• I. Overview

      1. What is a distributed denial of service (DDoS) attack?
      1. Prevent a DDoS attack

  • II. Some solutions to prevent DDOS in our projects

      1. Cloudflare
      1. Nginx
      • 2.1 Overview
      • 2.2 Sample to config nginx
      1. AWS
      1. Application protection layer

    I. Overview

    1. What is a distributed denial of service (DDoS) attack?

    A distributed denial-of-service (DDoS) attack attempts to disrupt the traffic of a targeted server, service, or network by overwhelming it with a flood of Internet traffic. By sending too many requests for information to a server, site, or network, a DDoS can effectively shut down a server — leaving it vulnerable and disrupting the normal business operations of an organization.

    2. Prevent a DDoS attack

    While DDoS attacks come in many shapes and sizes, there are measures you can take to protect your organizations from these threats. There is no one solution to preventing DDoS attacks, but using the following tips in conjunction can lessen the potential for one:

    1. Know your network’s traffic
    2. Create a Denial of Service Response Plan
    3. Make your network resilient
    4. Practice good cyber hygiene
    5. Scale up your bandwidth
    6. Take advantage of anti-DDoS hardware and software
    7. Move to the cloud
    8. Know the symptoms of a DDoS attack
    9. Outsource your DDoS protection
    10. Continuously monitor for unusual activity

    II. Some solutions to prevent DDOS in our projects

    1. Cloudflare

    We can use Cloudflare to prevent DDoS attacks. Cloudflare is a cloud-based service that provides various security and performance features for websites and applications. One of its features is DDoS protection, which is unmetered and unlimited for all customers on all plans and services (read more)

    Cloudflare's DDoS protection works by using its global network of over 285 cities and 100 countries to block malicious traffic before it reaches your servers. Cloudflare also uses dynamic fingerprinting to automatically detect and mitigate DDoS attacks without requiring any user action. Cloudflare can protect your web services (L7), your TCP/UDP applications (L4), and your network infrastructure (L3) from different types of DDoS attacks

    Some of the benefits of using Cloudflare to prevent DDoS attacks are:

    • Easy setup. You can easily onboard your website or application to Cloudflare in minutes from the dashboard or the API
    • Scalable resources. You don't have to worry about running out of bandwidth or server capacity, as Cloudflare can handle any amount of traffic
    • Advanced features. You can also use Cloudflare's other features, such as caching, load balancing, firewall, bot management, and more, to enhance your security and performance
    • [Affordable pricing. Cloudflare offers a free basic package that includes unmetered DDoS mitigation, as well as paid plans that offer more advanced protection and support](https://www.cloudflare.com/ddos/https://support.cloudflare.com/hc/en-us/articles/200170196-Responding-to-DDoS-attacks.)

    2. Nginx

    2.1 Overview

    Nginx is a popular web server that can handle high volumes of traffic and provide various features to improve security and performance. One of the ways to prevent DDoS attacks with Nginx is to use some of the following techniques:

    • Use a software firewall. You can use tools like iptables, UFW, or CSF to block unwanted traffic and limit the number of connections per IP address
    • Tweak Nginx parameters. You can adjust the number of worker processes and connections, the timeout values, the buffer sizes, and the request limits to optimize Nginx for handling DDoS attacks
    • Enable rate limiting. You can use the limit_req module to limit the number of requests that a client can make within a certain time frame. This can help prevent excessive requests from flooding your server.
    • Use proxy caching. You can use the proxy_cache module to cache static and dynamic content from your backend servers. This can reduce the load on your servers and improve the response time for your users
    • Use geo-blocking. You can use the geo module to block or allow traffic based on the geographic location of the client. This can help filter out traffic from regions that are known to be sources of DDoS attacks
    • Use HTTP/2. You can enable HTTP/2 protocol on Nginx to improve the efficiency and speed of data transfer between the client and the server. HTTP/2 also reduces the number of connections and requests needed to load a web page

    These are some of the ways you can prevent DDoS attacks with Nginx, but they are not exhaustive or foolproof. You should always monitor your server's performance and logs, and be ready to take additional measures if needed.

    2.2 Sample to config nginx

    There is no definitive answer to how to configure Nginx to prevent DDoS attacks, as different settings may work better for different scenarios and websites. However, here are some examples of Nginx configuration directives that can help mitigate DDoS attacks:

    • limit_req_zone. This directive creates a shared memory zone that can store the number of requests for each client IP address. You can use this zone to limit the rate of requests from a single IP address using the limit_req directive For example:
    limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

    This creates a zone named "one" with a size of 10 MB and allows 30 requests per minute from each IP address.

    • limit_conn_zone. This directive creates a shared memory zone that can store the number of connections for each client IP address. You can use this zone to limit the number of connections from a single IP address using the limit_conn directive. For example:
    # This creates a zone named "two" with a size of 10 MB 
# and stores the number of connections for each IP address.
limit_conn_zone $binary_remote_addr zone=two:10m;
    • limit_req. This directive limits the rate of requests for a given location or server. It uses the zone created by the limit_req_zone directive and can specify a burst parameter that allows exceeding the limit for a short time. For example:
    # This limits the requests to 30 per minute (as defined by the zone "one") 
# and allows a burst of 5 requests.
limit_req zone=one burst=5;
    • limit_conn. This directive limits the number of connections for a given location or server. It uses the zone created by the limit_conn_zone directive and can specify a maximum number of connections. For example:
    # This limits the connections to 10 per IP address (as defined by the zone "two").
limit_conn two 10;
    • geo. This directive creates a variable with a value that depends on the client IP address. You can use this variable to block or allow traffic based on the geographic location of the client. For example:
    # This creates a variable named "$bad_country" that is set to 1 for China and Russia
# and 0 for other countries. 
# If the variable is 1 Nginx returns a special status code 444 
# that closes the connection without sending any response.
geo $bad_country {
  default 0;
  CN 1;
  RU 1;
}

