Advanced DDoS Protection: NGINX, HAProxy, Fail2Ban, and iptables Setup
DDoS attacks, especially Layer 4 DDoS attacks, can overwhelm servers with high traffic, making your website or application unavailable. To mitigate these threats, a combination of NGINX, HAProxy, Fail2Ban, and iptables can effectively filter malicious traffic and ensure high availability. In this guide, we’ll walk you through the steps to configure these tools to protect your infrastructure.
1. Setting Up NGINX for Layer 4 DDoS Protection
NGINX is a powerful web server and reverse proxy, which can be configured to limit the number of connections and requests per second, helping to mitigate SYN floods, TCP ACK floods, and other Layer 4 attacks.
a. Limit Connections Per IP
- Open the NGINX configuration file (/etc/nginx/nginx.conf):
sudo nano /etc/nginx/nginx.conf
- Add the following configuration to limit the number of simultaneous connections per IP:
http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        listen 80;
        # Limit connections to 10 per IP
        limit_conn addr 10;
        location / {
            proxy_pass http://your_backend;
        }
    }
}
- Save and test NGINX configuration:
sudo nginx -t
sudo systemctl restart nginx
b. Rate Limiting
- Modify the configuration to limit the rate of requests:
http {
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
    server {
        listen 80;
        location / {
            limit_req zone=req_limit_per_ip burst=20 nodelay;
            proxy_pass http://your_backend;
        }
    }
}
- Test and restart NGINX:
sudo nginx -t
sudo systemctl restart nginx
2. Configuring Fail2Ban for DDoS Protection
Fail2Ban is an intrusion prevention software framework that can monitor log files and automatically block IPs showing malicious activity. It’s excellent for blocking malicious requests based on the behavior observed in logs.
a. Install Fail2Ban
- Install Fail2Ban on your server:
sudo apt update
sudo apt install fail2ban
- Create a new Fail2Ban configuration file for NGINX:
sudo nano /etc/fail2ban/jail.d/nginx-ddos.conf
- Add the following configuration:
[nginx-ddos]
enabled = true
filter = nginx-ddos
action = iptables-allports[name=HTTP, protocol=all]
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 60
bantime = 600
- Create the corresponding filter for Fail2Ban:
sudo nano /etc/fail2ban/filter.d/nginx-ddos.conf
- Add the following failregex:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*" 403
ignoreregex =
- Restart Fail2Ban:
sudo systemctl restart fail2ban
b. Monitor Fail2Ban Status
To monitor which IPs are banned, run:
sudo fail2ban-client status nginx-ddos
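Before putting the jail into service it is worth checking what the failregex above actually matches and how maxretry and findtime interact. The following script is an added example (not part of the original post or of Fail2Ban) that applies the filter's regex to constructed nginx access-log lines and replays the jail's maxretry/findtime counting; the host pattern is a simplified stand-in for Fail2Ban's <HOST> tag and bantime is not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the nginx-ddos filter above, with Fail2Ban's <HOST> tag
# replaced by a plain named group (Fail2Ban's real host pattern is more
# elaborate; this simplification is enough for exercising the filter).
FAILREGEX = re.compile(r'^(?P<host>\S+) -.*"(GET|POST).*HTTP.*" 403')
# Timestamp field of nginx's default "combined" log format.
TIMESTAMP = re.compile(r'\[([^\]]+)\]')

def match_line(line):
    """Return (host, timestamp) if the line matches the filter, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts

def simulate_jail(lines, maxretry=5, findtime=60):
    """Replay log lines through the jail's maxretry/findtime logic and
    return the set of hosts that would be banned. Counting is per host,
    so the order of lines across different hosts does not matter."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned = set()
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        q = hits[host]
        q.append(ts)
        while q and ts - q[0] > window:   # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log lines (documentation addresses, not real traffic).
def _line(ip, t, req, status):
    return f'{ip} - - [10/Oct/2024:{t} +0000] "{req} HTTP/1.1" {status} 0 "-" "curl/8.0"'

SAMPLE_LOG = (
    # five 403s within 40 s: reaches maxretry=5 inside findtime=60 -> banned
    [_line("203.0.113.5", f"13:55:{s:02d}", "GET /admin", 403) for s in (0, 10, 20, 30, 40)]
    # five 403s 90 s apart: never five inside one 60 s window -> not banned
    + [_line("192.0.2.9", t, "GET /admin", 403)
       for t in ("13:50:00", "13:51:30", "13:53:00", "13:54:30", "13:56:00")]
    # a 200 response does not match the filter at all
    + [_line("198.51.100.7", "13:55:01", "GET /", 200)]
)

if __name__ == "__main__":
    print(sorted(simulate_jail(SAMPLE_LOG)))   # ['203.0.113.5']
```

Raising findtime to 600 in the call makes the slow client 192.0.2.9 bannable too, which is the trade-off to keep in mind when tuning the jail against legitimate clients that occasionally hit a 403.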
3. Configuring HAProxy for DDoS Mitigation
HAProxy is a powerful load balancer and proxy that can be configured to limit connections and reject requests from malicious sources.
a. Install HAProxy
- Install HAProxy on your server:
sudo apt update
sudo apt install haproxy
b. Configure HAProxy for Rate Limiting
- Open the HAProxy configuration file (/etc/haproxy/haproxy.cfg):
sudo nano /etc/haproxy/haproxy.cfg
- Add the following configuration to limit the number of connections:
frontend http_front
    bind *:80
    maxconn 1000
    # Track concurrent connections per source IP in a stick table
    stick-table type ip size 10k expire 30s store conn_cur
    tcp-request connection track-sc0 src
    # Reject the connection if this source already holds more than 100
    acl too_many_connections sc0_conn_cur gt 100
    tcp-request connection reject if too_many_connections
- Restart HAProxy:
sudo systemctl restart haproxy
4. Configuring iptables for DDoS Protection
iptables is a firewall utility that can be used to filter incoming traffic and prevent DDoS attacks by rate-limiting connections or blocking specific types of traffic.
a. Limit Connections with iptables
- Limit the number of incoming TCP connections per second:
sudo iptables -A INPUT -p tcp --syn --dport 80 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --syn --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j REJECT
- Limit UDP traffic to DNS (port 53) to prevent UDP floods:
sudo iptables -A INPUT -p udp --dport 53 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j DROP
- The ACCEPT rule only admits packets within the limit; the DROP rule that follows it is what discards the excess, otherwise those packets fall through to the chain's default policy.
b. Save iptables Rules
To ensure your iptables rules persist after a reboot (on Debian/Ubuntu, install the iptables-persistent package so /etc/iptables/rules.v4 is reloaded at boot; the redirect must run under sudo as well, since the shell, not iptables-save, writes the file):
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Conclusion
Combining NGINX, HAProxy, Fail2Ban, and iptables provides a robust solution to protect against Layer 4 DDoS attacks. These tools offer a multi-layer defense by limiting connections, rate-limiting traffic, blocking malicious IPs, and filtering traffic before it reaches your application.
By following the steps outlined above, you can significantly reduce the impact of DDoS Layer 4 attacks and ensure the stability and availability of your website and applications even during high-traffic events. Keep monitoring your logs, adjust thresholds, and stay ahead of potential threats with these advanced security measures.