Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Anti-dos policy in routers #89

unbit opened this Issue Dec 14, 2012 · 3 comments


None yet
2 participants

unbit commented Dec 14, 2012

As each router (http/fast/raw) maintains a very big list of statistics, we can improve things to support some anti-dos pattern.

The first feature could be a concurrent-requests limiter. Basically an hash table of ips maintains the number of active connections for the same ip.

The user can configure a "soft" policy, simply reporting a warning in the logs (that you can parse and eventually trigger an alarm) or a "hard" one, triggering a block of that ip.

The stats JSON blob should report the list of blocked ips too.


prymitive commented Dec 14, 2012

Counting only number of concurrent connection is not enoughm You also need to keep track of request rate. Otherwise You are still vulnerable to attacks like brute force cracking of login/register form or DOS against URLs that are expensive to serve and can generate high load.

I use https://github.com/nand2/libvmod-throttle in varnish for securing few URLs. Maybe it's worth looking at.


unbit commented Dec 15, 2012

Yes request rating is another component to add, and i am analyzing the possibility to have a new router only for bandwidth limiting (something cloud users can easily put between their app server and the proxy to avoid being charged too much in case of unwanted high traffic). My idea is that this new router (the 'shaper' ?) can configure different 'virtual interfaces' with different bandwidths.


prymitive commented Feb 18, 2013

People use open proxy for attacks so I would also advise to limit not only based on client IP, but also X-Forwarded-For header if preset. You can't trust this header if it's set by proxy/router You can't control, but misconfigured open proxy will set it, so if You have a burst of requests coming from different client IPs but they share common X-Forwarded-X header, than it's enough to detect such attack.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment