Nginx module to combat DDoS

Many have encountered such a phenomenon as DDoS attack method HTTP flood. No, this is not another tutorial on setting up nginx, I want to present my module, which works as a quick filter between bots and backends during the L7 DDoS attack and allows us to filter out garbage requests.

Module can

• Set cookies in the standard way via the HTTP Set-Cookie header. After installing cookies, redirect the user (force us to send the received cookies) using the response code 301 and the Location header
• After installing cookies, redirect the user (force us to send the received cookies) using the response code 200 and the HTML meta tag "refresh"
• Read the number of attempts to set cookies and send the user to the specified URL after exceeding the maximum number of unsuccessful attempts.
• Use custom templates for the response of the filter, in which you can do anything (for example, set cookies via JavaScript)
• To prevent automatic parsing of responses aimed at executing JavaScript, encrypt the values ​​of variables in the template with a symmetric cryptoalgorithm with further decryption through JavaScript on the client side (using SlowAES )
• Whitelist'it specified networks (for example, the networks in which search engines live)
• Some small chips useful during a DoS attack.

Can not

• The module only returns the specified responses to the client; you must make decisions about locking the client (for example, using fail2ban)
• Someone will say - “I will emulate javascript”, but let's be realistic - often DoS'yat you bots with full emulation? send them to me, we will mine bitcoins
• There is nothing in the documentation about captcha and flash - if needed, you can screw them yourself, you just need to show imagination in the configuration
• This module is not a panacea - it is only a small component in a complex of protective measures, a tool that can help if used correctly.

How it works

Most often, the bots that implement HTTP flood are pretty dumb and do not have HTTP Cookie and redirect mechanisms. Sometimes more advanced ones come across - such ones can use cookies and process redirects, but almost never the DoS bot carries with it the full-fledged JavaScript engine.

To understand the principle of the filter, the flow of client-server communication is shown below, depending on the attack scenario.

1. Bots do not understand redirects and cookies
   
   
   
   
2. Bots understand redirects and cookies, but do not know JavaScript
   
   
   
   

')

Configuration examples for main attack scenarios

• bots do not understand redirects and cookies (a typical case)

  server { listen 80; server_name domain.com; testcookie off; testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; location = /cookies.html { root /var/www/public_html; } location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } } 

• bots understand redirects and cookies

   server { listen 80; server_name domain.com; testcookie off; testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; testcookie_redirect_via_refresh on; testcookie_refresh_template '<html><body><script>document.cookie="BPC=$testcookie_set";document.location.href="$testcookie_nexturl";</script></body></html>'; location = /cookies.html { root /var/www/public_html; } location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } } 

• protected URL inserted into the iframe on a popular site

   server { listen 80; server_name domain.com; testcookie off; testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; testcookie_redirect_via_refresh on; testcookie_refresh_template '<html><body><script>function bla() { document.cookie="BPC=$testcookie_set";document.location.href="$testcookie_nexturl";}</script><input type="submit" value="click me" onclick="bla();"></body></html>'; location = /cookies.html { root /var/www/public_html; } location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } } 

• bots have learned to pull out the value of cookies through regexp

   server { listen 80; server_name domain.com; testcookie off; testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; testcookie_redirect_via_refresh on; testcookie_refresh_encrypt_cookie on; testcookie_refresh_encrypt_cookie_key random; testcookie_refresh_encrypt_cookie_iv random; testcookie_refresh_template '<html><body>setting cookie...<script type=\"text/javascript\" src=\"/aes.min.js\" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("$testcookie_enc_key"),b=toNumbers("$testcookie_enc_iv"),c=toNumbers("$testcookie_enc_set");document.cookie="BPC="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";document.location.href="$testcookie_nexturl";</script></body></html>'; location = /aes.min.js { gzip on; gzip_min_length 1000; gzip_types text/plain; root /var/www/public_html; } location = /cookies.html { root /var/www/public_html; } location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } } 

• bots have learned how to pull parameters through regexp and decipher the value of cookies (I doubt that anyone will mess around)

   server { listen 80; server_name domain.com; testcookie off; testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; testcookie_redirect_via_refresh on; testcookie_refresh_encrypt_cookie on; testcookie_refresh_encrypt_cookie_key deadbeefdeadbeefdeadbeefdeadbeef; #   testcookie_refresh_encrypt_cookie_iv deadbeefdeadbeefdeadbeefdeadbeef; #   testcookie_refresh_template '<html><body>setting cookie...<script type=\"text/javascript\" src=\"/aes.min.js\" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers({  JS     iv,   }),b=toNumbers({  JS     ,   }),c=toNumbers("$testcookie_enc_set");document.cookie="BPC="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";document.location.href="$testcookie_nexturl";</script></body></html>'; location = /aes.min.js { gzip on; gzip_min_length 1000; gzip_types text/plain; root /var/www/public_html; } location = /cookies.html { root /var/www/public_html; } location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } } 

Source texts

A module with installation instructions and documentation is available on github under the BSD license.

Patches, add-ons, tests and bug reports are welcome.