection is enabled for all the protected resources in the virtual network. It requires a DDoS protection plan associated with the resource.

The steps to enable DDoS protection for an existing virtual network are detailed in this article.

Is it possible to prevent DDos Attack by cpanel configuration and php scripting?

First, if you are under attack, protect by sessions is not effective.

Second, if you implements an anti-dos method under php, you are adding process, and the DOS attack is ever effective.

The web server listen on TCP protocol, a udp attack is to the server, no your site, prevent the attack is on side of the server, a.k.a, your hosting provider.

Sorry my english


Related Topics

PHP Function That Creates a Nested Ul Li

PHP Warning: MySQLi_Close() Expects Parameter 1 to Be MySQLi

PHP to Clean-Up Pasted Microsoft Input

Use Openssl_Encrypt to Replace Mcrypt for 3Des-Ecb Encryption

Composer Update Failed -- Out of Memory

Fatal Error: Out of Memory, But I Do Have Plenty of Memory (Php)

Laravel 5 Hasmany Relationship on Two Columns

Remove Duplicate Items from an Array

In PHP How to Inspect Content of a Zip File Without Extracting Its Content First

Warning: Preg_Replace(): Unknown Modifier 'G'

Detect If Android App Has Been Installed on the Device Using a Mobile Web Page - PHP and Js

PHP How to Write Data to Middle of File Without Rewriting File

Process HTML Files Like PHP

MySQL - Insert Date Range into Date Columns If Dates Don't Overlap with Existing Ones

Performance of Static Methods VS. Functions

How to Set a Class Attribute to a Symfony2 Form Input

Downloading Attachments to Directory with Imap in PHP, Randomly Works

Pretty Urls in PHP Frameworks


Leave a reply



Submit