A DDoS (distributed denial of service) attack floods your site with a high volume of requests from many sources at once, with the intent of taking it offline. With section.io we offer a few different levels of DDoS protection to our customers in the event of an attack.
Limit DDoS Attack with Varnish Cache
For customers running the Varnish Cache reverse proxy on their platform, we are able to limit the impact of a DDoS attack. Varnish Cache does not block any IP addresses during an attack. Every request made by a malicious attacker is answered; the protection comes from how it is answered.
With Varnish Cache, your website has a cache that saves a copy of each page and asset it serves. Once a copy is in the cache, subsequent requests for the same object are served from the cache instead of the origin server. So if 1,000 malicious requests for the same page arrive at once, the first request goes to the origin and the other 999 are served from cache, protecting the server. Varnish Cache limits the impact of a DDoS attack by letting only a fraction of requests reach the origin, reducing the attack's ability to take your website offline. The caveat is that this only helps for cacheable requests: requests that bypass the cache (unique query strings, POST requests, or pages that vary by session cookie) still reach the origin, so the protection depends on keeping the cache hit ratio high.
Manual Block with IP Blocking
The next level of protection is independent of the reverse proxy being used on the platform. section.io allows you to manually add IP addresses or blocks of addresses you'd like to block. Any IP addresses you add to the "Restrictions" tab in the section.io platform will not be able to access your website.
In order to identify which IP addresses you want to block, we recommend using Kibana within our platform to view your logs. During an attack you will see a high volume of requests coming from one or more IP addresses. To find IP addresses with a high volume of requests, look at the "http_x_forwarded_for" field in Kibana. This is a header that carries a chain of IP addresses representing every hop that handled the request, in order, starting with the original client (the leftmost value). Note that the leftmost value is supplied by the client and can be forged, since X-Forwarded-For is just a request header; the entries appended by proxies you control are the ones you can rely on.
Kibana will show the percentage of records that share the same value for "http_x_forwarded_for", so the IP addresses with the most requests rise to the top. Before blocking anything, confirm that total traffic is actually elevated (the default view shows the total number of log records over time, so a spike there indicates an attack in progress), since a single busy address can also be a legitimate crawler or a shared NAT gateway.
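As an added example (not part of the original section.io post or its platform), the Python below does offline what the Kibana view does: it takes the http_x_forwarded_for values from a set of constructed log records, resolves each to the client address by walking the chain from the right past the proxies you control (the leftmost entry is client-supplied and can be forged), and ranks single addresses and /24 blocks by request count. The trusted-proxy address, the threshold and the sample records are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample values of the http_x_forwarded_for field, one per request,
# as a reverse-proxy platform would record them. Not real section.io logs.
SAMPLE_XFF = [
    "203.0.113.7, 198.51.100.10",
    "203.0.113.7, 198.51.100.10",
    "203.0.113.7, 198.51.100.10",
    "203.0.113.9, 198.51.100.10",
    "203.0.113.9, 198.51.100.10",
    "192.0.2.44, 198.51.100.10",
    # A client that forged a leftmost entry; the hop our proxy appended is still 203.0.113.7.
    "10.0.0.1, 203.0.113.7, 198.51.100.10",
    "203.0.113.7, 198.51.100.10",
]

# Address of the proxy we operate (assumed for this example); hops it appended are trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.10")}


def client_ip(xff_value, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address from an X-Forwarded-For chain, or None.

    The leftmost entry is whatever the client sent, so it can be forged. Walk the
    chain from the right, skip the hops our own proxies appended, and take the
    first address that is not ours: that is the peer that connected to our edge.
    """
    hops = [h.strip() for h in xff_value.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed hop; keep walking left
        if addr not in trusted_proxies:
            return addr
    return None


def top_talkers(xff_values, threshold=3):
    """Rank client addresses by request count, keeping those at or above threshold."""
    counts = Counter()
    for value in xff_values:
        addr = client_ip(value)
        if addr is not None:
            counts[addr] += 1
    return [(str(a), n) for a, n in counts.most_common() if n >= threshold]


def suspicious_prefixes(xff_values, prefix_len=24, threshold=3):
    """Aggregate by prefix so attackers spread across one /24 show up as a block."""
    counts = Counter()
    for value in xff_values:
        addr = client_ip(value)
        if addr is not None and addr.version == 4:
            net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
            counts[net] += 1
    return [(str(n), c) for n, c in counts.most_common() if c >= threshold]


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_XFF))
    print("busy /24s:", suspicious_prefixes(SAMPLE_XFF))
```

The addresses it reports are candidates for the "Restrictions" tab, not an automatic block list: compare them against the overall traffic level first, and prefer the /24 view when the per-address counts are spread thinly across one range.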
Automatically Block with Web Application Firewall
For customers with the ModSecurity reverse proxy on their platform, requests can be blocked automatically. ModSecurity works from a set of rules that it uses to identify malicious traffic. Out of the box, we ship the OWASP Core Rule Set, and you can also define additional rules of your own.
By default ModSecurity runs in DetectionOnly mode (the SecRuleEngine directive set to DetectionOnly), which means it evaluates traffic against the rules and logs its findings without blocking anything. This lets you review the matches and see how the rules would affect your site if they were actively blocking, and in particular catch false positives that would block legitimate users. Switching SecRuleEngine from DetectionOnly to On enables protection mode, and we start blocking traffic based on the rules defined. Keep in mind that ModSecurity decides per request based on rule matches rather than request volume, so it stops malformed and exploit-style requests; a flood of well-formed requests is still a job for caching and IP blocking.
Protect your site with Varnish Cache, ModSecurity and our CDN today
section.io allows developers to choose the level of protection their site needs, whether it is basic DDoS protection through our CDN and Varnish Cache or more advanced protection through ModSecurity's Web Application Firewall. Test out your security configurations by signing up for a free trial account, or contact us with any website security questions.