View Issue Details

ID: 0003701
Project: Composr
Category: core
View Status: public
Last Update: 2019-06-27 15:51
Reporter: Chris Graham
Assigned To:
Severity: feature
Status: non-assigned
Resolution: open
Product Version:
Fixed in Version:
Summary: 0003701: Harsher flood control under high load
Description: A good webhost can offer DDOS protection against attacks lower in the network stack (good article saying what they do: https://www.quora.com/How-do-DDOS-mitigation-techniques-work-e-g-RioRey). Suspicious activity can be detected relatively easily, and each machine doing it does not impose that much of a cost, so it's okay to wait a little time and then block each IP in the DDOS attack individually.

However, if the attack is targeting web pages in a way that simulates a large number of real users (like a good marketing campaign), that isn't something regular DDOS protection can guard against. Serving a dynamic web page is notably more costly, so an effective attack against a webapp could be done with maybe even just one machine if that machine can rotate public IPs quickly (to avoid IP-based flood protection).

Recently compo.sr was attacked in this way, by what may have been only around a dozen machines, but each machine was capable of using whole ranges of IP addresses to mask itself.

To protect against this in the future (without having to set manual blocks), we need to make the flood protection apply harsher rules if the server is under high load:

1) Have the flood control script apply flood control using either the first 3, or even only the first 2, IP octets (maybe configurable).

2) For a Guest accessing a non-cached page, make them solve a CAPTCHA.
Tags: Type: Performance, Type: Security
Time estimation (hours): 7
Sponsorship open
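
The two measures proposed in the description, sketched as an added example in Python (not Composr's code and not part of the original issue). The class name, the limits, the use of the 1-minute load average as the "high load" signal and the /48 grouping for IPv6 are all assumptions; the addresses in the demo are constructed documentation-range values.

```python
import ipaddress
import os
import time
from collections import defaultdict, deque


class LoadAwareFloodControl:
    """Sliding-window flood control that groups clients by IP prefix under high load."""
    def __init__(self, limit=5, window=10.0, load_threshold=4.0, octets=3):
        self.limit = limit                    # max requests per window per client/prefix
        self.window = window                  # window length in seconds
        self.load_threshold = load_threshold  # load average treated as "high" (assumed)
        self.octets = octets                  # 3 or 2 leading IPv4 octets, as in item 1
        self.hits = defaultdict(deque)        # prefix -> deque of (timestamp, ip)

    def _prefix(self, ip):
        addr = ipaddress.ip_address(ip)
        # IPv6 is outside the issue's "octets" wording; /48 is an assumption made here.
        bits = self.octets * 8 if addr.version == 4 else 48
        return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

    def decide(self, ip, is_guest=True, cached=False, load=None, now=None):
        """Return 'allow', 'captcha' or 'block' for one request."""
        load = os.getloadavg()[0] if load is None else load
        now = time.monotonic() if now is None else now
        high_load = load >= self.load_threshold
        # Hits are always stored under the coarse prefix, so history collected
        # under normal load is already there when the rule tightens.
        queue = self.hits[self._prefix(ip)]
        while queue and now - queue[0][0] > self.window:
            queue.popleft()
        queue.append((now, ip))
        if high_load:
            count = len(queue)                                 # whole prefix shares a budget
        else:
            count = sum(1 for _, seen in queue if seen == ip)  # per-IP budget
        if count > self.limit:
            return "block"
        if high_load and is_guest and not cached:
            return "captcha"                                   # item 2 of the proposal
        return "allow"


if __name__ == "__main__":
    fc = LoadAwareFloodControl(limit=3)
    # Constructed traffic: one client rotating through addresses in a single /24.
    for i in range(1, 7):
        print(fc.decide(f"198.51.100.{i}", load=1.0, now=i))
    print(fc.decide("198.51.100.7", load=8.0, now=7))
```

Because every request is recorded, including blocked ones, a production version would also need a bound on how much per-prefix history it keeps.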

Relationships

related to 0003702 non-assigned Backing-off algorithm for flood control 

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2018-10-14 19:12 Chris Graham New Issue
2018-10-14 19:12 Chris Graham Tag Attached: Type: Security
2018-10-14 19:13 Chris Graham Tag Attached: Type: Performance
2018-10-14 19:28 Chris Graham Relationship added related to 0003702
2018-10-14 19:29 Chris Graham Sponsorship open 0 =>
2018-10-14 19:29 Chris Graham Summary Layer-7 DDOS protection => Harsher flood control under high load