Protecting your website and applications from advanced DDoS attacks requires a combination of several strategies. In this guide, we will cover three essential methods to mitigate Layer 7 and Layer 3 DDoS attacks:
- Reverse Proxy Caching with NGINX
- Geo-Blocking to restrict traffic from specific countries
- Rate Limiting at the OS Firewall level to filter malicious traffic before it hits your application
These methods, when implemented together, form a robust defense against DDoS and other malicious activities.
1. Reverse Proxy Caching with NGINX
Reverse Proxy Caching helps offload traffic from your backend servers by caching content at the proxy level. This reduces the number of requests that need to be processed by your web server, making it harder for DDoS attacks to affect your system.
a. Install NGINX with Caching Support
Ensure that NGINX is installed with caching modules. On most systems, NGINX supports caching by default.
sudo apt update
sudo apt install nginx
b. Configuring Reverse Proxy Caching in NGINX
Here’s how you can configure Reverse Proxy Caching for static content such as images, JavaScript, and CSS files.
- Create a cache directory to store the cached files:
sudo mkdir /var/cache/nginx
sudo chown -R www-data:www-data /var/cache/nginx
- Edit the NGINX configuration file (/etc/nginx/nginx.conf) to include caching settings:
http {
    # Cache zone: 10 MB of shared memory for cache keys (keys_zone), at most
    # 100 MB of cached data on disk (max_size); entries not requested for
    # 60 minutes are evicted (inactive)
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC_CACHE:10m max_size=100m inactive=60m;
    proxy_temp_path /var/cache/nginx/temp;

    server {
        listen 80;

        location / {
            # Enable caching for this location (narrow it to static paths
            # if dynamic responses must never be cached)
            proxy_cache STATIC_CACHE;
            proxy_cache_valid 200 60m;
            proxy_cache_valid 404 1m;

            # Report HIT/MISS/BYPASS to the client for troubleshooting
            add_header X-Cache-Status $upstream_cache_status;

            proxy_pass http://your_backend_server;
        }
    }
}
- proxy_cache_path: Defines the location and size for cached content.
- proxy_cache: Enables caching for the specific location.
- proxy_cache_valid: Defines how long cached content is considered valid (e.g., 60 minutes for a successful response).
- Test NGINX configuration and restart the service:
sudo nginx -t
sudo systemctl restart nginx
c. Benefits of Reverse Proxy Caching
- Offloads traffic: Frequently requested content is served directly from the cache, reducing load on your backend.
- Reduces DDoS impact: Cached content is served without hitting your web server, helping mitigate the impact of DDoS attacks that try to overwhelm your servers.
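The X-Cache-Status header above exposes $upstream_cache_status to clients; logging the same variable tells you, during an attack, how much traffic the cache is actually absorbing and which clients keep reaching the backend. The script below is an added example, not code from the original guide. It assumes a custom log_format that appends cache=$upstream_cache_status to each access-log line, and the log lines it analyses are constructed for illustration.

```python
"""Analyse NGINX access-log lines that include $upstream_cache_status.

Added example (not code from the original guide). It assumes a custom
log_format that appends `cache=$upstream_cache_status` to each line, e.g.

    log_format cache '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent cache=$upstream_cache_status';

The log lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import Counter

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) cache=(?P<cache>\S+)$'
)

# Statuses that mean the response was served without touching the backend.
# Everything else (MISS, EXPIRED, BYPASS, UPDATING, REVALIDATED, or "-"
# when the response was not cacheable at all) cost backend work.
SERVED_FROM_CACHE = {"HIT", "STALE"}

# Constructed sample: two ordinary clients and one client whose requests
# never hit the cache (unique query strings and an uncacheable POST).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 cache=HIT
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120 cache=HIT
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=a1 HTTP/1.1" 200 880 cache=MISS
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=a2 HTTP/1.1" 200 880 cache=MISS
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=a3 HTTP/1.1" 200 880 cache=BYPASS
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=a4 HTTP/1.1" 200 880 cache=MISS
192.0.2.44 - - [01/Jan/2024:10:00:03 +0000] "GET /static/style.css HTTP/1.1" 200 2048 cache=EXPIRED
192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 9000 cache=HIT
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /missing HTTP/1.1" 404 153 cache=HIT
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 cache=-
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Overall cache hit ratio plus, per client IP, how many of its requests
    had to be answered by the backend."""
    total = 0
    hits = 0
    backend_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip lines in another format
            continue
        total += 1
        if rec["cache"] in SERVED_FROM_CACHE:
            hits += 1
        else:
            backend_by_ip[rec["ip"]] += 1
    ratio = hits / total if total else 0.0
    return {"total": total, "hits": hits, "hit_ratio": ratio,
            "backend_by_ip": backend_by_ip}


def top_backend_clients(lines, n=3):
    """Clients ranked by the number of requests that reached the backend."""
    return summarize(lines)["backend_by_ip"].most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    s = summarize(lines)
    print(f"{s['total']} requests, {s['hits']} served from cache "
          f"(hit ratio {s['hit_ratio']:.0%})")
    for ip, count in top_backend_clients(lines):
        print(f"{ip}: {count} requests reached the backend")
```

On the constructed sample the hit ratio is 40% and 203.0.113.9 accounts for five of the six requests that reached the backend; a client with that profile is a candidate for the firewall rate limiting described in section 3. Run it against a real log by feeding the file's lines to summarize() once the log_format includes the cache field.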
2. Geo-Blocking with NGINX
Geo-blocking is the process of restricting or blocking traffic based on the geographical location of the request. You can block or limit access from certain countries that are known sources of malicious traffic.
a. Install the GeoIP2 Module (If Necessary)
To enable Geo-blocking in NGINX, you’ll need the GeoIP2 module or a similar solution. The easiest method is to use MaxMind’s GeoIP2 database for location-based filtering.
- Install the required packages to use GeoIP2 with NGINX (libnginx-mod-http-geoip2 is the NGINX GeoIP2 module package on Debian/Ubuntu):
sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin libnginx-mod-http-geoip2
- Download the GeoIP2 database:
sudo mkdir /etc/nginx/geoip
cd /etc/nginx/geoip
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
gunzip GeoLite2-Country.mmdb.gz
- Configure NGINX to use the GeoIP2 database:
Edit your nginx.conf file to include the geoip settings:
# Load the GeoIP2 module (load_module must be at the top level of
# nginx.conf, outside the http block; packaged installs may already load
# it from /etc/nginx/modules-enabled)
load_module modules/ngx_http_geoip2_module.so;

http {
    # Define the path to the GeoIP2 database and map the client address
    # to its ISO country code
    geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
        $geoip2_data_country_code country iso_code;
    }

    server {
        listen 80;

        location / {
            # Block traffic from certain countries
            if ($geoip2_data_country_code = "CN") {
                return 403;
            }
            if ($geoip2_data_country_code = "RU") {
                return 403;
            }

            # Allow other traffic
            proxy_pass http://your_backend_server;
        }
    }
}
In this example, traffic from China (CN) and Russia (RU) will be blocked, and all other traffic will proceed as usual.
b. Benefits of Geo-Blocking
- Blocks malicious traffic: Restricting traffic from countries with known cyber threats can help prevent DDoS attacks.
- Customizable: You can tailor the blocking rules based on your region and risk factors.
3. Rate Limiting at the OS Firewall Level
Rate limiting at the firewall level helps prevent a high volume of requests from overwhelming your server. By configuring rate limiting using iptables (for Linux systems), you can mitigate both Layer 3 and Layer 4 DDoS attacks.
a. Install and Configure Iptables for Rate Limiting
- Limit incoming requests to your server’s HTTP port (port 80) from a single IP address to prevent abuse:
sudo iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j REJECT
- --hitcount 20: Limits to 20 new connections per minute from one address (the rule counts new TCP connections, not individual HTTP requests).
- --seconds 60: The time window for the requests (1 minute).
- --update: Checks the address against the tracked list and refreshes its timestamp when it matches; the preceding --set rule is what records each new connection.
- Rate limit UDP traffic (for example, DNS requests):
sudo iptables -A INPUT -p udp --dport 53 -i eth0 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
This limits the UDP traffic to 5 requests per second with a burst of 10. Packets above the limit do not match this ACCEPT rule and fall through to the rest of the chain, so they are only dropped if a later rule or the chain's default policy drops them.
- Save iptables rules to ensure they persist after reboot (the /etc/iptables directory is created by the iptables-persistent package, which also reloads the saved rules at boot):
sudo iptables-save > /etc/iptables/rules.v4
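Before applying rules like these on a production host it helps to know exactly which connections they will reject. The simulation below is an added example, not code from the original guide: it models the recent-module rule pair (--set, then --update --seconds 60 --hitcount 20 -j REJECT) and the limit-module rule (--limit 5/sec --limit-burst 10) against constructed traffic timelines. It uses the kernel's default of 20 stored timestamps per address for the recent module, treats the limit match as a token bucket, and assumes that packets which fail the limit match fall through to a DROP policy.

```python
"""Simulate the two iptables rate-limit rules from this guide.

Added example (not code from the original guide). The traffic timelines
are constructed; the recent-module model follows the kernel's default of
IP_PKT_LIST_TOT timestamps per address, the limit-module model is a token
bucket, and the fall-through disposition for the UDP rule is assumed to
be a DROP policy.
"""
from collections import defaultdict, deque

# Kernel default for `-m recent`: each address keeps at most 20 timestamps
# (ip_pkt_list_tot), which is why --hitcount cannot exceed 20 without
# changing that module parameter.
IP_PKT_LIST_TOT = 20


class RecentMatch:
    """Models `-m recent --set` followed by
    `-m recent --update --seconds S --hitcount N -j REJECT`."""

    def __init__(self, seconds=60, hitcount=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def new_connection(self, src_ip, now):
        """Verdict ('ACCEPT' or 'REJECT') for one new connection at time `now`."""
        stamps = self.stamps[src_ip]
        stamps.append(now)                     # rule 1: --set records the packet
        window_start = now - self.seconds
        hits = sum(1 for t in stamps if t >= window_start)
        if hits >= self.hitcount:              # rule 2: --update matches
            stamps.append(now)                 # a matching --update refreshes the entry
            return "REJECT"
        return "ACCEPT"


class LimitMatch:
    """Models `-m limit --limit R/sec --limit-burst B -j ACCEPT` as a token
    bucket: B tokens to start, refilled at R per second. A packet with no
    token does not match and falls through (assumed DROP policy here)."""

    def __init__(self, rate_per_sec=5, burst=10):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def packet(self, now):
        """Verdict ('ACCEPT' or 'DROP') for one packet at time `now`."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return "ACCEPT"
        return "DROP"


def simulate_http_burst(seconds=60, hitcount=20):
    """Constructed scenario: one address opens 25 connections in a quarter
    second, another opens one every 6 seconds; then the first address
    returns after the window has expired."""
    m = RecentMatch(seconds, hitcount)
    flood, slow = "198.51.100.7", "203.0.113.5"
    flood_verdicts = [m.new_connection(flood, 0.01 * i) for i in range(25)]
    slow_verdicts = [m.new_connection(slow, 6.0 * i) for i in range(10)]
    after_window = m.new_connection(flood, seconds + 1.0)
    return {
        "flood_accepted": flood_verdicts.count("ACCEPT"),
        "flood_rejected": flood_verdicts.count("REJECT"),
        "slow_rejected": slow_verdicts.count("REJECT"),
        "flood_after_window": after_window,
    }


def simulate_udp_flood(packets=30, rate=5, burst=10):
    """Constructed scenario: 30 DNS packets in one instant, then 30 more two
    seconds later once the bucket has refilled."""
    m = LimitMatch(rate, burst)
    first = [m.packet(0.0) for _ in range(packets)]
    second = [m.packet(2.0) for _ in range(packets)]
    return {"first_batch_accepted": first.count("ACCEPT"),
            "second_batch_accepted": second.count("ACCEPT")}


if __name__ == "__main__":
    print(simulate_http_burst())
    print(simulate_udp_flood())
```

Two details the simulation makes visible: because --set counts the current connection before --update checks the hitcount, the 20th new connection inside the window is the first one rejected (19 are accepted), and the address is accepted again once all its stored timestamps are older than 60 seconds. For the UDP rule, a batch of 30 packets at once yields 10 accepts, and two seconds of idle time refills the bucket to its burst size, never beyond it.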
b. Benefits of Rate Limiting at the Firewall Level
- Reduces traffic load: Rate limiting blocks excessive traffic before it reaches your application server.
- Protects against Layer 3 and 4 DDoS: Prevents traffic floods such as SYN floods or UDP floods from overwhelming your server.
Conclusion
By implementing Reverse Proxy Caching, Geo-Blocking, and Rate Limiting at the firewall level, you can significantly enhance your DDoS protection strategy. These techniques reduce server load, block malicious traffic, and help prevent resource exhaustion caused by large-scale attacks. Here’s a summary of the benefits:
- Reverse Proxy Caching reduces the load on your backend by serving cached content to legitimate users.
- Geo-Blocking allows you to restrict access from specific countries known for malicious traffic.
- Rate Limiting at the OS Firewall prevents DDoS attacks by controlling the amount of traffic hitting your server.
Together, these solutions form a powerful defense against advanced DDoS and malicious traffic, keeping your systems secure and operational even under attack.