Layer7 (or application layer) is one of the seven layers of the OSI (Open Systems Interconnection) model. I.e. these are smtp applications, web server, mysql, etc.
DDoS (Distributed Denial of Service) attack is a type of attack which aims to create an overload on a server or network, making it unavailable for legitimate traffic. In this case, the attacker uses multiple computers or devices to generate a large number of requests to the target server.
How does the attack happen? Many requests come in and the server runs out of CPU resource, which eats the web server itself. This prevents the web server from processing a legitimate (real) request from the user.
Usually attacks come from infected devices, but they can also come from servers that use proxy lists.
There are many methods and tools that can be used to protect web servers from DDoS attacks. The first step - the first thing to remove limits (rlimit, mysql, php, etc.) or pick them up for your server to optimize the settings (php, nginx, mysql, etc.) to reduce the load on the CPU server.
Among the possible methods of protection include:
- Using specialized solutions to protect against DDoS, such as the free Cloudflare.
- Maximum caching of static content on the server to reduce the load on the CPU. In addition, you can use caching mechanisms for dynamic pages, such as fastcgi_cache for PHP in NGINX. I.e. we will cache all pages for guests e.g. by cookies. If there is a logged in user's cookies then don't cache them etc..
- Use rate-limit rules to limit number of requests from one IP address. For example for GET 2 requests per second, for POST 1 request per second. This can be done with standard limit_req or professional https://github.com/limithit/ngx_dynamic_limit_req_module, this module can ban for N sec IP-address (with redis) which limit_req can't. We don't want to use fail2ban in 2023, do we?). You can also limit requests per page if the number of requests exceeds a certain threshold. You can limit requests by user-agent, tls hash(ja3), $http_cookie etc. (normal nginx does not support this). You can make a module (for redis, example: https://github.com/limithit/RedisPushIptables) for dynamic_limit_req_module which will ban iptables or cloudflare(limit 50000 rules) IP addresses. Also, to reduce the load CloudFlare gives us a free 1 rule rate-limit.
- Creating a script that determines how busy the server is, and if it is busy (under attack), include a rule on CloudFlare that enables captcha or spinning(I am under attack).
- Hide your real IP addresses (open services) behind CloudFlare, etc. Open services can be found via https://search.censys.io/, which scans most of the Internet or the nmap program. For example, in a letter sent from the same server as a web-server will light up the real IP-address (you can use third-party smtp-servers, usually they are paid).
- BONUS for Layer4: it is possible to make an ingenious move and do everything on IPv6, which is not yet blown). For example, if your ISP does not hold the attack and takes the IP address to blackhole, then maybe another IP address will not take away. Usually IPv6 is given by a large subnet which can be used to the maximum.
- Another idea: if client didn't load a certain resource (picture, css, js) -> block it.
In general, cloudflare fends off attacks within 10 minutes. Best of luck with the CPU savings.
And here are a few facts about the big DDoS attacks finally:
- In 2018, the Mirai attack took it to the next level when it launched one of the most powerful DDoS attacks that lasted about 11 days. The attack targeted OVH servers and reached speeds of more than 1.3 Tbps. https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/
- In 2020, Cloudflare reported a record-breaking HTTP-based DDoS attack that reached speeds of 754 million packets per second. By comparison, a typical HTTP-based DDoS attack can generate several thousand to several million packets per second. https://blog.cloudflare.com/cloudflare-mitigates-record-breaking-71-million-request-per-second-ddos-attack/