
Features Request List #34

Closed
Sylvvvia opened this issue Apr 8, 2020 · 8 comments
Comments

@Sylvvvia

Sylvvvia commented Apr 8, 2020

Okay, I have fully tested your script. It works very well; however, it is easy to bypass. Below I list features you should implement to provide better security.

  1. Sensor Mode (Requested Already)
  2. Reverse DNS check on crawling bots (Google, Yahoo etc.)
  3. Random delay in a short range (before the JavaScript puzzle starts)
  4. Randomize the JavaScript puzzle more
  5. Cookie validation with session (store the session on the server)
  6. Implement better JavaScript encryption (the current one can be easily decoded)
  7. Spamhaus integration (enable/disable blocking of users that are in the Spamhaus botnet database)

Optional Features:

  1. Implement a themes system so people can change the interstitial page design
  2. Config system, so people will not need to scroll over the entire file to make changes
  3. Partial modules, so each module is loaded from another file; it will make it easier for future changes.
@C0nw0nk
Owner

C0nw0nk commented Apr 8, 2020

Okay, I have fully tested your script. It works very well

however it is easy to bypass your script.

If you are referring to what you said in number 6 on your list, then any JavaScript encryption can always be decoded; that is why I randomize it. Every page refresh would yield a different encryption method, so it is extremely difficult to bypass, because they need to know the puzzle question and answer and to reply to it in the required encrypted header strings. All of that requires them to see the authentication page in the first place; there is no automated way to get this information, and as soon as you change the JavaScript puzzle.

This, to be exact:

--local JavascriptPuzzleVars = [[22 + 22]] --44
--local JavascriptPuzzleVars_answer = "44" --if this does not equal the equation above you will find access to your site will be blocked, make sure you can do maths!?

--Make our JavaScript puzzle a little bit more dynamic than the static equation above; it will change every 24 hours :) I made this because the static one is pretty poor security compared to this, but this can be improved a lot though.
--TODO: IMPROVE THIS!
local yesterday = os.time() - 24*60*60 --the two numbers are derived from yesterday's date, so they roll over once a day
local JavascriptPuzzleVars = [[parseInt("]] .. os.date("%Y%m%d", yesterday) .. [[", 10) + parseInt("]] .. os.date("%d%m%Y", yesterday) .. [[", 10)]] --JavaScript output of our two date-derived numbers
local JavascriptPuzzleVars_answer = os.date("%Y%m%d", yesterday) + os.date("%d%m%Y", yesterday) --Lua output of our two date-derived numbers (string-to-number coercion)
JavascriptPuzzleVars_answer = math.floor(JavascriptPuzzleVars_answer + 0.5) --fix bug removing the .0 decimal on the end of the figure
JavascriptPuzzleVars_answer = tostring(JavascriptPuzzleVars_answer) --convert the numeric output to a string

It would break their method. It is possible but extremely difficult, the same as Google Captcha is possible to bypass but extremely difficult. Let alone the fact that what the config sets for expire_time means they will have to solve another puzzle in a few hours / days anyway, depending on your config setting.

Below I list features you should implement to provide better security.

1. Sensor Mode (Requested Already)

You need to describe what this is because I have no idea what you are talking about with this?

2. Reverse DNS check on crawling bots (Google, Yahoo etc.)

The only reason I don't want to be doing reverse DNS is that connecting to external sources can cause slowdowns / lag. It defeats the purpose of a DDoS script if you create an external flaw that can intentionally slow it down in order to get data / wait for a data response.

3. Random delay in a short range (before the JavaScript puzzle starts)

So rather than the puzzle being solved by the browser as soon as the browser can solve it, you want to delay the browser for, like, another 3 seconds before it solves the puzzle?

4. Randomize the JavaScript puzzle more

I was asked about this and gave my answer here; it is a TODO list item but not an urgent one: #31 (comment)

5. Cookie validation with session (store the session on the server)

No. There is no need to store their sessions on the server itself when my session method of salted hashes and browser cookies works fine... And besides, that is a terrible thing to do when under attack, because 1 million requests = 1 million sessions to be stored, which means your server storage gets maxed out with bogus sessions. It is a very, very bad idea and too easy to exploit.

6. Implement better JavaScript encryption (the current one can be easily decoded)

Going back to this again: it is not an urgent thing on my TODO list #31 (comment)

7. Spamhaus integration (enable/disable blocking of users that are in the Spamhaus botnet database)

That goes back to my comment about connecting to external sources: it is a bottleneck that can degrade speed and performance when they are slow in answering your query on an IP that is connecting. You want that information ASAP; when they are slow for 500ms, your site can't respond for 500ms until you get the answer about whether that IP is malicious or not.

Optional Features:

1. Implement a themes system so people can change the interstitial page design

Easy enough.

2. Config system, so people will not need to scroll over the entire file to make changes

I put the config area at the top of the file so nobody has to scroll down any lower.

3. Partial modules, so each module is loaded from another file; it will make it easier for future changes.

Could be good, maybe, to add some features that I do not want to be associated with the CORE of this script and have them be dropped on as plugins by users if they need them.
https://github.com/openresty/lua-nginx-module#lua-variable-scope

Will see what i can do when it comes to it.

Currently what I have listed here #29

are my priority right now; everything else is a maybe, but if other people do build things in and make a pull request to the repo I will accept them, and that will speed things up in the features area. Currently I am building a lot in my spare time through my own needs on my own servers.

@Sylvvvia
Author

Sylvvvia commented Apr 8, 2020

Sensor Mode - automatic attack detection. I mentioned this but noticed later that it was already requested.
Reverse DNS check can be made only when someone is requesting with a bot user agent. Imagine now that you whitelist Googlebot and you get DDoSed with 1 million requests per second with the Googlebot user agent. And no, there is no proper way to whitelist it except a reverse DNS lookup, since Google changes their IP range almost all the time.
Spamhaus can be integrated as a .dat file so you're not making any external request; simply look up the IP range in the file.
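The two checks proposed in this comment, a reverse DNS lookup only for requests that claim a crawler user agent (done as forward-confirmed reverse DNS, so a forged PTR record is not enough) and an offline range lookup against a DROP-style .dat file, as an added Python example. It is not the project's code and not the nginx-http-rdns module; the PTR/A records and the .dat contents are constructed sample data, the `allow`/`challenge`/`block` outcomes are assumed names, and the Googlebot suffixes are the domains Google documents for crawler verification.

```python
# Added example (Python, not the project's Lua): forward-confirmed reverse DNS
# for self-declared crawlers plus an offline CIDR lookup, so DNS is consulted
# only for the minority of requests that already claim to be a bot.
import bisect
import ipaddress

# Assumption: a verified crawler's PTR name must end with one of these suffixes.
# Google documents googlebot.com and google.com for Googlebot.
BOT_SUFFIXES = {"googlebot": (".googlebot.com", ".google.com")}

# Constructed DNS view standing in for PTR and A lookups (not real records).
PTR_RECORDS = {
    "66.249.66.1": ["crawl-66-249-66-1.googlebot.com"],
    "203.0.113.7": ["crawl-66-249-66-1.googlebot.com"],  # forged PTR: the forward lookup will disagree
}
A_RECORDS = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}

# Constructed .dat file in the "CIDR ; ID" layout of a DROP-style list (not real data).
DROP_DAT = """; constructed sample, one network per line
192.0.2.0/24 ; EXAMPLE-1
198.51.100.0/25 ; EXAMPLE-2
198.51.100.128/25 ; EXAMPLE-3
"""


def fcrdns_ok(ip, claimed_bot, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """PTR(ip) must lie inside the vendor's domain AND A(that name) must contain ip."""
    suffixes = BOT_SUFFIXES.get(claimed_bot)
    if not suffixes:
        return False
    for host in ptr.get(ip, []):
        host = host.rstrip(".").lower()
        if host.endswith(suffixes) and ip in fwd.get(host, []):
            return True
    return False


class RangeList:
    """IPv4 ranges from a DROP-style file, collapsed and sorted for bisect lookup."""

    def __init__(self, text):
        nets = []
        for line in text.splitlines():
            cidr = line.split(";", 1)[0].strip()        # drop the "; ID" comment part
            if cidr:
                nets.append(ipaddress.IPv4Network(cidr, strict=False))
        nets = list(ipaddress.collapse_addresses(nets))  # merges adjacent /25s into one /24, returns sorted
        self.starts = [int(n.network_address) for n in nets]
        self.ends = [int(n.broadcast_address) for n in nets]

    def __contains__(self, ip):
        x = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, x) - 1     # last range starting at or before ip
        return i >= 0 and x <= self.ends[i]

    def __len__(self):
        return len(self.starts)


def gate(ip, user_agent, blocklist):
    """Decide what to do with a request before the JavaScript puzzle is served."""
    if ip in blocklist:
        return "block"                    # in-memory lookup, no network round trip
    if "googlebot" in user_agent.lower():
        # Only a request that claims to be a crawler pays for the DNS checks.
        # A failed check is treated as an ordinary visitor rather than blocked outright,
        # so a stale PTR record on a genuine crawler costs one puzzle, not an outage.
        return "allow" if fcrdns_ok(ip, "googlebot") else "challenge"
    return "challenge"                    # everyone else solves the puzzle as usual


if __name__ == "__main__":
    bl = RangeList(DROP_DAT)
    for ip, ua in [("66.249.66.1", "Googlebot/2.1"), ("203.0.113.7", "Googlebot/2.1"),
                   ("192.0.2.5", "Googlebot/2.1"), ("203.0.113.8", "Mozilla/5.0")]:
        print(ip, ua, "->", gate(ip, ua, bl))
```

The blocklist is loaded once into two integer arrays, so a lookup is one binary search and never leaves the process, which answers the owner's latency objection; refreshing the file is a periodic job, not an inline request. The reverse DNS path still does talk to a resolver in production, so a deployment would cache the verdict per IP and cap the lookup timeout.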

@C0nw0nk
Owner

C0nw0nk commented Apr 8, 2020 via email

@Sylvvvia
Author

Sylvvvia commented Apr 8, 2020

Would also suggest integration of a custom error display like Cloudflare has. Once those features exist I would gladly switch from our current Cloudflare Enterprise plan to your script. Since we get DDoSed every day, for now it's simply not safe for us.

@C0nw0nk
Owner

C0nw0nk commented Apr 8, 2020 via email

@Sylvvvia
Author

Sylvvvia commented Apr 8, 2020

Well, Cloudflare even in Enterprise doesn't offer anything special. My company has used the Enterprise plan for a year already. There were tons of attacks that were bypassing Cloudflare's protection system, and we have spent hundreds of hours asking their support for help, and the response was always pretty much the same (enable rate limiting, blah blah blah); a few times they have made special rules for us, but literally their protection is just imagination. There is no protection from them for real websites that get hit on an hourly basis with millions of requests. Basically the only thing we love in Cloudflare is their number of datacenters, so our streaming services with the Enterprise plan go worldwide through their network, but we're able to invest money in servers; the main problem is that there will be a lack of layer 7 protection, which we hope you are going to improve.

@C0nw0nk
Owner

C0nw0nk commented Apr 10, 2020

Going to close this issue to keep track of it under the TODO list I made previously.

@C0nw0nk C0nw0nk closed this as completed Apr 10, 2020
@Sylvvvia
Author

@C0nw0nk - rdns lookup no longer required. We have installed this module for tests:

https://github.com/flant/nginx-http-rdns
