[Security] - Improve DDoS resilience #628

Open
opened 2023-08-20 21:05:10 +02:00 by meaz · 2 comments
Owner
See https://ddos-test.com/result/disroot.org
meaz added the needs_refine label 2023-08-20 21:05:23 +02:00
Owner

an example with A-rating: https://ddos-test.com/result/bundestag.de
Author
Owner

Some ideas @muppeth but I'm far from being an expert on that :)

# The system keeps idle TCP client connections open for more than 45.0 seconds

In `nginx.conf`, `keepalive_timeout {{ nginx_http_keepalive_timeout }};` and in defaults: `nginx_http_keepalive_timeout: '30 30'` shouldn't it be just `30`?

# The system answered with a HTTP 2xx or 3xx code instead of disallowing invalid HTTP/1.3 requests

Should we set `nginx_ssl_protocols: 'TLSv1.2'` then, by removing `TLSv1.3`?

# The system keeps idle TCP client connections open for more than 45.0 seconds:

Should we add

```
net.ipv4.tcp_keepalive_time=30
net.ipv4.tcp_keepalive_intvl=15
net.ipv4.tcp_keepalive_probes=3
```

in base role template?

# The system answered with a HTTP 2xx or 3xx code instead of disallowing HTTP POST to the / URL.

Should we add

```
location / {
    limit_except GET HEAD {
        deny all;
    }
}
```

# The system does not block malicious user agents like sqlmap

We could create a file with Blocked User Agents, e.g., `/etc/nginx/blocked-user-agents`, and list the user agents we want to block, one per line:

```
# each line is a map entry: a pattern followed by the value to assign;
# ~* makes it a case-insensitive regex match against $http_user_agent
~*sqlmap 1;
```

Then in `nginx.conf`, in `http`, we could add:

```
map $http_user_agent $block_user_agent {
    include /etc/nginx/blocked-user-agents;
    default 0;
}
```

and then in vhost:

```
location / {
    if ($block_user_agent) {
        return 403;
    }
}
```

# The system sets a value of 128 MAX_CONCURRENT_STREAMS in HTTP/2, which is larger than the common default of 100 and might be dangerous.

I don't get it coz default seems to be set to 128: https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_concurrent_streams

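As an added example (not from the issue or Disroot's Ansible roles): a small Python audit that parses an nginx config and flags the keepalive, `limit_except` and user-agent map points discussed in the comment above, the way ddos-test reports them. `SAMPLE_CONF` is a constructed config, and `parse`, `find` and `audit` are hypothetical helper names.

```python
import re
# Constructed sample (not Disroot's real nginx.conf) with the settings proposed above.
SAMPLE_CONF = """
http {
    keepalive_timeout 30 30;
    map $http_user_agent $block_user_agent { default 0; ~*sqlmap 1; }
    server {
        location / {
            limit_except GET HEAD { deny all; }
            if ($block_user_agent) { return 403; }
        }
    }
}
"""

def parse(text):
    # nginx syntax -> nested (name, args, children) tuples; children is None for simple directives
    tokens = re.findall(r'\{|\}|;|"[^"]*"|[^\s{};]+', re.sub(r'#.*', '', text))
    stack, cur = [[]], []
    for tok in tokens:
        if tok in ('{', ';'):
            node = (cur[0], cur[1:], [] if tok == '{' else None)
            stack[-1].append(node)
            if tok == '{':
                stack.append(node[2])
            cur = []
        elif tok == '}':
            stack.pop()
        else:
            cur.append(tok)
    return stack[0]

def find(nodes, name):
    # yield (args, children) of every directive called `name`, at any depth
    for n, args, kids in nodes:
        if n == name:
            yield args, kids
        if kids:
            yield from find(kids, name)

def audit(text, max_idle=45.0):
    # findings that mirror the ddos-test checks quoted above; [] means all pass
    tree, out = parse(text), []
    # only the first keepalive_timeout argument is the server-side idle timeout; the second just sets the header
    for args, _ in find(tree, 'keepalive_timeout'):
        if float(args[0].rstrip('s')) > max_idle:
            out.append(f'keepalive_timeout {args[0]} exceeds {max_idle}s')
    if not any(list(find(k, 'limit_except')) for a, k in find(tree, 'location') if a == ['/']):
        out.append('location / does not restrict methods with limit_except')
    if not any(a[-1] == '$block_user_agent' for a, _ in find(tree, 'map')):
        out.append('no $block_user_agent map for blocked user agents')
    return out
```

Run `audit(open('/etc/nginx/nginx.conf').read())` against a rendered config to see which of the three points still apply; the parser ignores comments but does not follow `include` directives.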
Reference: Disroot/Disroot-Project#628