
I've been playing around with the Varnish cache server and I got my webpage up lightning fast: it gets 97 points in Google's PageSpeed and 100 at Pingdom's. I use Varnish (proxies to nginx) and nginx (only locally available, proxies *.php to php-fpm, but I'm thinking about moving to the HipHop PHP compiler).

So as my page was fast and only ~500MB/1GB of RAM was used, I asked a friend of mine to perform a stress test on this machine's HTTP server. I've configured the following anti-DDoS mechanisms:

  • iptables Firewall limiting Connections / second
  • some more iptables checks (Sessions starting with a SYN, ICMP and so on)
  • Varnish caching
  • Re-coded the small webpage to store some values that may be fetched often in the Alternative PHP Cache (i.e. the currently playing song, a TTL of 120 should be fine)

There is no dynamic data on the webpage except for the currently playing song, which is APC-powered, and definitely no need for sessions.

So now to my problem: my friend started a DoS attack from some machine he was authorized to use and my server went down VERY fast. I was unable to get on SSH, so I used a serial console and checked the varnishd logs, which showed:

    session start
    session end

And this repeating all the time. I took advantage of my console access and banned the IPs, et voilà, my page was back.

Now, since there is no need for sessions, I need the VCL syntax for prohibiting all sessions except for scripts in the subdir /user.

Jonny Mild
  • 11
  • 1
  • 2
  • 6
  • What kind of friends do you have? – Oliver May 01 '12 at 20:41
  • He is familiar with some kinds of malware I guess, but he definitely is not a blackhat. He used 4 machines, not 4 or 40 thousand. – Jonny Mild May 01 '12 at 20:48
  • Check [nginx-naxsi](http://code.google.com/p/naxsi/). – Dmitry Verkhoturov May 02 '12 at 05:42
  • Naxsi sadly is a WAF and it will 'only' prevent web hacking attacks / intrusions like XSS (cross-site scripting) or SQLi (injecting malicious SQL into user-given SQL queries, i.e. search forms) and thus won't prevent me from D(D)oS, but still thanks for the hint. – Jonny Mild May 02 '12 at 19:05
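As an added illustration (not from the question or either answer) of the "no sessions except under /user" requirement: the VCL below, written for Varnish 3 syntax, strips the client Cookie header and the backend Set-Cookie header for every URL outside /user/, so those responses are cacheable and never reach PHP once warm. It assumes the session-bearing scripts all live under /user/ and that the default backend is already defined elsewhere in the VCL.

```vcl
# Added example (Varnish 3 syntax; assumes scripts needing sessions live under /user/).
sub vcl_recv {
    # Cookies make Varnish pass the request to the backend. For everything
    # outside /user/ the page is static, so drop them and let the default
    # vcl_recv proceed to a cache lookup.
    if (req.url !~ "^/user/") {
        unset req.http.Cookie;
    }
    # Requests under /user/ keep their cookies and fall through to the
    # default vcl_recv, which passes them to the backend (session allowed).
}

sub vcl_fetch {
    # A Set-Cookie header marks the object uncacheable. Strip it for the
    # stateless part of the site so the object can be stored and served
    # from cache; keep it for /user/ so logins still work there.
    if (req.url !~ "^/user/") {
        unset beresp.http.Set-Cookie;
    }
}
```

In Varnish 4 and later the fetch-side hook is `vcl_backend_response` and the URL is read from `bereq.url`; note also that this only raises the cache hit rate, it does not change the per-connection worker-thread limit discussed in the accepted answer.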

2 Answers


IIRC varnish uses threads to handle connections, and is configured with a limit. So all an attacker has to do is open, say, 200 connections to the cache to block every thread (see also slowloris). On the other hand, nginx (which will happily run as a caching reverse proxy) is an event based server; the context switching is demand driven - it's only limited by the number of sockets it can have open and is hence much, MUCH more resistant to such attacks.

(varnish is still better than pre-fork or even worker apache at turning around requests without a big per-request footprint, hence you'll see a lot of people talking about using it to mitigate such DOS attacks).

You can do some stuff to mitigate DOS attacks at the networking layer using iptables and/or QOS based routing, but I'd recommend starting by using nginx as the proxy.

symcbean

You can install a tool like fail2ban or OSSEC (my favorite) to automatically block this kind of attack. It doesn't save you from attacks with spoofed IPs (it's really difficult to defend against these), but it's a start.

Lucas Kauffman