Web server
Web Service Protection Against DDoS Attacks
You can use the following configuration template for Tempesta xFW to protect a web service at the L3-L4 layer (volumetric attacks).
This configuration example assumes a generic web server running on the
IPv4 address 192.168.100.4 and the IPv4-mapped IPv6 address ::192.168.100.4.
The server listens on TCP ports 80 (HTTP/1) and 443 (HTTP/1 and HTTP/2), as well
as UDP port 443 (HTTP/3 over QUIC).
You can store the configuration in /etc/tempesta/xfw_http_rules.conf and load it
with:
/opt/tempesta/bin/tfw push --conf /etc/tempesta/xfw_http_rules.conf
In this case we assume Tempesta xFW is running in host mode, so we can use the following main configuration:
# cat /etc/tempesta/xfw.conf
{
"devices": "ens3",
"devices-mode": "skb",
}
The configuration starts with the evaluation_mode option commented out. You can
uncomment it to make Tempesta xFW only log traffic to ClickHouse and report
statistics for traffic that would otherwise be blocked.
When this option is commented out or removed, Tempesta xFW actively blocks clients
that violate the configured rules.
xfw {

    #evaluation_mode;
    tcp_anomaly_filter;
    tcp_syncookies passive_timer=1 flood_timer=1;

    ratelimit=http_rl pps=1000 bps=131072;
    dst=http4 ip4.tcp : ratelimit=http_rl {
        192.168.100.4:80,
        192.168.100.4:443
    }
    dst=http6 ip6.tcp : ratelimit=http_rl {
        [::192.168.100.4]:80,
        [::192.168.100.4]:443
    }
    dst=quic4 ip4.udp : ratelimit=http_rl {
        192.168.100.4:443
    }
    dst=quic6 ip6.udp : ratelimit=http_rl {
        [::192.168.100.4]:443
    }

    ratelimit=ssh_rl bps=50000 pps=500;
    dst=ssh ip4.tcp : ratelimit=ssh_rl {
        192.168.100.4:22
    }

    ratelimit=icmp_rl pps=10 bps=1000;
    icmp ip4 : ratelimit=icmp_rl { 0, 3, 8, 11, 12 }
    icmp ip6 : ratelimit=icmp_rl { 1, 2, 3, 4, 128, 129, 133, 134, 135, 136, 137, 143 }

    defaults {
        dst: allow;
        icmp ip4: block;
        icmp ip6: block;
    }
}
Line 4 enables the TCP anomaly filter, which drops TCP floods consisting of anomalous traffic, such as malformed packets or abnormal TCP flag combinations.
Line 5 configures high-performance TCP SYN cookies to mitigate high-rate TCP SYN floods.
Line 7 defines an HTTP rate limit named http_rl for all TCP and UDP ports used by HTTP/1, HTTP/2 and HTTP/3 over IPv4 and IPv6.
This rate limit is referenced by four dst rules covering TCP and UDP over IPv4 and IPv6. Note that IPv6 addresses are enclosed in square brackets to separate the address from the port number.
Lines 23 and 24-26 allow and rate-limit SSH connections. Typically, you also need similar rules for all other management services, such as monitoring.
Lines 28 and 29-30 rate limit the permitted ICMPv4 and ICMPv6 message types. Allowing these ICMP types is recommended to avoid hard-to-debug network connectivity issues.
Finally, lines 32-36 define the default rules:
- Allow incoming traffic to all destination ports except 22, 80 and 443. This rule is required to avoid breaking egress connections that use ephemeral ports, such as those used for system updates and other management tasks.
- Block all ICMP messages except those explicitly allowed in lines 29-30.
It is important to define dst rules with rate limits for all open ports that listen for external connections, to improve overall service reliability.
In this example, the defaults section allows all destination ports for egress connections.
However, a SYN flood may target arbitrary TCP ports, forcing the system to repeatedly
look up non-existent listening sockets – a relatively expensive operation.
To avoid this, you can explicitly allow and rate-limit specific source
ports and IP addresses for all required egress connections, and block all other
destination ports by default.
An example configuration might look like this:
src=service1 ip4.tcp : ratelimit=service_rl {
    1.1.1.1:443
}
...
src=serviceN ip4.tcp : ratelimit=service_rl {
    ...
}
defaults {
    dst: block;
}
This configuration works because src rules are processed before dst rules,
ensuring that all legitimate egress connections are allowed by Tempesta xFW.
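The following is an added example, not code from Tempesta xFW or its documentation. It is a small static checker for the rule syntax shown on this page: it parses the src, dst, ratelimit and defaults statements, flags listening sockets that no dst rule covers (the recommendation above to rate-limit every externally reachable port), flags rules that reference a rate limit that is never defined, and shows which rule a given flow hits under the stated order, src rules first, then dst rules, then the defaults. The configuration and the listening-socket list are constructed for the example; service_rl is deliberately left undefined so the second check fires. Only the rule ordering comes from the page; how Tempesta xFW matches internally is an assumption of this model.

```python
"""Added example (not Tempesta's code): a static check of an xfw filter block."""
import re
from ipaddress import ip_address

# Constructed config: the page's http4/http6/quic4/ssh rules plus one egress
# src rule. service_rl is referenced but never defined, on purpose.
XFW_CONF = """
xfw {
    tcp_anomaly_filter;
    ratelimit=http_rl pps=1000 bps=131072;
    dst=http4 ip4.tcp : ratelimit=http_rl {
        192.168.100.4:80,
        192.168.100.4:443
    }
    dst=http6 ip6.tcp : ratelimit=http_rl {
        [::192.168.100.4]:80,
        [::192.168.100.4]:443
    }
    dst=quic4 ip4.udp : ratelimit=http_rl {
        192.168.100.4:443
    }
    ratelimit=ssh_rl bps=50000 pps=500;
    dst=ssh ip4.tcp : ratelimit=ssh_rl {
        192.168.100.4:22
    }
    src=service1 ip4.tcp : ratelimit=service_rl {
        1.1.1.1:443
    }
    defaults {
        dst: block;
    }
}
"""

# Constructed listening sockets, as `ss -lntu` might report them; the last one
# (a metrics exporter on 9100) has no dst rule in XFW_CONF.
LISTENERS = [
    ("tcp", "192.168.100.4", 80),
    ("tcp", "192.168.100.4", 443),
    ("udp", "192.168.100.4", 443),
    ("tcp", "192.168.100.4", 22),
    ("tcp", "192.168.100.4", 9100),
]

RULE_RE = re.compile(
    r"(?P<kind>src|dst)=(?P<name>\w+)\s+ip[46]\.(?P<proto>tcp|udp)"
    r"\s*:\s*ratelimit=(?P<rl>\w+)\s*\{(?P<body>[^}]*)\}")
RATELIMIT_DEF_RE = re.compile(r"ratelimit=(\w+)(?:\s+[bp]ps=\d+)+\s*;")
DEFAULTS_RE = re.compile(r"defaults\s*\{(?P<body>[^}]*)\}")


def parse_endpoint(token):
    """'192.168.100.4:80' or '[::192.168.100.4]:443' -> (ip_address, port)."""
    host, _, port = token.strip().rpartition(":")
    return ip_address(host.strip("[]")), int(port)


def parse_rules(conf):
    """Return (rules in file order, defaults dict, set of defined ratelimit names)."""
    rules = []
    for m in RULE_RE.finditer(conf):
        endpoints = {parse_endpoint(t) for t in m["body"].split(",") if t.strip()}
        rules.append({"kind": m["kind"], "name": m["name"], "proto": m["proto"],
                      "ratelimit": m["rl"], "endpoints": endpoints})
    defaults = {}
    d = DEFAULTS_RE.search(conf)
    if d:
        for stmt in d["body"].split(";"):
            if ":" in stmt:
                key, action = (s.strip() for s in stmt.split(":", 1))
                defaults[key] = action
    return rules, defaults, set(RATELIMIT_DEF_RE.findall(conf))


def uncovered_listeners(rules, listeners):
    """Listening sockets that no dst rule (and therefore no rate limit) covers."""
    covered = {(r["proto"], ep) for r in rules if r["kind"] == "dst"
               for ep in r["endpoints"]}
    return [l for l in listeners
            if (l[0], (ip_address(l[1]), l[2])) not in covered]


def undefined_ratelimits(rules, defined):
    """Names of rules whose ratelimit= refers to a limit that is never defined."""
    return [r["name"] for r in rules if r["ratelimit"] not in defined]


def classify(rules, defaults, proto, src, dst):
    """First matching rule for a flow: src rules before dst rules, else the default."""
    src = (ip_address(src[0]), src[1])
    dst = (ip_address(dst[0]), dst[1])
    for kind, key in (("src", src), ("dst", dst)):
        for r in rules:
            if r["kind"] == kind and r["proto"] == proto and key in r["endpoints"]:
                return f"{kind}={r['name']} ratelimit={r['ratelimit']}"
    return f"default dst: {defaults.get('dst', 'unspecified')}"


if __name__ == "__main__":
    rules, defaults, defined = parse_rules(XFW_CONF)
    print("uncovered listeners:", uncovered_listeners(rules, LISTENERS))
    print("undefined ratelimits:", undefined_ratelimits(rules, defined))
    # A reply from the remote service hits the src rule, not the default block.
    print(classify(rules, defaults, "tcp", ("1.1.1.1", 443), ("192.168.100.4", 51234)))
    print(classify(rules, defaults, "tcp", ("203.0.113.7", 40000), ("192.168.100.4", 80)))
    print(classify(rules, defaults, "tcp", ("203.0.113.7", 40000), ("192.168.100.4", 8080)))
```

Run it against the real xfw block and the output of `ss -lntu` on the host to catch a listener that was added after the rules were written, or a rule whose rate limit name was mistyped; both are the kind of gap that leaves a port without the protection the rest of the configuration provides.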