If your service comes under a major DDoS attack, what would you do?
In the third level of Stripe's CTF, participants were tasked with building a proxy to defend a couple of backend servers against a DDoS attack. The proxy needed to do the following:
- distribute requests across a number of backend servers
- reject requests from attackers
Here is an easy solution: track the number of requests coming from each IP address and, with each request, update the mean and standard deviation of those per-IP counts. Then, assuming a normal distribution, calculate the z-score for each IP address. If the z-score exceeds some tolerance figure, block the IP address. (Determining the tolerance figure requires some trial and error.)
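The z-score approach above, written out as an added example (this is not the CTF solution or code from the post). It keeps the mean and standard deviation of the per-IP counts up to date in constant time per request by maintaining the sum and the sum of squares of the counts. The client addresses and the traffic pattern are constructed, and the `min_std` floor is an addition of mine: with a nearly uniform population the standard deviation collapses toward zero, so a client that is merely one request ahead of the others would otherwise get a huge z-score and be blocked.

```python
"""Per-IP z-score blocker: a sketch of the "easy solution" above.

Added example (not Stripe CTF code): each request bumps the sender's count, the
mean and standard deviation of all per-IP counts are updated in O(1), and a
client whose count sits more than `tolerance` standard deviations above the
mean is blocked. All IP addresses and traffic below are constructed.
"""
import math


class ZScoreBlocker:
    def __init__(self, tolerance=3.0, min_clients=5, min_std=1.0):
        self.tolerance = tolerance      # z-score above which an IP is blocked (tune by trial and error)
        self.min_clients = min_clients  # don't judge anyone until this many distinct clients are seen
        # Assumption added here, not from the post: with a near-homogeneous
        # population the standard deviation collapses toward zero and a client
        # that is merely one request ahead gets a huge z-score, so no verdicts
        # are made while the standard deviation is at or below this floor.
        self.min_std = min_std
        self.counts = {}                # ip -> requests seen
        self.blocked = set()
        self.total = 0                  # sum of all counts
        self.total_sq = 0               # sum of squared counts, for O(1) variance

    def stats(self):
        """Population mean and standard deviation of the per-IP counts."""
        n = len(self.counts)
        mean = self.total / n
        var = self.total_sq / n - mean * mean
        return mean, math.sqrt(max(var, 0.0))   # clamp tiny negative rounding error

    def request(self, ip):
        """Record one request from `ip`; return True if it should be forwarded."""
        if ip in self.blocked:
            return False                # a blocked IP's count stays frozen in the population
        c = self.counts.get(ip, 0)
        self.counts[ip] = c + 1
        self.total += 1
        self.total_sq += 2 * c + 1      # (c + 1)^2 - c^2
        if len(self.counts) < self.min_clients:
            return True
        mean, std = self.stats()
        if std <= self.min_std:
            return True                 # population too uniform (or degenerate) to judge
        z = (c + 1 - mean) / std
        if z > self.tolerance:
            self.blocked.add(ip)
            return False
        return True


def constructed_traffic():
    """Constructed sample: 20 clients make 5 requests each, interleaved,
    then one attacker sends 200 requests in a row."""
    legit = [f"192.0.2.{i}" for i in range(1, 21)]
    return [ip for _ in range(5) for ip in legit] + ["203.0.113.9"] * 200


def simulate(blocker, traffic):
    """Feed every request to the blocker; return (forwarded, rejected) counts."""
    forwarded = rejected = 0
    for ip in traffic:
        if blocker.request(ip):
            forwarded += 1
        else:
            rejected += 1
    return forwarded, rejected


if __name__ == "__main__":
    blocker = ZScoreBlocker(tolerance=3.0)
    print(simulate(blocker, constructed_traffic()), sorted(blocker.blocked))
```

On the constructed traffic the attacker is blocked at its tenth request and no legitimate client is touched; with `min_std=0.0` the same run blocks a legitimate client in the second round of requests. One fact worth keeping in mind when picking the tolerance: if every client but one has the same count, the outlier's z-score (with the population standard deviation used here) is exactly the square root of the number of clients minus one, so a tolerance above that value can never fire.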
Here is a cooler solution:
- download and build nginx, and use it to forward requests to the backend servers
- adjust the parameters in the nginx configuration, using the limit_req module to handle bursts and block elephants
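What that nginx configuration can look like, as an added example (not the post's or Stripe's configuration). The backend addresses, the per-IP rate and the burst size are assumptions to be tuned against the real traffic.

```nginx
# Added example, not from the post: an nginx reverse proxy that spreads
# requests over two backends and rate-limits each client IP with limit_req.
# Backend addresses, rate and burst are assumptions; tune them to your traffic.

events {
    worker_connections 1024;
}

http {
    # The two backend servers the proxy protects (addresses assumed).
    upstream backends {
        server 127.0.0.1:8080;
        server 127.0.0.1:8081;
    }

    # One 10 MB shared-memory zone keyed by client IP, allowing 10 requests
    # per second per IP. $binary_remote_addr is used rather than $remote_addr
    # because its fixed, shorter size lets the zone hold more client states.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

    # Answer rate-limited requests with 429 instead of the default 503, and
    # log them at warn so the elephants are visible in the error log.
    limit_req_status 429;
    limit_req_log_level warn;

    server {
        listen 80;

        location / {
            # Absorb a short burst of up to 20 extra requests per IP without
            # delaying them; anything beyond that is rejected immediately.
            # Without nodelay, excess requests within the burst would instead
            # be queued and released at the configured rate.
            limit_req zone=per_ip burst=20 nodelay;

            proxy_pass http://backends;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

The upstream block handles the first requirement (distributing requests across backends, round-robin by default), and limit_req handles the second: a client that stays under the rate plus burst is never touched, while one that floods gets 429 responses from the proxy and never reaches a backend.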