if ($bad_country) {
  return 444;
}
    • proxy_cache. This directive enables caching of static and dynamic content from your backend servers. This can reduce the load on your servers and improve the response time for your users. For example:
    # This creates a cache zone named "my_cache" 
# with a size of 10 GB and stores the cached files in /var/cache/nginx. 
# It also sets the cache to expire after 60 minutes of inactivity.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off;
proxy_cache my_cache;
    • proxy_cache_key. This directive defines the key for caching requests. You can use various variables to create a unique key for each request. For example:
    # This creates a cache key based on the scheme, method, host, and URI of the request.
proxy_cache_key "$scheme$request_method$host$request_uri";
    • proxy_cache_valid. This directive sets the validity time for different response codes. You can use this directive to specify how long to cache different types of responses. For example:
    
# This sets the cache validity time to 10 minutes for 200 and 302 responses, 
# and to 1 minute for 404 responses.
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
    • proxy_no_cache. This directive defines conditions under which the response will not be saved to a cache. You can use this directive to prevent caching of certain responses based on variables. For example:
    # This prevents caching of responses if there is a "nocache" cookie or argument, 
# or a "comment" argument.
proxy_no_cache $cookie_nocache $arg_nocache$arg_comment;
    • proxy_cache_bypass. This directive defines conditions under which the request will be passed to the backend server without using a cached copy. You can use this directive to bypass the cache for certain requests based on variables. For example:
    # This bypasses the cache if there is a "nocache" cookie or argument, 
# or a "comment" argument.
proxy_cache_bypass $cookie_nocache $arg_nocache$arg_comment;

    References

    • https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
    • [https://webhostinggeeks.com/howto/nginx-ddos-attack-tutorial/.](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/https://webhostinggeeks.com/howto/nginx-ddos-attack-tutorial/)
    • https://www.thetechedvocate.org/how-to-prevent-a-ddos-attack-with-nginx/

    3. AWS

    AWS is a cloud platform that provides various services and features to help you prevent and mitigate DDoS attacks. Some of the ways to prevent DDoS attacks with AWS are:

    • Use AWS Shield. AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. AWS Shield Standard provides protection against common network and transport layer DDoS attacks for all AWS customers at no additional charge. AWS Shield Advanced is a paid service that provides additional protections for internet-facing applications running on Amazon EC2, ELB, CloudFront, AWS Global Accelerator, and Route 53. AWS Shield can automatically detect and mitigate DDoS attacks without requiring any user action
    • Use AWS WAF. AWS WAF is a web application firewall that helps protect your web applications from common web exploits and application layer DDoS attacks. You can use AWS WAF to create custom rules that block or allow requests based on criteria such as IP addresses, HTTP headers, HTTP body, or URI strings. You can also use AWS WAF with AWS Shield Advanced to get access to the Shield Response Team (SRT), a group of experts who can help you respond to DDoS attacks
    • Use Amazon CloudFront. Amazon CloudFront is a content delivery network (CDN) that improves the performance and security of your web applications. CloudFront can help prevent DDoS attacks by caching static and dynamic content at the edge locations, reducing the load on your origin servers. CloudFront can also integrate with AWS Shield and AWS WAF to provide additional layers of protection against DDoS attacks
    • Use Amazon Route 53. Amazon Route 53 is a highly available and scalable domain name system (DNS) service that can help prevent DDoS attacks by routing traffic to healthy endpoints and away from unhealthy ones. Route 53 can also integrate with AWS Shield and CloudFront to provide additional resilience against DDoS attacks
    • Use other AWS services and features. You can also use other AWS services and features to prevent DDoS attacks by following the best practices for reducing the attack surface area, building application architecture for scalability and availability, preparing for DDoS incidents, and monitoring and analyzing DDoS attacks. Some of these services and features are:
    • Amazon VPC: You can use Amazon VPC to create isolated virtual networks for your AWS resources, and use security groups and network ACLs to control the inbound and outbound traffic.
    • Amazon EC2: You can use Amazon EC2 to launch virtual servers for your applications, and use features such as auto scaling, elastic load balancing, security groups, network ACLs, instance metadata service (IMDSv2), etc. to improve the performance and security of your instances.
    • Amazon S3: You can use Amazon S3 to store and serve static content for your web applications, and use features such as encryption, versioning, lifecycle policies, bucket policies, etc. to protect your data.
    • Amazon CloudWatch: You can use Amazon CloudWatch to monitor the performance and health of your AWS resources, and use features such as metrics, alarms, dashboards, logs, events, etc. to detect and respond to anomalies or incidents.
    • AWS Trusted Advisor: You can use AWS Trusted Advisor to get recommendations on how to optimize your AWS resources for cost, performance, security, and fault tolerance

    References

    • https://aws.amazon.com/shield/
    • https://aws.amazon.com/blogs/security/how-to-protect-your-web-application-against-ddos-attacks-by-using-amazon-route-53-and-a-content-delivery-network/
    • [https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/welcome.html.](https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/welcome.html.)
    • [https://aws.amazon.com/shield/ddos-attack-protection/.](https://aws.amazon.com/shield/ddos-attack-protection/)

    4. Application protection layer

    • Use 3rd software to monitor and detect DDOS
    • Block or response success with empty data with code 200 without execute API / service
    • Use some frontend technique, check header or execute a frontend (browser) script. Server side will detect and redirect browser if have no related data
    • Apply cache layer and respond data quickly instead of querying to API, services accordingly
    • Monitor requests and detect which services need to be scaled then upgrade / scale accordingly.