#3701 - Harsher flood control under high load
-
By Chris Graham
- Added
- 2 views
| Identifier | #3701 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Harsher flood control under high load |
| Status | Open |
| Tags |
Type: Performance (custom) Type: Security (custom) |
| Handling member | Deleted |
| Addon | core |
| Description | A good webhost can offer DDOS protection against attacks lower in the network stack (good article saying what they do: https://www.quora.com/How-do-DDOS-mitigation-techniques-work-e-g-RioRey). Suspicious activity can be detected relatively easily, and each machine doing it is not impacting that much of a cost so it's okay to wait a little time and then block each IP in the DDOS attack individually.
However, if the attack is targeting web pages in a way that simulates a large number of real users (like a good marketing campaign), that isn't something regular DDOS protection can guard against. Serving a dynamic web page is notably more costly, so an effective attack against a webapp could be done with maybe even just one machine if that machine can rotate public IPs quickly (to avoid IP-based flood protection). Recently compo.sr was attacked in this way, by what may have been only around a dozen machines, but each machine capable of using whole ranges of IP addresses to mask themselves. To protect against this in the future (without having to set manual blocks), we need to make the flood protection apply harsher rules if the server is under high load: 1) Have the flood control script apply flood control with either the first 3, or even only first 2, IP octets (maybe configurable). 2) For a Guest accessing a non-cached page, make them solve a CAPTCHA. |
| Steps to reproduce | |
| Related to | |
| Funded? | No |
The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".
Comments
There have been no comments yet