View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003701||Composr||core||public||2018-10-14 19:12||2019-06-27 15:51|
|Reporter||Chris Graham||Assigned To|
|Fixed in Version|
|Summary||0003701: Harsher flood control under high load|
|Description||A good webhost can offer DDOS protection against attacks lower in the network stack (good article saying what they do: https://www.quora.com/How-do-DDOS-mitigation-techniques-work-e-g-RioRey). Suspicious activity can be detected relatively easily, and each machine doing it does not impose that much of a cost, so it's okay to wait a little time and then block each IP in the DDOS attack individually.|
However, if the attack is targeting web pages in a way that simulates a large number of real users (like a good marketing campaign), that isn't something regular DDOS protection can guard against. Serving a dynamic web page is notably more costly, so an effective attack against a webapp could be done with maybe even just one machine if that machine can rotate public IPs quickly (to avoid IP-based flood protection).
Recently compo.sr was attacked in this way, by what may have been only around a dozen machines, but each machine was capable of using whole ranges of IP addresses to mask itself.
To protect against this in the future (without having to set manual blocks), we need to make the flood protection apply harsher rules if the server is under high load:
1) Have the flood control script apply flood control with either the first 3, or even only first 2, IP octets (maybe configurable).
2) For a Guest accessing a non-cached page, make them solve a CAPTCHA.
|Tags||Type: Performance, Type: Security|
|Time estimation (hours)||7|
|2018-10-14 19:12||Chris Graham||New Issue|
|2018-10-14 19:12||Chris Graham||Tag Attached: Type: Security|
|2018-10-14 19:13||Chris Graham||Tag Attached: Type: Performance|
|2018-10-14 19:28||Chris Graham||Relationship added||related to 0003702|
|2018-10-14 19:29||Chris Graham||Sponsorship open||0 =>|
|2018-10-14 19:29||Chris Graham||Summary||Layer-7 DDOS protection => Harsher flood control under high load|
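
The two rules proposed in the description, sketched as an added example (not Composr code and not part of the original issue). The class name, thresholds, the load value passed in and the IPv6 /64 grouping are assumptions made for illustration.

```python
import ipaddress
import time
from collections import Counter, defaultdict, deque


class FloodControl:
    """Sliding-window hit counter whose key widens from one IP to a prefix under load."""

    def __init__(self, max_hits=30, window=60.0, high_load=4.0, octets_under_load=3):
        if octets_under_load not in (2, 3):
            raise ValueError("octets_under_load must be 2 or 3")
        self.max_hits, self.window = max_hits, window  # hypothetical defaults
        self.high_load, self.octets = high_load, octets_under_load
        self.hits = defaultdict(deque)  # key -> timestamps of recent hits

    def key_for(self, ip, under_load):
        addr = ipaddress.ip_address(ip)  # ValueError on malformed input
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not under_load:
            return str(addr)
        # IPv4: first 2 or 3 octets. IPv6 /64 is an assumption; the issue only covers octets.
        prefix = 8 * self.octets if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def check(self, ip, load, is_guest, page_cached, now=None):
        """Return 'allow', 'captcha' or 'block' for one request."""
        now = time.monotonic() if now is None else now
        under_load = load >= self.high_load
        recent = self.hits[self.key_for(ip, under_load)]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop hits that fell out of the window
        recent.append(now)
        if len(recent) > self.max_hits:
            return "block"
        if under_load and is_guest and not page_cached:
            return "captcha"  # rule 2: guest on a non-cached page
        return "allow"


def simulate(load, octets=3):
    """Constructed traffic: 40 guest requests, one per address in 203.0.113.0/24."""
    fc = FloodControl(octets_under_load=octets)
    return Counter(fc.check(f"203.0.113.{i}", load, True, False, now=float(i))
                   for i in range(1, 41))


if __name__ == "__main__":
    print("normal load:", dict(simulate(0.5)))
    print("high load:  ", dict(simulate(9.0)))
```

Under normal load every rotated address gets its own counter and all 40 requests pass; under high load they share one prefix counter, so the limit is reached even though no single address repeats. Widening the key also means legitimate users behind the same prefix share that limit, which is why the CAPTCHA step sits in front of the hard block.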